UPDATED 19:39 EDT / JUNE 27 2023

SECURITY

Data stolen in hack of spyware provider LetMeSpy

LetMeSpy, a provider of spyware for mobile devices, has been hacked, resulting in the theft of data from users and the victims they spied on.

The service, as the name suggests, is “stalkerware,” a form of software that can be used to spy on a mobile device. In LetMeSpy’s case, the company pitches itself as a tool for parental control or employee tracking, although it doesn’t take much imagination to see that it can also be used for nefarious purposes. The app collects and shares SMS messages, call logs and the phone’s location while remaining “invisible to the user.”

The Polish blog Niebezpiecznik first reported the hack on June 21, with hackers obtaining all of LetMeSpy’s logged data, affecting an estimated 13,000 Android devices. LetMeSpy also reportedly admitted to being hacked, although SiliconANGLE could not find any notice on its website.

An analysis of the stolen data by the Swiss hacker “Maia Arson Crimew” found that it included a full phpMyAdmin database. The database contained decrypted calls, message logs, email addresses and password hashes.

Of the data analyzed, the Daily Dot noted, U.S. college students were among the app’s most popular users. Other data included government domains, drug trades and some users admitting to using the app to spy on others. One email was linked to a police department in Louisiana.

“This hack demonstrates the importance of security testing when it comes to mobile applications,” Ray Kelly, a fellow at Synopsys Software Integrity Group, told SiliconANGLE. “However, mobile apps — especially ones downloaded from Apple’s App Store or Google Play — are more difficult to test than traditional web applications for security vulnerabilities.”

Kelly explained that it is critical to examine three areas where malicious actors can take advantage. The app should be tested for unencrypted credentials and the leakage of personally identifiable information, which hackers could steal. In addition, security testing should be conducted on the network layer to ensure the app is using a secure connection and is not leaking data to third-party sites. Finally, mobile app vendors must also test back-end systems for weaknesses such as open storage buckets or unvalidated application programming interface inputs that could allow malicious actors to carry out SQL injection attacks and potentially steal an entire database.

“This is where it appears LetMeSpy’s weakness was found,” Kelly added.

Image: Bing Image Creator
