Define irony: This hidden spyware app was hacked revealing its snooping customers' data.
Apps for tracking what someone is doing on their phone are a big business, typically they are marketed to parents or companies for monitoring their children's or employees' activities on their devices. However, these apps are also ripe for abuse by domestic partners and spouses, which is why these apps are sometimes called "stalkerware" or "spouseware."
LetMeSpy is a tracking app on Android that seems designed for this kind of misuse as it deliberately tries to avoid detection on the device and then quietly sends all of the text messages, call logs, and location data from the phone to the account holder. But now those account holders need to worry about being watched as LetMeSpy reported on June 21 that it was hacked and among the leaked data is information on 26,000 customers that used the free or paid version of the app (via TechCrunch).
What exactly was leaked?
Unfortunately, the leak included not only the data regarding the app's customers but also its victims. For the customers, it appears to be simply the email address associated with their account, although given the use case for this app that is still something many of them don't want to get out.
For the victims, the leaked data set includes text messages, call logs, and location data from at least 13,000 distinct devices. The call logs and text messages in some cases go all the way back to 2013, so it's a considerable trove of information regarding these individuals. While LetMeSpy has notified law enforcement and the Polish Data protection authority (that is where the developer is based), it is unclear at the moment whether the company can or will notify the victims of the data breach.
How to make sure you aren't being tracked by stalkerware on Android
There are a few simple ways to find and remove stalkerware from your Android device. (If you are an iPhone user, we have a guide on how to find and remove stalkerware on iPhone). One thing to be aware of is that the apps often won't use their full name to help them stay hidden "LetMeSpy" for example only shows as "LMS" on the victim's device, so keep that in mind as we go spyware hunting.
For Android users, the first step is to make sure Google Play Protect is active. This is a feature introduced on Android over ten years ago now that scans apps both on install and periodically on your device to ensure that they aren't doing anything malicious. It's turned on by default, so if it is turned off that is a strong indicator right away that someone has been tempering with your device.
To check whether Google Play Protect is enabled just go to Settings > Security > Play Protect. If it's active you'll see a "Scan" button in the middle of the screen, if not you'll see a button that says "Turn on."
Next up, you'll want to check for a device admin app installed on your phone. These profiles can give an app essentially full control over the device without your knowledge. This one is simple to check as well, just navigate to Settings > Security > Device admin apps. In almost all cases it should say "No active apps." The only case where there would be something here is if you have a legitimate device admin through your work, school, or a parental control app. Assuming one of those doesn't apply to you and you see a device admin app listed just tap on it to remove it from your device.
Finally, you can take a peek at Accessibility, this would be an alternative path for an app to gain the kind of sweeping permissions it needs to track all of the activities on your phone. Navigate to Settings > Accessibility and ensure that you know every app listed under "Downloaded apps" or "Accessibility services." If you see anything out of the ordinary there toggle it to off and then go to Settings > Apps > See all apps and then select that app from the list and tap "Uninstall."
That's it, hopefully you didn't find anything, but if you did we've got your device spyware-free again now.