Despite notifying TechCrunch that it was hosting stolen phone data a few weeks ago, Amazon wouldn’t say whether it plans to take action against three phone monitoring apps that store personal private phone data on Amazon’s cloud servers.
Amazon told TechCrunch that it was “tracking (that) the process” after its February notification, but at the time of the publication of this article, Stalkerware Operations Cocospy, Spyic, and Spyzie continued to upload and store exfltated photos from the mobile phones of people on Amazon Web Services.
Cocospy, Spyic and Spyzie are three almost identical Android apps that share the same source code and a common security bug, according to security researchers who discovered it and provided it with details to TechCrunch. Researchers revealed that the operation exposed telephone data in a population of 3.1 million people. The researchers shared the data with the violation notification site where I was pwled.
As part of an investigation into Stalkerware operations, including an analysis of the app itself, TechCrunch discovered that some of the content of devices compromised by the Stalkerware app has been uploaded to Amazon Web Services or storage servers running by AWS.
TechCrunch emailed Amazon on February 20, notifying them that they were hosting the data they extracted by Cocospy and Spyic, and earlier this week they also hosted stolen phone data Spyzie excluded.
In both emails, TechCrunch included each name of a specific Amazon hosted storage “bucket” containing data obtained from the victim’s mobile phone.
In response, Amazon spokesman Ryan Walsh told TechCrunch: When we receive a report of a potential violation of the Terms, we will act promptly and take steps to disable prohibited content. “Walsh provides links to Amazon web pages, but will not comment on the status of the Amazon servers the app uses.
In this week’s follow-up email, TechCrunch referenced an email from before February 20th that includes the storage bucket name hosted on Amazon.
In response, Walsh thanked TechCrunch for “taking our attention” and provided another link to Amazon’s report abuse form. When asked if Amazon was planning to take action against the bucket, Walsh replied.
Casey McGee, a spokesman for Amazon, copied in an email thread, argued that “TechCrunch is inaccurate to characterize the content of this thread as a “report” (sic) of potential abuse.”
Amazon Web Services, which has a commercial interest in retaining payment customers, earned $39.8 billion in 2024, accounting for the majority of Amazon’s total annual income, according to full-year revenue for 2024.
The storage buckets used by Cocospy, Spyic, and Spyzie are still active at the time of publication.
Why is this important?
Amazon’s own acceptable usage policy broadly explains what the company can host on the platform. It appears that Amazon has not objected to uploading data to the platform by denialing spyware and Stalkerware operations. Instead, the Amazon controversy appears to be completely procedural.
Police on what is hosted on Amazon platforms or other company’s cloud platforms is not the job of a journalist or someone else’s job.
Amazon has a huge amount of resources to use to enforce its own policies by ensuring that bad actors do not abuse their services, financially and technically.
In the end, TechCrunch provided a notification to Amazon. This includes information that points directly to the location of the horde of stolen private telephone data. Amazon has chosen not to act on the information it receives.
How did you find victim data hosted on Amazon?
When TechCrunch learns of monitoring-related data breaches – there have been dozens of Stalkerware hacks and leaks in recent years, but we’ll investigate to learn as many operations as possible.
Our investigations can help identify victims of phone hacking, but they can also reveal hidden real-world identities of the surveillance operators themselves. TechCrunch also helps analyse apps (if available) to determine how victims identify and delete apps.
As part of the reporting process, TechCrunch will reach out to companies that identify them as hosting or supporting Spyware and Stalkerware operations. It is also not uncommon for businesses such as web hosts and payment processors to suspend their accounts or delete data that violates their own terms of service, including previous spyware operations hosted on Amazon.
In February, TechCrunch learned that Cocospy and Spyic had been compromised and tried to investigate further.
The data showed that the majority of victims were Android devices owners, so TechCrunch began by identifying, downloading and installing Cocospy and Spyic apps on virtual Android devices. (Virtual devices allow you to run stalkerware apps in a protected sandbox without providing real-world data such as either app.) Both Cocospy and Spyic appeared as identical-looking apps named “System Services” that attempt to avoid detection by merging with Android’s built-in apps.
We used a network traffic analysis tool to inspect the data flowing through the app. This helps you understand how each app works and determine which phone data is being stealthly uploaded from your test device.
Web traffic shows that two Stalkerware apps are uploading victim data, such as photos, to a storage bucket with a name that hosts on Amazon Web Services.
I’ve checked this more. This allows people who log in to the Cocospy and Spyic users’ dashboards and plant the Stalkerware app to view the stolen data of the target. The web dashboard allowed you to access content from your Virtual Android device’s photo gallery after intentionally breaching your virtual device using the Stalkerware app.
When you open the content of your device’s photo gallery from each app’s web dashboard, you will see an image loaded from a web address that contains the name of each bucket hosted in the Amazonaws.com domain running by Amazon Web Services.
Following the news after the Spyzie data breach, TechCrunch also analyzed Spyzie’s Android app using a network analysis tool, finding that the traffic data is the same as Cocospy and Spyic. The Spyzie app similarly uploaded victims’ device data to a named storage bucket on Amazon’s cloud, located in Amazon’s cloud.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.