The Ukrainian company mSpy producing smartphone tracking software disposed user data in free access

The mSpy open database was found out by the Indian researcher Nitin Shah. mSpy features a “family control” mobile application that allows you to monitor smartphones” activity: SMS correspondence, chat in instant messengers (WhatsApp, Messenger, Telegram), social networks” and dating websites” activity. The service cost varies from $39 of monthly fee to $264 of annual fee.

The database detected by Shah contained user data for the past six months. All these users bought the mSpy products or were authorized on the company’s website.

Among those data leaks were: names, mails, logins, passwords and encryption keys. Also, the researcher found the iCLoud user names and backup links. In addition, it appeared that any database user could read the correspondence from Facebook and WhatsApp, uploaded to the mSpy web server.

According to Shah, mSpy ignored his claims. The KrebsOnSecurity contacted mSpy’s technical support on August 30. In response, the company stated that they were working on reducing the vulnerability risks. The database stayed open until September 3.

In the official blog, mSpy denies all media statements. It indicates that most of the 5 million database records contained server error information, and only 1241 accounts” passwords and logins were actually open to public. This is less than 0.044% of the mSpy user database. Moreover, access to data was asked only twice: from India and the United States. mSpy experts are sure that those two queries were made by the researcher Nitin Shah and the journalist Brian Krebs.

There is no reason to worry about your account information or your kids data being disclosed or available elsewhere.

This is not the first time that mSpy has had privacy problems. In 2015, the company’s servers were hacked, and user data was published for sale in the dark web. mSpy denied that leak within a week, but finally admitted a fact of the extortion hacking attack.

Who owns mSpy

Mobisoft, the product company based in Kyiv, is developing the mSpy software, states Hackerfall. According to the mSpy website, the company’s offices are located in the US, Germany and the UK, but the company itself isn’t associated with none of these addresses. The owner of Mobisoft is the WeRocks investment fund, whose portfolio also includes such IT companies as Seranking, Intellectsoft and others.

KrebsOnSecurity has found out that mSpy is affiliated with the now-closed British company  MTechnology LTD, whose founders are the Russian citizen Alexei Fedorchuk and the British citizen Pavel Daletskiy. However, they are no more than legal representatives of mSpy.

According to AIN.UA, an actual owner and former CEO of Mobisoft is the Belarusian citizen Alexander Skalabanov. Officially, he makes the list of the four ultimate beneficiaries of “Intellectsoft” LLC in Ukraine. This company is a Ukrainian legal entity of “Intellectsoft”, and according to Hackerfall, it has a common beneficiary with Mobisoft.

Alexander Skalabanov. Photo: intellectsoft.net

AIN.UA has managed to get information about the ownership structure of the “Intellectsoft” Holding LLC for March 2016. It is a private company, registered in California, Palo Alto, in 2007. Skalabanov, according to Bloomberg, is the CEO of the company, although on the official website he is listed as a Board Member and Co-Founder. He allegedly owns the largest share of 35%.

The names of the American company’s owners coincide with the names of other beneficiaries of the Ukrainian “Intellectsoft”: Artem Kozel, Valery Kurilov, Dmitry Lipnitsky. Kozel is the strategic director of “Intellectsoft” LLC, the roles of the other Co-Owners are unknown.

“Intellectsoft” LLC is connected with its Ukrainian “daughter” through the intermediary company “Intellectsoft Group Corp”. This is confirmed by official data: “Іntelektrosoft Group Corporation” owns 100% of “Intellectsoft” LLC, whose registered capital is UAH 1,331.