Stalker app maker Retina-X settles FTC charges

Spyware maker Retina-X Studio has settled charges brought by the Federal Trade Commission (FTC) about not keeping its products from being used as illegal stalking apps.

Retina-X, maker of the spyware tools PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, threw in the towel on all that snooping in March 2018, putting the kibosh on the products as a result of two hacks: the first in April 2017 and the second in February 2018.

Those tools were used to track targets’ call logs (including deleted ones), text messages, photos, GPS locations, and browser histories, as well as to eavesdrop on victims, wherever they might be.

The hacker who claimed responsibility for the breaches said at the time that he got access to all that, but he didn’t post any of it online. He did, however, claim to have wiped some of the servers he’d been allegedly rooting around in.

Like we said after news of the second attack surfaced, even if you find spyware repugnant, it’s still illegal to hack the companies that make it, for good reason. The hacker wasn’t helping anybody, let alone surveillance victims. By telling others how he did it, putting out blueprints and encouraging them to do the same, he and other spyware-focused hackers put the victims at that much greater risk of having their personal data accessed, meaning they’re twice victimized. Besides, who’s to say that a hacker who claims not to have posted material isn’t lying?

At any rate, back to the FTC complaint: the FTC claimed that Retina-X wasn’t making sure that spyware purchasers were using it for legitimate purposes. In fact, to install the tools, spyware purchasers often had to weaken security protections on a targeted phone – i.e., to jailbreak or root the phone.

Once the spy had installed the app on their target’s phone, they could then remove the icon showing that it was there. Thus, the target wouldn’t know they were being monitored.

Even for legitimate users – i.e., those who are keeping track of activity on phones they own that are used by their children or by employees who are aware that they’re being monitored – the company failed to keep their data confidential and safe, the FTC charged.

The FTC said that the apps violated the Children’s Online Privacy Protection Act (COPPA), which requires operators to protect the confidentiality, security, and integrity of personal information collected from children under the age of 13. The FTC also says that Retina-X violated the Act’s prohibitions against unfair and deceptive practices.

The FTC said Retina-X failed to secure the data collected from devices by the spyware. It outsourced most product development and maintenance to third parties, and “failed to implement reasonable information security policies and procedures, conduct security testing on its mobile apps, and conduct adequate oversight of its service providers,” the Commission said. The lack of due diligence led to the two attacks, in which the hacker accessed the company’s cloud storage account and erased entire databases.

From its complaint:

The hacker accessed data collected through the PhoneSheriff and TeenShield apps, including login usernames, encrypted login passwords, text messages, GPS locations, contacts and photos. The company and [company owner James N. Johns Jr.] did not learn about the first intrusion until April 2017 when they were contacted by a journalist, who was tipped off by the hacker.

The FTC settlement requires Retina-X to make sure its monitoring apps are used only for legitimate purposes. At this point, the company’s website says that it’s not currently taking orders for the tools in question.

If and when it returns to selling spyware, Retina-X has to require purchasers to state that they’ll only use the app to monitor a child or an employee, or another adult who’s provided written consent. No fiddling with the icon, either: the apps have to include an icon with the name of the app on the mobile device, and it can only be removed by a parent or legal guardian who’s installed the app on a minor child’s phone.

Retina-X is also required to destroy data collected from its monitoring services to date. And going forward, the company is required to set up an adequate security program, including third-party assessments of that program every two years.

On Tuesday, the FTC said in a statement that this is the first time it’s gone after a “stalking app.” Andrew Smith, director of the FTC’s Bureau of Consumer Protection:

Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.

Who knows? Maybe it won’t be the last.

After all, the Retina-X hacks were followed by an attack on mobile stalking app maker TheTruthSpy in August 2018.

Its tools also required jailbreaking, and the attack against it likewise let a hacker slurp sensitive material, giving them login credentials that gave them access to pictures, audio recordings, location information and text messages from the spying victims’ phones.

If we hear of the FTC going after TheTruthSpy or any other maker of stalking apps, we’ll let you know.