New TheTruthSpy Flaw Exposes Phone Spyware Victims

Summary
– TheTruthSpy stalkerware has a critical vulnerability allowing anyone to hijack user accounts and access victims’ sensitive data.
– This security flaw was discovered by an independent researcher and confirmed by TechCrunch, but the developer claims the source code is lost and cannot fix it.
– TheTruthSpy has a history of multiple data breaches, with at least four security lapses exposing hundreds of thousands of victims’ personal information.
– The spyware operation has rebranded as PhoneParental but continues using the same vulnerable infrastructure and software framework.
– These apps facilitate illegal spying, primarily by abusive partners, and consistently demonstrate an inability to protect victims’ data.
A newly discovered security flaw in TheTruthSpy spyware platform allows unauthorized individuals to hijack user accounts and access highly sensitive personal information extracted from compromised mobile devices. This critical vulnerability, identified by independent security researcher Swarang Wade, enables attackers to reset passwords and take control of any account associated with TheTruthSpy and its companion Android surveillance applications. Given the non-consensual nature of how this software is typically deployed, countless individuals remain unaware that their private communications, location history, and personal media are being exposed to potential exploitation.
This incident marks at least the fourth major security failure linked to TheTruthSpy, reinforcing concerns about the inadequate data protection practices common among consumer spyware manufacturers. Such applications not only enable illegal surveillance—often utilized by abusive partners—but also demonstrate repeated negligence in safeguarding the very data they illicitly collect. TechCrunch has documented 26 separate spyware operations that have experienced significant data leaks in recent years, highlighting a pervasive industry-wide disregard for security.
The vulnerability was confirmed through controlled testing in which researchers successfully altered account passwords using only basic username information. Despite attempts to notify TheTruthSpy’s director, Van Thieu, no corrective action was taken, with Thieu claiming the source code had been “lost” and the bug could not be repaired. As of now, the weakness remains active, placing thousands of surveillance victims at ongoing risk of having their stolen data accessed by malicious third parties.
TheTruthSpy, operated by Vietnam-based 1Byte Software, has been a dominant player in the phone surveillance market for nearly a decade. Its infrastructure supports multiple rebranded applications such as Copy9, and formerly included iSpyoo and MxSpy, all sharing the same vulnerable backend systems. This means that security flaws within TheTruthSpy inevitably affect users across its entire network of white-labeled spyware products.
In 2021, a separate security failure exposed data belonging to approximately 400,000 people, including private messages, photos, and real-time location records. TechCrunch later obtained server files that revealed not only the scale of the operation but also the inner mechanisms of a sophisticated money laundering scheme designed to bypass financial restrictions on spyware transactions. These documents showed how TheTruthSpy funneled millions in customer payments through fabricated identities and forged paperwork.
A more recent breach in late 2023 compromised an additional 50,000 victims, with data again added to a public lookup tool maintained by TechCrunch to help individuals check if their devices have been affected.
Despite these repeated failures, TheTruthSpy continues to operate, recently rebranding part of its business as PhoneParental. Thieu remains involved in spyware development, including a new app called MyPhones.app, which still relies on the same vulnerable JFramework backend previously used by TheTruthSpy.
This pattern of negligence underscores a grim reality: stalkerware vendors pose a dual threat—not only do they facilitate invasive spying, but they also consistently fail to protect the stolen data they collect. For those concerned about potential surveillance, resources are available through the Coalition Against Stalkerware, and immediate support can be accessed via the National Domestic Violence Hotline at 1-800-799-7233. In emergencies, dialing 911 is advised.
(Source: TechCrunch)