'LetMeSpy' Spouse Spying App Hacked

An app for spying on a partner or employee has been hacked. It means victims of the spying could face further data security threats.

LetMeSpy is what the makers call a "parental control" and "employee control" and what critics call "stalkerware" or "spouseware". Once installed on a phone, it lets the person who installed it remotely access text messages, call logs and precise location. (Source: techcrunch.com)

The marketing is somewhat inconsistent with what the company says its intended use is for, suggesting people might put it on their own phone so that they can find the phone when lost, or access messages when they forget to take their phone with them. However, it also suggests people could use it to "protect your children from being influenced by dangers of their environment" or to deter employees from using work phones for personal calls.

App Well Hidden

The makers also note that installing the app is "child's play" and that "This program is very light and can be invisible to the user." They include a brief warning that installing it without permission could violate privacy laws.

The app itself does not appear on home screens, increasing the chances an owner won't know the app is running. It's been suggested that such apps are popular among people trying to secretly track a partner's activity, particularly in a coercive, abusive relationship.

Users can access the data through LetMeSpy's website, however it now turns out this is not properly secure. It appears a hacker was able to make a copy of the database on the site, including call logs and text messages going back a decade. The hacker also got thousands of emails of people who had paid to use the app. (Source: malwarebytes.com)

Data Protection Disaster

The leak also appears to have revealed the identity of the developer of the app, which was previously a secret. He is based in Poland and has now been reported to data protection authorities in the country. Processing data collected by the app without the permission of the person being spied on would certainly appear to be a major violation of European privacy laws.

It appears the hacker may have deleted the database from LetMeSpy's servers after taking a copy. At the time of writing, a website dashboard that shows the number of installations and the number of messages, call logs and locations tracked was displaying zero in call cases.

What's Your Opinion?

Should such apps be illegal when installed without permission? Are the developers responsible for the way people use them? Should developers face extra penalties for failing to secure data collected through such apps?