Hackers are now supposedly using commercial-grade spyware to bypass Android system vulnerabilities and track users for future cyberattacks.

TechCrunch reported on Monday that two hacking groups have been noted to be using the TheTruthSpy exploit to allow mass access of stolen devices directly from the hackers' servers.

The two hacker groups were identified as SiegedSec and ByteMeCrew. While no state relation has been found between the two groups, both SiegedSec and ByteMeCrew started during the start of the Ruso-Ukraine War.

Switzerland-based hacker maia arson crimew confirmed the reports, stating that the groups have been abusing the exploit as early as December 2023.

Thousands of Android devices from Europe, India, Indonesia, the US, and the UK are believed to be compromised.

Also Read: New US Visa Restriction Policy Targets Spyware Abusers Preying on Journalists, Activists

How Does TheTruthSpy Exploit Works?

The spyware exploit has been documented since February 2022 that allows bad actors to easily bypass its security and grants full access to victims' data, including text messages, photos, call recordings, and GPS location.

Since the spyware is designed to be undetectable, it remains hidden on home screens and is difficult to delete as it does with other apps.

Basically, the exploit continually uploads the device's contents directly to the compromised spyware's servers until it is safely removed. So far, only one vulnerability has been reported and fixed.

It does not help that the spyware has been noted for poor security and compromised servers, allowing threat actors to easily use the technology for malicious acts.

Similar problems can also be encountered in TheTruthSpy app clones.

How to Know if Devices is Exposed to Spyware?

According to TechCrunch, Android owners can check their devices for signs of spyware by verifying if the Google Play Protect or phone accessibility settings were changed.

Further looking in the phone settings, check if there is an unknown device admin app that was secretly installed on the device. Users can also check the uninstall option to see if any additional app was installed.

Since these are spywares, Android owners will not be alerted of the breach so it is better to manually check the phone settings.

If any of these changes are detected, it is recommended to immediately go to the device provider and check for security updates to better protect the phone's contents.

Related Article: Bluetooth Security Flaw Allows Hackers to Hijack Devices: How to Protect Your Phones from Cyberattacks?

More TheTruthSpy Security Incidents

The recent Android breach was not the first time TheTruthSpy was involved in security issues in the past years.

As early as 2022, several reports have already popped up claiming that new Android devices are being compromised via TheTruthSpy without even alerting the victims.

Even the company that developed the spyware, 1Byte, has been noted for laundering customer payments into fake Stripe and PayPal accounts for years.

It is estimated that 1Byte, a Vietnam-based company, made at least $2 million from these operations. Many of these accounts were linked to 1Byte employees and director, Van Thieu.

As of writing, PayPal and Stripe have already suspended the fake accounts. The US-based website providing platform for 1Byte also stopped hosting the company.