Federal Government Agents Buy Stalkerware

A spyware company called Mobistealth was revealed to be selling its products and services to several agencies of the American government, according to information released by a hacker who infiltrated Mobistealth’s servers. Mobistealth markets their cell phone surveillance and computer surveillance products to parents as a way to enable parental controls, as well as to businesses to monitor employee use of company computers and cell phones. The company has even marketed themselves to people who suspect their spouse is cheating on them. Mobistealth’s spyware is frequently referred to as stalkerware. Mobistealth produces spyware for two mobile operating systems, Google Android and Apple iOS. Some of the features of the company’s mobile spyware include allowing users to read all messages sent and received on the device, as well as see all calls made and received, browsing history, photographs, and track the device’s location in real time through GPS and WiFi.

“It’s disgusting how easily accessible and user friendly such sites are, that they enable stalking and enable physical and emotional abuse on such high scales, and how hilariously vulnerable such sites are,” the hacker who breached Mobistealth’s site told Motherboard over an online chat. The hacker chose to remain anonymous. Mobistealth was not the only spyware company the hacker attacked, they also hacked the website of Spy Master Pro. Within the customer data of Mobistealth that was released by the anonymous hacker were the e-mail addresses for many different agencies of the federal government. According to customer data exfiltrated by the hacker, some of the accounts on Mobistealth were registered using email addresses from the Federal Bureau of Investigation (FBI), Immigration and Customs Enforcement (ICE), the Department of Homeland Security (DHS), the Transportation Security Administration (TSA), and several branches of the Department of Defense (DOD).

At least 40 of the accounts were associated with e-mail addresses from the United States Army. The chief of public affairs for the US Army Criminal Investigation Command (CID), Chris Grey, told Motherboard that he was not aware of any investigations being conducted by CID that used Mobistealth spyware. It is not certain how many of these accounts on Mobistealth’s site that are registered using a federal government e-mail address are for personal use or official government use. The FBI and DHS would not respond with a comment on this story when asked by reporters with Motherboard. A reporter from Motherboard tried to contact the email addresses associated with law enforcement agencies and branches of the military that held accounts with Mobistealth, but none would reply with a comment on the story. It should be noted that according to documents, leaked by NSA whistleblower Edward Snowden in 2013, employees at the NSA often used the government’s mass surveillance systems to spy on current and former spouses or lovers.

When reporters from Motherboard cross-referenced the data provided to them by the hacker, they were able to find out some information about the targets of the government agents who were using Mobistealth’s spyware. One account associated with an FBI e-mail address was using the software to conduct surveillance on a Blackberry cell phone. The hacker told Motherboard that he was inspired by one of their articles to hack the stalkerware companies. The article which inspired the hacker was one that covered how a police officer with the London Metropolitan Police Service in the UK had purchased similar stalkerware. It was not clear whether the software purchased by the officer was intended for official police business or if it was for the officer’s own personal use. Motherboard filed an official complaint with the Independent Police Complaints Commission, a government organization which is now called the Independent Office for Police Conduct, in which they called for an independent investigation of the spyware purchase by the London Metropolitan police officer. The British police oversight commission is refusing to investigate the matter.