Support King, banned by FTC, linked to new phone spying operation
A year after banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a TechCrunch investigation has found.
A landmark FTC order in 2021 banned stalkerware app SpyFone, its parent company Support King and its CEO Scott Zuckerman from the surveillance industry. The order, unanimously approved by the regulator’s five sitting commissioners, also required Support King to delete the phone data it illegally collected and notify victims that the app was secretly installed on their device.
Stalkerware, or spouseware, are apps surreptitiously planted by someone with physical access to a person’s phone, often under the guise of family tracking or child monitoring, except that these apps are designed to stay hidden from home screens while being uploaded silently the contents of a person’s phone, including text messages, photos, browsing history and detailed location data.
But many stalkerware apps – such as KidsGuard, TheTruthSpy and Xnspy – have security flaws that put thousands of people’s personal phone data at risk of further compromise.
This also includes SpyFone, whose unsecured cloud storage server spilled personal data stolen from more than 2,000 victims’ phones, prompting the FTC to investigate and subsequently ban Support King and its CEO Zuckerman from offering, distributing, promoting or otherwise assisting to with the sale. of monitoring apps.
Since then, TechCrunch has received additional tranches of data, including from the internal servers of a stalkerware app called SpyTrac, which is run by developers with ties to Support King.
Meet Aztec Labs
With more than a million user entries, SpyTrac is one of the largest known active Android stalkerware operations, and more than triples the number of victims caught by TheTruthSpy. Despite its vast international reach, US visitors to SpyTrac’s website are blocked with an abrupt message saying “your country is not supported.”
But SpyTrac is like any other stalkerware app, including its ability to stay hidden on a victim’s device. SpyTrac’s website also does not name the people running the operation, which is likely to protect the developers from the legal and reputational risks associated with running a stalkerware operation.
According to the data and other public records seen by TechCrunch, SpyTrac is managed by developers working for both Support King and a developer outfit called Aztec Labs, which builds and maintains the SpyTrac stalkerware operation. Aztec Labs also has an almost identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy mobile”) and another clone stalkerware app called StealthX Pro, the data shows.
Some of the data contained on SpyTrac’s server links SpyTrac directly to Support King.
One of the server files contained a set of Amazon Web Services private keys that provide access to cloud storage linked to Support King and GovAssist, a website that claims to help immigrants obtain US visas and permanent residency. The keys also provide access to cloud storage for OneClickMonitor, a clone stalkerware app that Support King shut down at the same time as SpyFone.
Both Support King and GovAssist are led by CEO Scott Zuckerman.
When reached by email, Zuckerman told TechCrunch: “We are investigating your allegations that SpyTrac internal data stored AWS keys that may be connected to S3 buckets related to Support King, GovAssist and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC Order.”
An edited screenshot from a SpyTrac video, referencing SpyFone, a Support King surveillance app that was banned by the FTC a year earlier. Image credit: TechCrunch (screenshot)
Access logs seen by TechCrunch show at least two Aztec Labs developers logging into SpyTrac’s servers using different sets of credentials, but each from the same IP addresses. Both developers logged in from IP addresses registered with a Bosnian broadband provider using credentials associated with Aztec Labs, SpyTrac and Support King email addresses.
One of the developers is Aztec Labs’ technical director, whose LinkedIn says he is based in Sarajevo. His other public freelance portfolios show his work as a program manager at Support King, a role he describes as “leading the entire IT team.”
According to LinkedIn profiles and other work portfolios, the technical lead and other SpyTrac developers are also working on Zuckerman’s latest venture, GovAssist.
The access logs also show a third developer logging into SpyTrac’s servers, also from their home IP address in Sarajevo, using different sets of credentials associated with Support King, Aztec Labs, and GovAssist email addresses.
In response, Zuckerman told TechCrunch: “Neither I nor any of my businesses are affiliated with Aztec Labs, SpyTrac or [the technical lead, who] worked as an independent contractor for Support King between June 2019 and October 2021. We also do not have access to SpyTrac’s servers.”
The SpyFone connection
SpyFone, the stalkerware app banned by the FTC in September 2021, no longer works.
The internal SpyTrac data we’ve seen shows that SpyFone issued its last customer license just days before it was banned by the FTC. SpyFone’s domain name was sold to another phone monitoring manufacturer, SpyPhone. Customers who tried to log into SpyFone’s web dashboard, used to access a victim’s stolen data, were redirected to SpyPhone’s website instead.
The FTC’s 2021 order also required Support King to delete the data it had illegally collected from SpyFone. But the internal SpyTrac data seen by TechCrunch still contains thousands of records related to SpyFone licenses assigned to the email addresses of purchasing customers.
Each SpyFone license was sold by a reseller with a Support King email address, the data showed.
SpyTrac also became known to security researchers Vangelis Stykas and Felipe Solferini, whose months-long research identified common and easy-to-find security flaws in several stalkerware families, including SpyTrac. Their findings, which they presented at BSides London this month, involved decompiling the apps and mapping their server infrastructure using public internet data. Their evidence links SpyTrac to Support King.
Zuckerman said in response, “Support King deleted all data on its servers related to SpyFone and OneClickMonitor customers pursuant to the FTC order.”
Shortly after TechCrunch contacted Zuckerman for comment, SpyTrac’s website went offline with a message that “the product is temporarily unavailable.” The websites for SpyTrac’s clone stalkerware apps, StealthX Pro and its Spanish-language clone Espía Móvil, also went offline. Aztec Labs’ website also stopped loading.
After TechCrunch published this piece, Support King’s website also went offline.
A screenshot of the FTC notice on Support King’s website. Image credit: TechCrunch (screenshot)
Stalkerware is a difficult problem to combat. These operations are secretive by design, making it difficult for regulators to investigate or know under whose jurisdiction they fall.
In 2020, the FTC took its first-ever action against a stalkerware operator, Retina-X, which was hacked multiple times and later shut down. The FTC’s second action was against Support King a year later.
Companies that violate FTC orders can face significant civil penalties. Earlier this year, Twitter was ordered to pay $150 million for violating a 2011 FTC order.
Instead, much of the effort against stalkerware and other commercial surveillance has been taken up by the technology industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads in its search results that promote stalkerware. Anti-malware vendors who are members of the Coalition Against Stalkerware, launched in 2019 to support stalkerware victims and survivors, collectively share signatures of known stalkerware apps and networks to block them from working on customers’ phones.
A former FTC attorney, who reviewed our findings before publication, told TechCrunch that the evidence points to a likely violation of the FTC’s ban. Whether Support King breached its agreement with the FTC will ultimately be up to the agency to decide.
When reached, an FTC spokesperson declined to comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential support 24/7 for victims of domestic abuse and violence. If you’re in an emergency, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or [email protected] via email.