The Federal Trade Commission (FTC) has barred the sale of three “stalking apps” until their developer can show they are being used legally. The case is the FTC’s first crackdown on “stalkerware,” software that is installed on a device, typically without the knowledge of the person using it, to track that person’s location, activity and more.
The apps come from a company called Retina-X Studios, owned by James N. Johns Jr., which markets its software for monitoring employees and children. The FTC said the three apps are banned unless the developer takes certain steps to ensure that they will be used only for “legitimate purposes.” In addition, the FTC is requiring the developer, whose products were involved in two data breaches in the past three years, to strengthen its security program.
“This is our first action against a so-called ‘stalking app,'” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection in a Tuesday statement. “Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”
Specifically under scrutiny are three Retina-X apps: MobileSpy, marketed for monitoring employees and children, and PhoneSheriff and TeenShield, marketed for monitoring mobile devices used by children.
Retina-X sold more than 15,000 subscriptions to the three apps before it stopped selling them in 2018, the FTC said. Once installed, the software tracks the physical movements and online activity of the person using the device.
The FTC said that the apps violated the Children’s Online Privacy Protection Act (COPPA), which requires operators to secure the information they collect from children under 13, as well as the FTC Act’s prohibition against unfair and deceptive practices.
The apps pose a significant privacy risk because they give no notice to the person using the device on which they are installed, but the FTC said they also create serious security exposure.
To install the apps, purchasers had to bypass mobile device manufacturer restrictions, i.e. jailbreak or root the phone. The FTC alleges this could expose the affected devices to security vulnerabilities: jailbreaking or rooting disables platform protections such as verified boot and app sandboxing, and the monitored device’s security is then only as good as the stalkerware vendor’s own, which in this case turned out to be poor.
In addition, the data collected from devices – GPS locations, text messages and more – was not adequately secured by Retina-X. The company outsourced most of its product development and maintenance to third parties, and “failed to implement reasonable information security policies and procedures, conduct security testing on its mobile apps, and conduct adequate oversight of its service providers,” said the FTC.
The result was two breaches, in 2017 and 2018, in which a hacker gained access to Retina-X’s cloud storage account and deleted certain information.
“The hacker accessed data collected through the PhoneSheriff and TeenShield apps, including login usernames, encrypted login passwords, text messages, GPS locations, contacts and photos,” according to the FTC. “The company and Johns did not learn about the first intrusion until April 2017 when they were contacted by a journalist, who was tipped off by the hacker.”
Moving forward, Retina-X must require purchasers to state that they will use the app only to monitor a child, an employee, or another adult who has provided written consent. The apps must also display an icon bearing the app’s name on the mobile device, removable only by a parent or legal guardian who has installed the app on their minor child’s phone. Finally, the company must implement adequate security measures, including obtaining third-party assessments of its information security program every two years.
A Retina-X spokesperson told Threatpost: “While the firm’s clients were the unfortunate victims of a skilled hacker, they would like to thank the FTC for its professionalism during the course of the investigation.”
This article was updated on Oct. 24 with a statement from Retina-X.