It's unexpected to me that someone with the technical know-how to build spyware like this, and a nice web interface for it, made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
> Q: Can I monitor a phone without them knowing?
> A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.
How is that even possible on a modern Android? I'd think one of the explicit goals of the security model would be to prevent this.
The TechCrunch article says
> Google said it added new protections for Google Play Protect
But the screenshot of the device settings in the article shows that the app has you turn off Google Play Protect. So does this even do anything?
Meanwhile Google (via its Firebase brand) is apparently continuing to act as a host for this app...
Some time ago I was having super weird phone issues (iPhone) and narrowed it down to one of these services. I clearly had been 0-click vuln'd because I couldn't fathom how else it could have been infected, but had no idea who or why; still don't know. Felt extremely gross, and I have absolutely zero sympathy for any users or operators of these services and think this researcher was far too polite about it.
From sqlmap
> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.
Sometimes, I wish engineers running backend services were not hindered by management nonsense and would just nuke these systems when they are reported, sufficiently backed up with evidence (like here -- though I'd do a personal check first to verify). Seems like some did (congrats), others didn't (Firebase). I can assure you if I was on the other end, I would have escalated until I got fired or the service was down. Unimaginable that some let these run, wake up in the morning, look in the mirror and aren't ashamed of themselves.
People will continue doing their unethical behaviour not because we aren't on the streets fighting for the right thing, but because we just don't care enough, and let them continue.
> The live photo and microphone options are particularly creepy, successfully taking a photo or recording and uploading it for me to view near-instantly on the control panel without giving the phone user the slightest sign that anything is amiss
Oh dear.
Someone who is in the malware business will 100% not sue you for what you did; I wouldn't worry about that at all. You did a good job!
Isn't using software like this deeply illegal? Or is that a legislative blind spot? Seems like this database should be sent to the FBI, and someone can make a career out of prosecuting.
>Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.
I was surprised at how the malware devs made such sloppy mistakes, but being on Firebase protected them from more severe vulnerabilities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.