Amazon won’t say whether it plans to take action against three phone surveillance apps that store individuals’ private phone data on Amazon’s cloud servers, although TechCrunch notified the tech giant a few weeks ago that it was hosting the stolen phone data.
Amazon told TechCrunch that it was “following [its] process” after our February notice, but as of the time of publication, the stalkerware operations Cocospy, Spyic and Spyzie continue to upload and store photos exfiltrated from people’s phones on Amazon Web Services.
Cocospy, Spyic and Spyzie are three nearly identical Android applications that share the same source code and a common security bug, according to the security researchers who found it and provided details to TechCrunch. The researchers revealed that the operations exposed the phone data of a collective 3.1 million people, many of whom are victims unaware that their devices had been compromised. The researchers shared the data with the breach notification website Have I Been Pwned.
As part of our investigation into the stalkerware operations, which included analyzing the apps themselves, TechCrunch found that some content from devices compromised by the stalkerware apps has been uploaded to storage servers run by Amazon Web Services, or AWS.
TechCrunch notified Amazon by email on February 20 that it was hosting data exfiltrated by Cocospy and Spyic, and again earlier this week, when we notified Amazon that it was also hosting stolen phone data taken by Spyzie.
In both emails, TechCrunch included the name of each specific Amazon-hosted storage “bucket” that contains data taken from victims’ phones.
In response, Amazon spokesman Ryan Walsh told TechCrunch: “AWS’s terminology is clear and requires our customers to use our services in compliance with applicable laws. When we receive reports of potential violations, we take prompt action to review and take steps to disable prohibited content.” Walsh provided links to Amazon web pages hosting the abuse report form, but did not comment on the status of the Amazon servers used by the apps.
In a follow-up email this week, TechCrunch referenced its earlier February 20 email, which included the Amazon-hosted storage bucket names.
In response, Walsh thanked TechCrunch for “getting our attention” and provided another link to Amazon’s abuse form. When asked again whether Amazon plans to take action against the buckets, Walsh replied: “We have not received a report of abuse from TechCrunch through the link provided earlier.”
Amazon spokesman Casey McGee copied it in email thread [sic] A “report” that constitutes any potential abuse. ”
Amazon Web Services has a commercial interest in retaining paying customers, earning $39.8 billion in profit in mid-2024, per the company’s full-year revenue figures for 2024, representing the majority of Amazon’s annual total revenue.
At the time of publication, the storage buckets used by Cocospy, Spyic and Spyzie are still active.
Why this matters
Amazon’s own acceptable use policy spells out broadly what the company allows customers to host on its platform. Amazon does not appear to dispute that it disallows spyware and stalkerware operations from uploading data to its platform. Instead, Amazon’s dispute appears to be entirely procedural.
It is not the job of journalists, or anyone else, to police what is hosted on Amazon’s or any other company’s cloud platform.
Amazon has huge resources, both financial and technical, to enforce its own policies by ensuring that bad actors do not abuse its services.
In the end, TechCrunch provided Amazon with notice, including information pointing directly to the location of the stolen private phone data. Amazon chose not to act on the information it received.
How we find victim data hosted on Amazon
When TechCrunch learns of a surveillance-related data breach (there have been dozens of stalkerware hacks and leaks in recent years), we investigate to learn as much as possible about the operation.
Our investigations can help identify victims whose phones were hacked, but they can also reveal the often hidden real-world identities of the surveillance operators themselves, and which platforms are used to facilitate the surveillance or host the victims’ stolen data. TechCrunch will also analyze the applications (where available) to help victims determine how to identify and remove them.
As part of our reporting process, TechCrunch will contact any company we identify as hosting or supporting spyware and stalkerware operations, as is standard practice for journalists who plan to mention a company in a story. It is also not uncommon for companies, such as web hosts and payment processors, to suspend accounts or delete data that violate their own terms of service, including spyware operations previously hosted on Amazon.
In February, TechCrunch learned that Cocospy and Spyic had been breached, and we set out to investigate further.
Since the data suggested that most of the victims were Android device owners, TechCrunch started by identifying, downloading and installing the Cocospy and Spyic applications on a virtual Android device. (A virtual device allows us to run the stalkerware applications in a protected sandbox without giving either application any real-world data, such as our location.) Both Cocospy and Spyic appeared as identical-looking apps called “system services” that try to evade detection by blending in with Android’s built-in applications.
We used network traffic analysis tools to inspect the data flowing in and out of the applications, which can help to understand how each application works and to determine which phone data is being uploaded from our test device.
The network traffic showed that the two stalkerware applications were uploading some victims’ data (such as photos) to their namesake storage buckets hosted on Amazon Web Services.

We further confirmed this by logging into the Cocospy and Spyic user dashboards, which allow the people who plant the stalkerware apps to view the target’s stolen data. Once we had deliberately compromised our virtual device with the stalkerware apps, the web dashboards allowed us to access the contents of the virtual Android device’s photo gallery.
When we opened the contents of our device’s photo gallery from each application’s web dashboard, the images loaded from web addresses containing their respective bucket names, hosted on the amazonaws.com domain, which is run by Amazon Web Services.
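The step described above, as an added example that is not TechCrunch's own tooling: one way to pull storage bucket names out of URLs exported from a traffic capture of your own test device. It goes slightly beyond the text by handling both virtual-hosted and path-style S3 addresses; every URL and bucket name below is a constructed placeholder.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# S3 endpoint hostnames: s3.amazonaws.com, s3.<region>.amazonaws.com,
# legacy s3-<region>.amazonaws.com and dualstack variants, optionally
# prefixed by "<bucket>." (virtual-hosted style). Anchored at both ends so
# look-alike hosts such as "...amazonaws.com.example.invalid" do not match.
_S3_ENDPOINT = re.compile(
    r"^(?:(?P<bucket>.+)\.)?s3(?:[.-](?:dualstack\.)?[a-z0-9-]+)?\.amazonaws\.com$"
)

def s3_bucket_from_url(url):
    """Return the S3 bucket a URL points at, or None if it is not an S3 URL."""
    parts = urlsplit(url)
    match = _S3_ENDPOINT.match((parts.hostname or "").lower())
    if not match:
        return None
    if match.group("bucket"):
        # Virtual-hosted style: https://<bucket>.s3.<region>.amazonaws.com/<key>
        return match.group("bucket")
    # Path style: https://s3.<region>.amazonaws.com/<bucket>/<key>
    first_segment = parts.path.lstrip("/").split("/", 1)[0]
    return first_segment or None

def buckets_in_capture(urls):
    """Count requests per bucket across URLs exported from a proxy capture."""
    return Counter(b for b in map(s3_bucket_from_url, urls) if b)

# Constructed sample capture (placeholder names, not from the article).
CAPTURED_URLS = [
    "https://example-app-media.s3.amazonaws.com/gallery/0001.jpg",
    "https://example-app-media.s3.us-west-2.amazonaws.com/gallery/0002.jpg?X-Amz-Expires=300",
    "https://s3.eu-central-1.amazonaws.com/example-other-bucket/thumb/0001.png",
    "https://api.example.invalid/v1/device/heartbeat",
    "https://example-app-media.s3.amazonaws.com.example.invalid/lookalike.jpg",
]

if __name__ == "__main__":
    for bucket, hits in buckets_in_capture(CAPTURED_URLS).most_common():
        print(f"{bucket}\t{hits}")
```

The resulting bucket names are what a hosting provider's abuse team needs in order to locate the content being reported.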
Following later news of the Spyzie data breach, TechCrunch also used a network analysis tool to analyze Spyzie’s Android application and found that the traffic data was the same as for Cocospy and Spyic. The Spyzie app was similarly uploading victims’ device data to its own namesake storage bucket, which we alerted Amazon to on March 10.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential support for victims of domestic abuse and violence. If you are in an emergency, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.