LetMeSpy Phone-Tracking App Hacked, Revealing User Data

With at least 13,000 compromised devices in the data leak, it is still unknown who the threat actor is or whether or not victims will be personally notified.

Dark Reading Staff, Dark Reading

June 28, 2023

2 Min Read
an image of an eye with digital imaging on it indicating some sort of spyware.
Source: Robert Brown via Alamy Stock Photo

LetMeSpy, an Android phone-tracking company that has been used to track more than 236,000 phones, was hacked on June 21, resulting in threat actors gaining unauthorized access to its users' data dating as far back as 2013.

The hack was discovered by a Polish security research team at Niebezpiecznik, which contacted the maker of the spyware app — but the researchers instead received a response from the threat actor, suggesting the person had taken over the LetMeSpy domain. It is unknown who the threat actor is or what the motives are. 

The phone-tracking app, designed to be hidden from the home screen of a phone in order to remain undetected, was created for and marketed toward parents to control the phone usage of minors and for employers to monitor employees. But the app can also be used in more malicious and threatening "stalkerware" ways, such as an abusive spouse planting the app in a partner's phone, allowing access to any data the stalker deems necessary. Once the app is downloaded, it uploads information — including texts, call logs, and location data — so that an individual can be tracked to a precise location.

Target for Leaks and Hacks

Because they have a deep level of accessibility into phone, these types of apps are targets for leaks and hacks.

"The database we reviewed contained current records on at least 13,000 compromised devices, including detailed phone records, though some of the devices shared little to no data with LetMeSpy (LetMeSpy claims to delete data after two months of account inactivity)," stated TechCrunch, which obtained a copy of the leaked data.

LetMeSpy has stated that it has notified law enforcement and its local data protection authority, UODO, but it is unknown as to whether or not it will be notifying victims who have compromised phones.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights