A little-known phone surveillance operation called Spyzie has compromised more than half a million Android devices and thousands of iPhones and iPads, according to data shared by a security researcher. This latest leak highlights the growing concern of consumer phone surveillance apps, which have become increasingly prevalent among civil society.

The security researcher told TechCrunch that Spyzie is vulnerable to the same bug as Cocospy and Spyic, two near-identical but differently branded stalkerware apps that share the same source code and exposed the data of more than 2 million people. The bug allows anyone to access the phone data, including messages, photos, and location data, exfiltrated from any device compromised by the three apps.

The bug also exposes the email addresses of each customer who signed up to Spyzie to compromise someone else’s device, the researcher said. The researcher exploited the bug to collect 518,643 unique email addresses of Spyzie customers, and provided the cache of email addresses to TechCrunch and to Troy Hunt, who operates the Have I Been Pwned data breach notification site.

This latest leak shows how increasingly prevalent consumer phone surveillance apps have become among civil society, even from little-known operations like Spyzie, which barely have any online presence and are largely banned by Google from running ads in search results, and yet have amassed thousands of paying customers. Collectively, Cocospy, Spyic, and Spyzie are used by more than three million customers.

The leak also shows that flaws in stalkerware apps are increasingly common and put both the customer and victim’s data at risk. Even in the case of parents who want to use these apps to monitor their children, which is legal, they are putting their kids’ data at risk of hackers. By our count, Spyzie is now the twenty-fourth stalkerware operation since 2017 to have been hacked or otherwise leaked or exposed its victims’ highly sensitive data because of shoddy security.

Spyzie’s operators have not returned TechCrunch’s request for comment. At the time of writing, the bug has yet to be fixed. Apps like Spyzie, or Cocospy and Spyic, are designed to stay hidden from home screens, making the apps difficult to identify by their victims. All the while, the apps continually upload the contents of the victim’s device to the spyware’s servers, and are accessible to the person who planted the app.

A copy of the data shared by the security researcher with TechCrunch shows that the vast majority of affected Spyzie victims are Android device owners, whose phones have to be physically accessed to plant the Spyzie app, usually by someone with knowledge of the person’s device passcode. This is one of the reasons why these apps are typically used in the context of abusive relationships, where people often know their romantic partner’s phone passcode.

The data also shows Spyzie has been used to compromise at least 4,900 iPhones and iPads. Apple has stricter rules about which apps can run on iPhones and iPads, so stalkerware usually taps into a victim’s device data stored in Apple’s cloud storage service iCloud by using the victim’s Apple account credentials, rather than on the device itself.

Some of the earliest compromised Apple device owners date back to early late-February 2020 and as recently as July 2024, the leaked Spyzie records show. If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

For those who may be affected, there are steps you can take to remove Spyzie stalkerware from your device. For Android users, you can dial ✱✱001✱✱ into your Android phone app’s keypad and then the call button. If Spyzie is installed, it should appear on your screen. This is a backdoor feature built into the app that allows the person who planted the app on the victim’s phone to regain access. In this case, it can also be used by the victim to see if the app is installed. TechCrunch has a general Android spyware removal guide that can help you identify and remove common types of phone stalkerware, and switch on the settings to secure your Android device.

For iPhone and iPad users, Spyzie relies on using the victim’s Apple Account username and password to access the data stored in their iCloud account. You should ensure your Apple Account uses two-factor authentication, which is a vital protection against account hacks and a primary way for stalkerware to target your data. You should also check and remove any devices from your Apple account that you don’t recognize.

This latest leak serves as a reminder of the importance of cybersecurity and the need for consumers to be aware of the risks associated with phone surveillance apps. As the use of these apps continues to grow, it is essential that users take steps to protect their devices and personal data from being compromised.