A year after it was banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a TechCrunch investigation has found.
A groundbreaking FTC order in 2021 banned the stalkerware app SpyFone, its parent company Support King, and its chief executive Scott Zuckerman from the surveillance industry. The order, unanimously approved by the regulator’s five sitting commissioners, also demanded that Support King delete the phone data it illegally collected and notify victims that its app was secretly installed on their device.
Stalkerware, or spouseware, are apps that are surreptitiously planted by someone with physical access to a person’s phone, often under the guise of family tracking or child monitoring, except that these apps are designed to stay hidden from home screens, all the while silently uploading the contents of a person’s phone, including their text messages, photos, browsing history, and granular location data.
But many stalkerware apps — like KidsGuard, TheTruthSpy and Xnspy — have security flaws that put thousands of people’s personal phone data at risk of further compromise.
That also includes SpyFone, whose unsecured cloud storage server spilled the personal data stolen from more than 2,000 victims’ phones, prompting the FTC to investigate and subsequently ban Support King and its CEO Zuckerman from offering, distributing, promoting, or otherwise assisting in the sale of surveillance apps.
Since then, TechCrunch has received further tranches of data, including from the internal servers of a stalkerware app called SpyTrac, which is run by developers with ties to Support King.
Meet Aztec Labs
With more than 1.3 million compromised devices, SpyTrac is one of the biggest known active Android stalkerware operations, surpassing the number of victims ensnared by TheTruthSpy more than threefold. Despite its vast international reach, U.S. visitors to SpyTrac’s website are blocked with an abrupt message stating that “your country is not supported.”
But SpyTrac is like any other stalkerware app, including its ability to stay hidden on a victim’s device. SpyTrac’s website also makes no mention of the individuals running the operation, likely to shield the developers from legal and reputational risks associated with running a stalkerware operation.
According to the data and other public records seen by TechCrunch, SpyTrac is managed by developers who work for both Support King and an outfit of developers called Aztec Labs, which builds and maintains the SpyTrac stalkerware operation. Aztec Labs also maintains a near-identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy mobile”), and another clone stalkerware app called StealthX Pro, the data shows.
Some of the data found on SpyTrac’s server directly connects SpyTrac to Support King.
One of the server files contained a set of Amazon Web Services private keys that allow access to cloud storage associated with Support King and GovAssist, a website that claims to help immigrants obtain U.S. visas and permanent residency permits. The keys also allow access to cloud storage for OneClickMonitor, a clone stalkerware app that Support King shut down at the same time as SpyFone.
Both Support King and GovAssist are headed by chief executive Scott Zuckerman.
When reached by email, Zuckerman told TechCrunch: “We are investigating your claims that SpyTrac internal data was storing AWS keys that may be connected to S3 buckets relating to Support King, GovAssist, and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC Order.”
Access logs seen by TechCrunch show at least two Aztec Labs developers logging in to SpyTrac’s servers using different sets of credentials, but each from the same IP addresses. Both of the developers logged in from IP addresses registered to a Bosnian residential broadband provider using credentials associated with Aztec Labs, SpyTrac, and Support King email addresses.
One of the developers is Aztec Labs’ technical lead, whose LinkedIn says he is based in Sarajevo. His other public freelance portfolios list his work as a program manager at Support King, a role that he describes as “managing the entire IT team.”
According to LinkedIn profiles and other work portfolios, the technical lead and other SpyTrac developers also work on Zuckerman’s latest venture, GovAssist.
The access logs also show a third developer logging in to SpyTrac’s servers, also from their home IP address in Sarajevo, using different sets of credentials associated with Support King, Aztec Labs, and GovAssist email addresses.
In response, Zuckerman told TechCrunch: “Neither I, nor any of my businesses, are affiliated with Aztec Labs, SpyTrac, or [the technical lead, who] worked as an independent contractor for Support King between June 2019 and October 2021. Nor do we have access to SpyTrac’s servers.”
The SpyFone connection
SpyFone, the stalkerware app banned by the FTC in September 2021, no longer operates.
The internal SpyTrac data we have seen shows that SpyFone issued its last customer license just days before it was banned by the FTC. SpyFone’s domain name was sold to another phone surveillance maker, SpyPhone. Customers trying to log in to SpyFone’s web dashboard, used for accessing a victim’s stolen data, were redirected to SpyPhone’s website instead.
The FTC’s 2021 order also demanded that Support King delete the data it had illegally collected from SpyFone. But the internal SpyTrac data seen by TechCrunch still contains thousands of records associated with SpyFone licenses assigned to the email addresses of buying customers.
Every SpyFone license was sold by a reseller with a Support King email address, the data showed.
SpyTrac also came to the attention of security researchers Vangelis Stykas and Felipe Solferini, whose months-long research identified common and easy-to-find security flaws in several stalkerware families, including SpyTrac. Their findings, which they presented at BSides London this month, involved decompiling the apps and mapping out their server infrastructure using public internet data. Their evidence links SpyTrac to Support King.
Zuckerman said in response: “Support King deleted all data in its servers connected with SpyFone and OneClickMonitor customers pursuant to the FTC Order.”
A short time after TechCrunch contacted Zuckerman for comment, SpyTrac’s website went offline with a message saying the “product is temporarily not available.” The websites for SpyTrac’s clone stalkerware apps, StealthX Pro and its Spanish-language clone Espía Móvil, also went offline. Aztec Labs’ website also stopped loading.
Stalkerware is a difficult problem to combat. These operations are clandestine by design, making it difficult for regulators to investigate or know under whose jurisdiction they fall.
In 2020, the FTC took its first ever action against a stalkerware operator, Retina-X, which was hacked several times and later shut down. The FTC’s second action was against Support King a year later.
Companies that violate FTC orders can face considerable civil penalties. Earlier this year, Twitter was ordered to pay $150 million for violating an FTC order from 2011.
Instead, much of the effort against stalkerware and other commercial surveillance has been taken up by the tech industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads in its search results that promote stalkerware. Anti-malware providers who are members of the Coalition Against Stalkerware, which launched in 2019 to support victims and survivors of stalkerware, collectively share signatures of known stalkerware apps and networks to block them from working on their customers’ phones.
A former FTC attorney, who reviewed our findings ahead of publication, told TechCrunch that the evidence points to a likely breach of the FTC’s ban. As to whether Support King broke its agreement with the FTC will ultimately be for the agency to decide.
When reached, a spokesperson for the FTC declined to comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or firstname.lastname@example.org by email.