israeli national police found trying to purchase stalkerware - #FuckStalkerware pt. 7
they're in pleasant company with other governments, intelligence companies, and data brokers
content warnings:
mentions of abuse/controlling behaviour
update: the data this reporting is based on is now available via DDoSecrets for secondary reporting, journalists interested in quotes or reproducing my research can reach out to me
most stalkerware reporting focuses on private use by abusers, stalkers or parents, and it makes sense—besides monitoring employees, those tend to be the main people stalkerware companies advertise to, and the ever-increasing normalization of surveillance is an important social issue to shed a light on. but it's always been clear, at least in theory, that this hyperavailability of relatively cheap commercial spyware also enables completely different use-cases, be it as part of fraud schemes or even by governments. during every stalkerware leak i've analyzed so far, i've always been on the lookout for the latter, and in a lot of my articles i report on government employees i've found in the databases, but so far it has always been for either private or unclear use. thanks to an anonymous source who provided me with a complete dump of the mSpy helpdesk a week ago, however, this all changes today.
the dump is massive at over 150GB of plaintext files, made up of over 5 million tickets (with over 30 million total update events) created by 2.5 million users. i spent most of my first day after receiving the data just to set up a local database to make querying it easier. the helpdesk appears to be shared between all products operated by Brainstack_, the ukrainian company behind mSpy, which is by far their biggest venture and one of the biggest stalkerware providers in general; their other services include at least two other stalkerware brands which market to slightly different audiences—at least one of them focuses entirely on infidelity and spying on partners—as well as some of the largest phone number localization services, including scannero.io and localize.mobi, and a weight loss app called lasta.
all of these services, including mSpy, function with the same kind of predatory subscription scheme, luring you in with free trials that autorenew as abhorrently expensive monthly or yearly subscriptions. canceling the service requires reaching out to support, so users are typically unable to avoid overrunning the trial. trying to convince support to issue a refund practically requires you to roll a nat20 in charisma, with them wasting your time trying to talk you into putting your subscription on pause or just simply ignoring support requests completely. this scheme means that at one point or another, most users will get funneled through the helpdesk, making it possible to vaguely guess how big their userbase is; this is complicated, however, by the fact that the helpdesk calls anyone a "user" who has ever sent, been CC'd in, or mentioned in any support email, including tons of spammers and unrelated people.
their pattern of horrible communication also extends into most other areas in the helpdesk, including how they respond to subpoenas. their initial response to these legal inquiries usually just reiterates their terms of service's assertion that mSpy may only be used within legal bounds (that is, for parental control or with consent). sometimes, even after being served a court-signed subpoena, mSpy representatives demand more and more evidence that their software was actually misused before ever handing out any data. often, they instead resort to just closing the tickets, with some legal request emails being manually closed with no response at all. these subpoenas come from all around the world and are typically for cases of stalking or harassment but sometimes even for heavier charges, including attempted murder, a common theme for these types of easily accessible tracking tools. law enforcement officers, however, don't just reach out to mSpy for legal aid; a lot of them also privately use stalkerware to spy on their own children or spouses. this notably includes a (now former) regional police chief in switzerland and an ICE enforcement and removal operations officer. other notable government workers who at one point used mSpy (mostly privately, though that is not entirely clear for all of them) are eleventh circuit US court of appeals judge Kevin Newsom, australian then-parliamentarian Mark Parnell, a then-member of Recep Erdoğan's presidential staff, and two diplomats representing france and germany.
while that's already a pretty wild lineup, that still only covers the private use of stalkerware. because stalkerware providers offer fairly robust spyware solutions for far cheaper than ones marketed for governments and with far fewer legal hurdles in their gray-area operation, it was always inevitable that governments would eventually come knocking to the scene. the first instance i found of this was in 2014 in which Yaniv Azani, CTO of the national cyber unit of the israeli federal police, reached out to mSpy in 2014 to attempt to buy a version of their software that the police could deploy on their own infrastructure. later, in 2016, Luc Schwab (a swiss national) reached out to mSpy as the COO of O.S.S.I. / irgoun, a now-defunct israeli private security and intelligence company that was also looking to whitelabel the software for use by various governments, presumably including the israeli ministry of defense. over the years dozens of other private intelligence companies working with governments and even local police departments have also contacted mSpy with similar requests for either mass licensing or whitelabelling mSpy. interested customers included the royal thai police, vietnamese defense ministry, nebraskan national guard, united arab emirates, italian law enforcement and the tasmanian police. while i couldnt find a single instance of an actual sale occurring in any of these email threads, mSpy did at some point tell O.S.S.I. that they are working on developing a whitelabel solution and added them to the list of potential partners, meaning it is possible an agreement was eventually made via other channels. and no matter if mSpy ever actually sold to governments, this shows their clear interest in stalkerware; it is thus possible other stalkerware may be in use by governments around the world.
of course government agencies arent the only ones interested in software that collects a shitton of data off personal devices—after all, that's what the entirety of the modern advertising industry is built upon. this is evidenced by emails to mSpy sent by Shafiq Rajani, vice president of Mintel, one of the largest market research companies in the world. Rajani attempted to buy data from mSpy to analyze the ads being shown by facebook and snapchat on devices with mSpy installed. a similar request was also made by placer.ai, a location-based market research company, who instead wanted to buy all of mSpy's device location data to then sell this data primarily to retailers such as target and walmart. in a third instance, german company umlaut (now owned by accenture) tried to buy network coverage information from mSpy to provide analytics services to telecommunications providers. once again, i could not find any indication that mSpy actually sold any data to any of these companies; however, some of them claimed to already be working with companies similar to mSpy. this raises a lot of legal and privacy concerns, especially considering a significant portion of the data these companies were interested in buying would have been collected without consent or from devices owned by minors.
if you have any data, insider info, vulnerabilities or any other tips related to stalkerware (or in general) you can securely reach out to me, the same goes for any journalists wanting to do secondary reporting on this data.