Android spy app LetMeSpy suffers major data breach spanning 10 years

LetMeSpy, an Android-based mobile monitoring application, has disclosed a security vulnerability that has led to the theft of sensitive data from thousands of users by an unauthorized third party.

In an announcement posted on its website, LetMeSpy claims that through the attack, attackers gained access to users' email addresses, phone numbers and the content of messages collected on their accounts, noting that the incident occurred on June 21, 2023.

LetMeSpy said it notified law enforcement and data protection authorities immediately upon discovery of the hack and took steps to suspend all account-related functions until further notice. The identity of the attackers and their motives are not yet known.

LetMeSpy, a product of a Polish company called Radeal, had been advertised as a tool for parental or employee control. But as the name implies, users can spy on others simply by installing the software on their devices for a monthly subscription ($6 for Standard or $12 for Pro).

LetMeSpy has extensive features to collect call logs, text messages and geolocation, all of which can be accessed from a website. To avoid detection and deletion, the app's icon can be hidden from the device's home screen launcher. As of January 2023, the monitoring software has been used to track 236,322 phones worldwide, collecting more than 63.5 million text messages, 39.7 million call logs and 43.2 million locations.

Polish security research blog Niebezpiecznik first reported the leak and analyzed the dump of stolen data, saying it included about 26,000 email addresses, 16,000 text messages and a database of victims’ locations. Further analysis of the leaked information by TechCrunch shows that the data dates back as far as 2013, when LetMeSpy first started operating. The records also contain data from at least 13,000 infected devices, with most victims located in the United States, India and parts of Africa.