KidsGuard stalkerware leaks data on secretly surveilled victims – Naked Security


What an inappropriate name. It should be called KidsStalk-N-Dox, given that the makers of this consumer-grade stalkerware left a server open and unprotected, regurgitating the private data it slurped up from thousands of victims’ devices after a parent or other surveillance-happy person stealthily installed it.

The spyware app’s unprotected Alibaba cloud storage bucket was found by Till Kottmann. He’s a developer who reverse-engineers apps to see how they tick (or leak, in this case). Kottmann shared a copy of the Android version of KidsGuard with TechCrunch, which first reported on the data breach on Thursday.

Kottmann’s findings amount to “Goodness, Grandma, what enormous bites you take out of victims’ privacy with those big, keyloggy teeth of yours.”

KidsGuard comes from a company called ClevGuard that promises that its “excellent products” will deliver “all the information” from a targeted device, including real-time location, text messages, browser history, photos, videos, recordings of phone calls, keylogger data for every keystroke entered and the app where it came from, and all the data from all the social apps – hopping over the end-to-end encryption of, for example, WhatsApp.

KidsGuard Pro keylogger capture of WhatsApp message. IMAGE: ClevGuard demo

According to TechCrunch’s Zack Whittaker, the Alibaba storage bucket was apparently set to public: a common mistake with cloud storage buckets. Another mistake: it was left wide open, without a password.

After TechCrunch contacted ClevGuard, it shut down the exposed cloud storage bucket. The news outlet also contacted Alibaba, which similarly alerted the company about the leak.

Here we go again

KidsGuard is like many other commercial-grade spyware apps in that the stalker needs to have physical access to a device in order to install it. It just takes a few minutes. Whittaker reports that after installation, there’s no rooting or jailbreaking required.

ClevGuard says the app can also be used for iPhones without access to the device (as long as the user doesn’t have 2FA on, in which case you would need to access the phone) if you give it the target’s iCloud credentials.

The Android version that TechCrunch and Kottmann checked out also requires that some security features be disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, Google’s built-in malware protection for Android.

After that, it runs in stealth mode, convincingly posing as an Android “system update” app. It’s tough for a victim to know that their device has been boobytrapped, given that there’s no app icon for them to spot.
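The traits described above (a sideloaded app, no app icon, a "system update" disguise) can be checked together when triaging a device. This is an added example, not code from the article, TechCrunch or Kottmann: it parses output in the format of `adb shell pm list packages -3 -i`, and the package names, labels and launcher list are constructed sample data assumed to have been collected separately.

```python
import re

PLAY_STORE = "com.android.vending"  # Google Play's installer package name
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample: third-party packages with their recorded installer.
SAMPLE_PM_OUTPUT = """\
package:com.example.chat  installer=com.android.vending
package:com.example.sysupd  installer=null
package:com.example.notes  installer=org.example.altstore
"""
# Constructed sample: display labels and the packages that show a launcher icon.
SAMPLE_LABELS = {
    "com.example.chat": "Chat",
    "com.example.sysupd": "System Update",
    "com.example.notes": "Notes",
}
SAMPLE_LAUNCHER = {"com.example.chat", "com.example.notes"}


def parse_pm_list(output):
    """Map each package to its installer (None when no installer is recorded)."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installer = m.group("installer")
            result[m.group("pkg")] = None if installer == "null" else installer
    return result


def triage(pm_output, labels, launcher_pkgs):
    """Return [(package, reasons)] for apps matching two or more traits."""
    findings = []
    for pkg, installer in sorted(parse_pm_list(pm_output).items()):
        reasons = []
        if installer != PLAY_STORE:
            reasons.append("not installed via Google Play")
        if pkg not in launcher_pkgs:
            reasons.append("no launcher icon")
        if re.search(r"system\s*update", labels.get(pkg, ""), re.I):
            reasons.append("third-party app labelled as a system update")
        if len(reasons) >= 2:  # one trait alone is common for benign apps
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM_OUTPUT, SAMPLE_LABELS, SAMPLE_LAUNCHER):
        print(pkg, "->", "; ".join(reasons))
```

A match is a prompt for manual review, not proof of stalkerware; apps from alternative stores or without icons are often legitimate.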

That leaves KidsGuard to freely siphon photos, videos, recordings of phone calls, and to monitor activity on a slew of apps, including on dating apps such as Tinder. It also secretly takes screenshots of a victim’s conversations in apps such as Snapchat and Signal, which have supposedly ephemeral messages that disappear. As we’ve noted in the past with regard to Snapchat, those messages don’t disappear: KidsGuard is one of many ways for them to be captured.
