Image Credits: Bryce Durbin / TechCrunch
A screenshot of a browser window that displays an image hosted on AWS, which reads: “This is evidence that Cocospy is still hosting uploaded victims' data on Amazon’s S3 cloud, hosted at cocospymedia.s3.us-west-1.amazonaws.com This photo was uploaded via a Corellium phone deliberately compromised with Cocospy.”

A screenshot of a photo, hosted on Amazon Web Services, which was uploaded via a virtual Android device deliberately compromised with Cocospy stalkerware during a TechCrunch investigation. Image Credits: TechCrunch

Amazon will not say if it plans to take action against three phone surveillance apps that are storing troves of individuals’ private phone data on Amazon’s cloud servers, despite TechCrunch notifying the tech giant weeks earlier that it was hosting the stolen phone data.

Amazon told TechCrunch it was “following [its] process” after our February notice, but as of the time of this article’s publication, the stalkerware operations Cocospy, Spyic, and Spyzie continue to upload and store photos exfiltrated from people’s phones on Amazon Web Services.

Cocospy, Spyic, and Spyzie are three near-identical Android apps that share the same source code and a common security bug, according to a security researcher who discovered it and provided details to TechCrunch. The researcher revealed that the operations exposed the phone data on a collective 3.1 million people, many of whom are victims with no idea that their devices have been compromised. The researcher shared the data with breach notification site Have I Been Pwned.

As part of our investigation into the stalkerware operations, which included analyzing the apps themselves, TechCrunch found that some of the contents of a device compromised by the stalkerware apps are being uploaded to storage servers run by Amazon Web Services, or AWS.

TechCrunch notified Amazon on February 20 by email that it is hosting data exfiltrated by Cocospy and Spyic, and again earlier this week when we notified Amazon it was also hosting stolen phone data exfiltrated by Spyzie.

In both emails, TechCrunch included the name of each specific Amazon-hosted storage “bucket” that contains data taken from victims’ phones.

In response, Amazon representative Ryan Walsh told TechCrunch: “AWS has clear terms that require our customers to use our services in compliance with applicable law. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content.” Walsh provided a link to an Amazon web page hosting an abuse reporting form, but would not comment on the status of the Amazon servers used by the apps.

In a follow-up email this week, TechCrunch referenced the earlier February 20 email that included the Amazon-hosted storage bucket names.

In response, Walsh thanked TechCrunch for “bringing this to our attention,” and provided another link to Amazon’s report abuse form. When asked again if Amazon plans to take action against the buckets, Walsh replied: “We haven’t yet received an abuse report from TechCrunch via the link we provided earlier.”

Amazon spokesperson Casey McGee, who was copied on the email thread, claimed it would be “inaccurate of TechCrunch to characterize the substance of this thread as a [sic] constituting a ‘report’ of any potential abuse.”

Amazon Web Services, which has a commercial interest in retaining paying customers, made $39.8 billion in earnings during 2024, per the company’s 2024 full-year earnings, representing a majority share of Amazon’s total annual income.

The storage buckets used by Cocospy, Spyic, and Spyzie are still active as of the time of publication.

Why this matters

Amazon’s own acceptable use policy broadly spells out what the company allows customers to host on its platform. Amazon does not appear to dispute that it forbids spyware and stalkerware operations from uploading data to its platform. Instead, Amazon’s dispute seems to be entirely procedural.

It’s not a journalist’s job — or anyone else’s — to police what is hosted on Amazon’s platform, or the cloud platform of any other company.

Amazon has huge resources, both financially and technologically, to use to enforce its own policies by ensuring that bad actors are not abusing its service.

In the end, TechCrunch provided notice to Amazon, including information that directly points to the locations of the troves of stolen private phone data. Amazon made a choice not to act on the information it received.

How we found victims’ data hosted on Amazon

When TechCrunch learns of a surveillance-related data breach — there have been many stalkerware hacks and leaks in recent years — we investigate to learn as much about the operations as possible.

Our investigations can help to identify victims whose phones were hacked, but can also reveal the often-hidden real-world identities of the surveillance operators themselves, as well as which platforms are used to facilitate the surveillance or host the victims’ stolen data. TechCrunch will also analyze the apps (where available) to help victims determine how to identify and remove the apps.

As part of our reporting process, TechCrunch will reach out to any company we identify as hosting or supporting spyware and stalkerware operations, as is standard practice for reporters who plan to mention a company in a story. It is also not uncommon for companies, such as web hosts and payment processors, to suspend accounts or remove data that violate their own terms of service, including previous spyware operations that have been hosted on Amazon.

In February, TechCrunch learned that Cocospy and Spyic had been breached and we set out to investigate further.

Since the data showed that the majority of victims were Android device owners, TechCrunch started by identifying, downloading, and installing the Cocospy and Spyic apps on a virtual Android device. (A virtual device allows us to run the stalkerware apps in a protected sandbox without giving either app any real-world data, such as our location.) Both Cocospy and Spyic appeared as identical-looking and nondescript apps named “System Service” that try to evade detection by blending in with Android’s built-in apps.

We used a network traffic analysis tool to inspect the data flowing in and out of the apps, which can help to understand how each app works and to determine what phone data is being stealthily uploaded from our test device.

The web traffic showed the two stalkerware apps were uploading some victims’ data, like photos, to their namesake storage buckets hosted on Amazon Web Services.

We confirmed this further by logging into the Cocospy and Spyic user dashboards, which allow the people who plant the stalkerware apps to view the target’s stolen data. The web dashboards allowed us to access the contents of our virtual Android device’s photo gallery once we had deliberately compromised our virtual device with the stalkerware apps.

When we opened the contents of our device’s photo gallery from each app’s web dashboard, the images loaded from web addresses containing their respective bucket names hosted on the amazonaws.com domain, which is run by Amazon Web Services.
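The step described above, pulling the bucket name and region out of the web addresses seen in a traffic capture so they can be named in an abuse report, can be sketched as follows. This is an added example, not TechCrunch's tooling; the URLs, bucket names and function names are constructed for illustration, and dual-stack and accelerate endpoints are not handled.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Virtual-hosted style: <bucket>.s3.<region>.amazonaws.com, the legacy
# <bucket>.s3-<region>.amazonaws.com, or the regionless <bucket>.s3.amazonaws.com
VHOST = re.compile(
    r"^(?P<bucket>.+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
# Path style: s3.<region>.amazonaws.com/<bucket>/<key>
PATH = re.compile(r"^s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")

# Constructed sample of request URLs, as exported from a proxy on a test device.
CAPTURE = [
    "https://example-app-media.s3.us-west-1.amazonaws.com/photos/0001.jpg",
    "https://example-app-media.s3.us-west-1.amazonaws.com/photos/0002.jpg",
    "https://s3.eu-central-1.amazonaws.com/example-other-media/img/a.png",
    "https://example-legacy.s3-us-west-2.amazonaws.com/x.jpg",
    "https://api.vendor.example/v1/checkin",
    # Lookalike host that merely contains the AWS domain; must not match.
    "https://example-app-media.s3.us-west-1.amazonaws.com.lookalike.example/x",
]


def parse_s3_url(url):
    """Return (bucket, region) for an S3 object URL, or None if it is not S3."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = VHOST.match(host)
    if m:
        return m.group("bucket"), m.group("region")
    m = PATH.match(host)
    if m:
        # In path style the bucket is the first path segment.
        bucket = parts.path.lstrip("/").split("/", 1)[0]
        return (bucket, m.group("region")) if bucket else None
    return None


def summarize(urls):
    """Count requests per (bucket, region) seen in the capture."""
    hits = Counter()
    for url in urls:
        parsed = parse_s3_url(url)
        if parsed:
            hits[parsed] += 1
    return hits


if __name__ == "__main__":
    for (bucket, region), count in summarize(CAPTURE).most_common():
        print(f"{bucket}\t{region or 'unknown'}\t{count} request(s)")
```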

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.