A year after being banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a Eureka News Now investigation has found.
A landmark 2021 FTC order banned stalkerware app SpyFone, its parent company Support King, and its CEO Scott Zuckerman from the surveillance industry. The order, which was unanimously approved by the regulator’s five incumbent commissioners, also required Support King to wipe the illegally collected phone data and inform victims that its app was secretly installed on their device.
Stalkerware or spousal ware are apps that are secretly installed by someone with physical access to a person’s phone, often under the guise of family tracking or child monitoring, except these apps are designed to remain hidden from home screens while silently uploading will the contents of a person’s phone, including their text messages, photos, browsing history, and granular location data.
But many stalkerware apps — like KidsGuard, TheTruthSpy, and Xnspy — have security flaws that put thousands of people’s personal phone data at risk of further compromise.
This includes SpyFone, whose unsecured cloud storage server leaked the personal information stolen from the phones of more than 2,000 victims, prompting the FTC to investigate and subsequently ban Support King and its CEO Zuckerman from offering to sell, distribute, promote or otherwise support monitoring apps.
Since then, Eureka News Now has received additional tranches of data, including from the internal servers of a stalkerware app called SpyTrac, run by developers with ties to Support King.
Meet Aztec Labs
With more than 1.3 million compromised devices, SpyTrac is one of the largest known active Android stalkerware operations, more than trebling the number of victims caught by TheTruthSpy. Despite the wide international reach, US visitors to SpyTrac’s website are blocked with an abrupt message stating “Your country is not supported”.
But SpyTrac is like any other stalkerware app, including its ability to remain hidden on a victim’s device. SpyTrac’s website also makes no mention of the people performing the operation, which is likely to protect the developers from legal and reputational risks associated with conducting a stalkerware operation.
According to data and other public records viewed by Eureka News Now, SpyTrac is managed by developers working for both Support King and a group of developers called Aztec Labs, who build and maintain the SpyTrac stalkerware operation. Aztec Labs also maintains a nearly identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy phone”) and another clone stalkerware app called StealthX Pro, the data shows.
Some of the data found on SpyTrac’s server connects SpyTrac directly to Support King.
One of the server files contained a set of Amazon Web Services private keys that allow access to cloud storage related to Support King and GovAssist, a website said to help immigrants obtain US visas and permanent residency permits. The keys also allow access to cloud storage for OneClickMonitor, a clone stalkerware app that Support King shut down at the same time as SpyFone.
Both Support King and GovAssist are led by Chief Executive Scott Zuckerman.
Reached via email, Zuckerman told Eureka News Now, “We are investigating your claims that SpyTrac internal data stored AWS keys that may be associated with S3 buckets related to Support King, GovAssist, and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC regulation.”
Access logs viewed by Eureka News Now show that at least two Aztec Labs developers logged into SpyTrac’s servers using different credentials, but each from the same IP addresses. Both developers signed up using IP addresses registered with a Bosnian residential broadband provider, using credentials associated with Aztec Labs, SpyTrac and Support King email addresses.
One of the developers is the technical lead at Aztec Labs, whose LinkedIn says he is based in Sarajevo. His other public freelance portfolios list his work as a program manager at Support King, a role he describes as “managing the entire IT team.”
According to LinkedIn profiles and other work portfolios, the technical lead and other SpyTrac developers are also working on Zuckerman’s latest project, GovAssist.
The access logs also show that a third party developer is logging into SpyTrac’s servers, also from their private IP address in Sarajevo, using different sets of credentials associated with Support King, Aztec Labs, and GovAssist are linked.
In response, Zuckerman told Eureka News Now, “Neither I nor any of my companies are affiliated with Aztec Labs, SpyTrac or [the technical lead, who] worked as an independent contractor for Support King between June 2019 and October 2021. We also do not have access to SpyTrac’s servers.”
The SpyFone connection
SpyFone, the stalkerware app banned by the FTC in September 2021, has stopped working.
The internal SpyTrac data we saw shows that SpyFone issued its last customer license just days before the FTC banned it. SpyFone’s domain name has been sold to another phone surveillance manufacturer, SpyPhone. Customers attempting to log into SpyFone’s web dashboard, which is used to access a victim’s stolen data, were redirected to SpyPhone’s website instead.
The 2021 FTC order also required Support King to delete the data it had illegally collected from SpyFone. However, internal SpyTrac data viewed by Eureka News Now still includes thousands of records associated with SpyFone licenses assigned to buying customers’ email addresses.
Each SpyFone license was sold by a reseller with a Support King email address, the data showed.
Security researchers have also become aware of SpyTrac Vangelis Stykas and Felipe Solferini, whose months of research identified common and easy-to-find vulnerabilities in several families of stalkerware, including SpyTrac. Their findings, presented at BSides London this month, involved decompiling the apps and mapping their server infrastructure using public internet data. Your evidence connects SpyTrac to Support King.
Zuckerman said in response, “Support King has deleted all data on its servers associated with SpyFone and OneClickMonitor customers in accordance with FTC regulation.”
Shortly after Eureka News Now reached out to Zuckerman for comment, SpyTrac’s website went offline with a message saying “The product is temporarily unavailable.” The websites for SpyTrac’s clone stalkerware apps StealthX Pro and its Spanish-language clone Espía Móvil also went offline. The Aztec Labs website also stopped loading.
Stalkerware is a difficult problem to combat. These operations are classified by nature, making it difficult for regulators to investigate or know whose jurisdiction they fall under.
In 2020, the FTC took its first action against a stalkerware operator, Retina-X, which was hacked multiple times and later shut down. A year later, the FTC’s second action was directed against Support King.
Businesses violating FTC orders can face significant civil penalties. Earlier this year, Twitter was fined $150 million for violating a 2011 FTC order.
Instead, much of the effort against stalkerware and other commercial surveillance has been picked up by the tech industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads in its search results promoting stalkerware. Anti-malware vendors who are members of the Coalition Against Stalkerware, formed in 2019 to support stalkerware victims and survivors, collectively share signatures of known stalkerware apps and networks to prevent them from running on their customers’ phones to work.
A former FTC attorney who reviewed our findings before publication told Eureka News Now that the evidence points to a likely violation of the FTC’s ban. Whether Support King has broken its agreement with the FTC will ultimately be decided by the agency.
When reached, an FTC spokesman declined to comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, 24-hour, confidential support for victims of domestic violence and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or email email@example.com.