Full Report
Amazon won't say if it will stop hosting data from three phone surveillance operations that spilled private data on millions of people.
© 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Incident Report: Hosting of Stalkerware-Exfiltrated Private Phone Data on AWS
## Executive Summary
Three near-identical Android stalkerware applications (Cocospy, Spyic, and Spyzie) were discovered exfiltrating private phone data, including photos, from an estimated 3.1 million individuals and storing these troves of stolen data in storage buckets hosted on Amazon Web Services (AWS). The affected organization is Amazon/AWS, as the platform facilitator; the incident was brought to its attention by TechCrunch. As of the report, AWS had not publicly confirmed taking definitive action to disable the storage buckets used for this illicit activity, despite clear notification that customer data was being hosted in violation of its acceptable use policies.
## Incident Details
- Discovery Date: February 20 (Initial notification to Amazon regarding Cocospy/Spyic)
- Incident Date: Ongoing; data collected before the notification dates remained stored.
- Affected Organization: Amazon Web Services (AWS) customers (Cocospy, Spyic, Spyzie) and their subsequent victims.
- Sector: Cloud Services/Technology.
- Geography: Global (data hosted on AWS infrastructure).
## Timeline of Events
### Initial Access
- Date/Time: Pre-dating February 20, 2025. The exact compromise timing for individual victims is unknown, but the data was actively being uploaded to AWS prior to notification.
- Vector: Installation of near-identical Android stalkerware apps (Cocospy, Spyic, Spyzie) on victim devices.
- Details: The apps share common source code and a security bug, allowing them to stealthily upload private data from compromised phones.
### Lateral Movement
- Details: The article focuses on data *exfiltration* to AWS storage, not internal network compromise of the stalkerware operators. Movement within the victims' devices allowed the apps to capture comprehensive data.
### Data Exfiltration/Impact
- Date/Time: Ongoing uploads until service termination.
- Details: Photos and other private phone data from approximately 3.1 million people were uploaded and stored in specific `amazonaws.com` storage buckets.
### Detection & Response
- **Detection:** TechCrunch investigation: analysis of the apps' network traffic and verification of the data contents via the operators' customer dashboards.
- **Notification:** TechCrunch notified Amazon on February 20 (Cocospy/Spyic) and again earlier this week (Spyzie). Specific storage bucket names were provided.
- **Response (Amazon/AWS):** Spokespersons stated they were "following [their] process" and directed TechCrunch to the abuse reporting form. They later claimed the communications did not constitute a formal abuse report requiring service action, despite having bucket names. Storage buckets remained active at the time of publication.
## Attack Methodology
- Initial Access: Installation of third-party stalkerware apps (Cocospy, Spyic, Spyzie) on target Android devices.
- Persistence: Inferred, as the apps blend in as "System Service" apps to evade user detection.
- Privilege Escalation: Not explicitly detailed; likely relies on user permission grants during installation of the surveillance app.
- Defense Evasion: Disguising the application as a legitimate system component ("System Service").
- Credential Access: Not explicitly detailed against the stalkerware operators; rather than harvesting credentials, the apps gain access to the device's data directly.
- Discovery: Network traffic analysis by TechCrunch revealed data pathways to AWS storage buckets.
- Lateral Movement: Not applicable.
- Collection: Harvesting private data, including photos, from the compromised phone.
- Exfiltration: Data uploaded to specific storage buckets hosted on Amazon Web Services.
- Impact: Mass exposure of private user data (stalking/surveillance facilitation).
## Impact Assessment
- Financial: Not publicly quantified, but AWS has a commercial interest in retaining these paying customers ($39.8 billion profit for AWS in 2024). Affected victims likely face significant personal harm.
- Data Breach: Exposure of private phone data (photos) for an estimated 3.1 million individuals.
- Operational: No noted operational impact on Amazon or the stalkerware vendors, as services remained active despite notification.
- Reputational: Significant negative implication for Amazon/AWS regarding platform governance and enforcement of Terms of Service against egregious abuse like hosting coordinated surveillance data.
## Indicators of Compromise
- **Network Indicators (Defanged):** Traffic flowing to specific `amazonaws.com` storage bucket URLs controlled by the stalkerware operators (the bucket names were reported to Amazon but are not listed here).
- **File Indicators:** N/A (Focus is on hosted data, not malware signatures).
- **Behavioral Indicators:** Stealthy, background uploading of device contents (photos) from Android devices to remote cloud storage endpoints.
## Response Actions
- **Containment:** None confirmed taken by the service provider (AWS) at time of reporting. Containment relied on the investigation by TechCrunch.
- **Eradication:** Relies on the stalkerware applications being uninstalled by victims.
- **Recovery Actions:** Victims require notification and procedures to secure and wipe compromised devices.
## Lessons Learned
- **Platform Accountability:** Major cloud providers with robust financial and technological resources face reputational risk when they appear to prioritize procedural compliance (or avoiding difficult decisions) over immediately disabling known customer activity that facilitates massive data exposure and violates their own Acceptable Use Policies.
- **Notification Effectiveness:** Providing explicit evidence (bucket names) did not immediately trigger service termination, suggesting internal escalation or review processes were slow or deliberately stalled by AWS.
## Recommendations
- AWS must immediately implement an expedited, dedicated review pathway for credible reports that confirmed, large-scale surveillance data or illegal content is being hosted, bypassing the standard, lengthy abuse complaint procedure when specific evidence is supplied by authoritative sources.
- Users of Android devices should be educated on identifying and removing unknown apps disguised as system services and encouraged to utilize reputable security organizations for device assessment.