
U.S. Authorities Indict Maker of Mobile Spy App 'StealthGenie'

The chief executive of a company that develops and sells spying software for mobile devices has been indicted in the Eastern District of Virginia in what's said to be the first-ever criminal case involving the advertisement and sale of mobile spyware.  

Pakistani national Hammad Akbar, 31, the CEO of InvoCode Pvt Ltd, the company that commercializes the StealthGenie spy application, has been charged with conspiracy, sale of a surreptitious interception device, advertisement of a known interception device, and advertising a device as a surreptitious interception device.

StealthGenie is a mobile application that can be used to listen to and record phone calls, intercept SMS messages, track an individual's location, read emails and instant messages, view multimedia files, monitor Internet activities and even control devices remotely. The application works on iOS, Android and BlackBerry devices and it's designed not to leave any clues that could reveal its existence to the targeted individual.

StealthGenie users must install the application by gaining physical access to the targeted device. The information collected by the app can then be accessed through the StealthGenie website. The spy application has been sold for up to $200, the price of a premium package for a period of 12 months.

Prosecutors claim that the marketing of the app targeted individuals who suspected their spouses or romantic partners of infidelity. Furthermore, the language and testimonials used on the StealthGenie website focused on potential customers who did not have any ownership interest in the devices they were targeting.

Hammad Akbar was arrested in Los Angeles on September 27 and appeared before a magistrate judge in the Central District of California on Monday.

"Selling spyware is not just reprehensible, it’s a crime," said Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division. "Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life – all without the victim’s knowledge.  The Criminal Division is committed to cracking down on those who seek to profit from technology designed and used to commit brazen invasions of individual privacy."

"This application allegedly equips potential stalkers and criminals with a means to invade an individual’s confidential communications," commented Assistant Director in Charge Andrew McCabe of the FBI’s Washington Field Office. "They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victim’s phones and illegally tracking an individual’s every move.  As technology continues to evolve, the FBI will investigate and bring to justice those who use illegal means to monitor and track individuals without their knowledge."

Some experts say the indictment is unusual considering the widespread availability of applications that enable tracking.

"StealthGenie merely bundles all of these features into a single application and makes the purpose explicit. Shame on them for making it explicit, versus other code name uses for tracking pets and dogs. By purporting this software is to spy on partners, rather than tracking children or pets, the US Attorney's office is saying this is over the line," Pat Belcher, director of security analytics for Invincea, told SecurityWeek.

"According to the indictment, however, the software maker never suggested that the software be installed on a device that was not already under personal control and the user did not have access rights to it. He did not exploit software, nor did he create malicious websites or code to surreptitiously install the code. The Android app store is full of similarly Trojaned apps that steal personal data and track users. At least this one was advertised with full disclosure," Belcher added.

The Internet archive website Wayback Machine shows that StealthGenie was in fact advertised as a spying application for cheated spouses when it was launched. However, the marketing tactic seems to have changed sometime in 2012 when the company started advertising the software for parental control and employee monitoring. That's when the creators of StealthGenie started displaying a disclaimer stating that users must own the mobile devices they are monitoring or they must obtain written permission from the targeted individual.

The StealthGenie website is hosted at a data center in Ashburn, Virginia. The site has been temporarily disabled by the FBI based on a restraining order issued by a federal judge in the Eastern District of Virginia on September 26.

"I once witnessed a keystroke logger and URL logger installed on a DoD endpoint. A soldier had problems with pornography addiction, and to save his marriage, as directed by a marriage counselor, he agreed to install this application on every computer he had access to, both at home and at work. The keystrokes and URLs visited were automatically uploaded to a site that the suspicious spouse had access to for monitoring purposes," Belcher said. "When confronted by an IT manager about this egregious spyware on a DoD endpoint, the soldier was actually allowed to keep the spyware in place! I fail to see how this StealthGenie app is any different, other than marketing."

 

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.