A security researcher has discovered a critical flaw in two phone-monitoring apps, Cocospy and Spyic, which has exposed the personal data of millions of people who have the apps installed on their devices. The vulnerability allows anyone to access sensitive information, including messages, photos, call logs, and more, exfiltrated from compromised phones and tablets.

The bug also exposes the email addresses of individuals who signed up to Cocospy and Spyic, intending to plant the app on someone's device to covertly monitor them. The operators of Cocospy and Spyic have not responded to requests for comment, and the bug remains unfixed at the time of publishing.

The security researcher, who wishes to remain anonymous, told TechCrunch that the bug is relatively simple to exploit. To prevent further exploitation, TechCrunch is not publishing specific details of the vulnerability. However, the researcher was able to collect 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the bug.

The collected email addresses have been shared with Troy Hunt, who runs the data breach notification service Have I Been Pwned. Hunt has loaded a combined total of 2.65 million unique email addresses registered with Cocospy and Spyic into the service, marking the cache as "sensitive" to protect affected individuals.

Cocospy and Spyic are the latest in a long list of surveillance products that have experienced security mishaps in recent years, often due to bugs or poor security practices. According to TechCrunch's running count, Cocospy and Spyic are now among the 23 known surveillance operations since 2017 that have been hacked, breached, or otherwise exposed customers' and victims' highly sensitive data online.

Phone-monitoring apps like Cocospy and Spyic are typically sold as parental control or employee-monitoring tools but are often referred to as stalkerware (or spouseware), as some of these products explicitly promote their apps online as a means of spying on a person's spouse or romantic partner without their knowledge, which is illegal.

Stalkerware apps are banned from app stores and usually require physical access to someone's Android device to be planted, often with prior knowledge of the victim's device passcode. In the case of iPhones and iPads, stalkerware can tap into a person's device's data stored in Apple's cloud storage service iCloud, which requires using their stolen Apple account credentials.

Little is known about the operators of Cocospy and Spyic, including their identities. However, security researchers Vangelis Stykas and Felipe Solferini found evidence linking the operation of Cocospy and Spyic to 711.icu, a China-based mobile app developer.

TechCrunch installed the Cocospy and Spyic apps on a virtual device to analyze their behavior. Both apps masquerade as a nondescript-looking "System Service" app for Android, which appears to evade detection by blending in with Android's built-in apps. Our traffic analysis found that the app was sending data via Cloudflare, a network security provider that obfuscates the true real-world location and web host of the spyware operations.

While using the app, the server would occasionally respond with status or error messages in Chinese, suggesting the apps are developed by someone with a nexus to China. Neither Amazon nor Cloudflare responded to TechCrunch's inquiries about the stalkerware operations.

If you suspect that your phone has been compromised by Cocospy or Spyic, there are steps you can take to remove the stalkerware. You can enter ✱✱001✱✱ on your Android phone app's keypad and then press the "call" button to make the stalkerware apps appear on-screen. You can also check your installed apps through the apps menu in the Android Settings menu, even if the app is hidden from view.

TechCrunch has a general Android spyware removal guide that can help you identify and remove common types of phone stalkerware. Remember to have a safety plan in place, given that switching off spyware may alert the person who planted it. For Android users, switching on Google Play Protect is a helpful safeguard that can protect against malicious Android apps, including stalkerware.

For iPhone and iPad users who think they may be compromised, you should check that your Apple Account uses a long and unique password (ideally saved in a password manager) and that your account also has two-factor authentication switched on. You should also check and remove any devices from your account that you don't recognize.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.