Amazon is still hosting stalkerware victims’ data weeks after breach alert

Amazon will not say if it plans to take action against three phone surveillance apps that are storing troves of individuals’ private phone data on Amazon’s cloud servers, despite TechCrunch notifying the tech giant weeks earlier that it was hosting the stolen phone data.
Amazon told TechCrunch it was “following [its] process” after our February notice, but as of the time of this article’s publication, the stalkerware operations Cocospy, Spyic, and Spyzie continue to upload and store photos exfiltrated from people’s phones on Amazon Web Services.
Cocospy, Spyic, and Spyzie are three near-identical Android apps that share the same source code and a common security bug, according to the security researcher who discovered it and provided details to TechCrunch. The researcher revealed that the operations exposed the phone data of a collective 3.1 million people, many of whom are victims with no idea that their devices have been compromised. The researcher shared the data with breach notification site Have I Been Pwned.
As part of our investigation into the stalkerware operations, which included analyzing the apps themselves, TechCrunch found that some of the contents of a device compromised by the stalkerware apps are being uploaded to storage servers run by Amazon Web Services, or AWS.
TechCrunch notified Amazon on February 20 by email that it was hosting data exfiltrated by Cocospy and Spyic, and again earlier this week when we notified Amazon that it was also hosting stolen phone data exfiltrated by Spyzie.
In both emails, TechCrunch included the name of each specific Amazon-hosted storage “bucket” that contains data taken from victims’ phones.
In response, Amazon spokesperson Ryan Walsh told TechCrunch: “AWS has clear terms that require our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content.” Walsh provided a link to an Amazon web page hosting an abuse reporting form, but would not comment on the status of the Amazon servers used by the apps.
In a follow-up email this week, TechCrunch referenced the earlier February 20 email that included the Amazon-hosted storage bucket names.
In response, Walsh thanked TechCrunch for “bringing this to our attention,” and provided another link to Amazon’s report abuse form. When asked again if Amazon plans to take action against the buckets, Walsh replied: “We haven’t yet received an abuse report from TechCrunch via the link we provided earlier.”
Amazon spokesperson Casey McGee, who was copied on the email thread, claimed it would be “inaccurate of TechCrunch to characterize the substance of this thread as a [sic] constituting a ‘report’ of any potential abuse.”
Amazon Web Services, which has a commercial interest in retaining paying customers, made $39.8 billion in profit during 2024, per the company’s 2024 full-year earnings, representing a majority share of Amazon’s total annual income.
The storage buckets used by Cocospy, Spyic, and Spyzie are still active as of the time of publication.
Amazon’s own acceptable use policy broadly spells out what the company allows customers to host on its platform. Amazon does not appear to dispute that it prohibits spyware and stalkerware operations from uploading data to its platform. Instead, Amazon’s dispute appears to be entirely procedural.
It’s not a journalist’s job — or anyone else’s — to police what is hosted on Amazon’s platform, or the cloud platform of any other company.
Amazon has vast financial and technological resources with which to enforce its own policies and ensure that bad actors are not abusing its service.
In the end, TechCrunch provided notice to Amazon, including information that directly points to the locations of the troves of stolen private phone data. Amazon made a choice not to act on the information it received.
When TechCrunch learns of a surveillance-related data breach — there have been dozens of stalkerware hacks and leaks in recent years — we investigate to learn as much about the operations as possible.
As part of our reporting process, TechCrunch will reach out to any company we identify as hosting or supporting spyware and stalkerware operations, as is standard practice for reporters who plan to mention a company in a story. It is also not uncommon for companies, such as web hosts and payment processors, to suspend accounts or remove data that violate their own terms of service, including previous spyware operations that have been hosted on Amazon.
In February, TechCrunch learned that Cocospy and Spyic had been breached and we set out to investigate further.
Since the data showed that the majority of victims were Android device owners, TechCrunch started by identifying, downloading, and installing the Cocospy and Spyic apps on a virtual Android device. (A virtual device allows us to run the stalkerware apps in a protected sandbox without giving either app any real-world data, such as our location.) Both Cocospy and Spyic appeared as identical-looking and nondescript apps named “System Service” that try to evade detection by blending in with Android’s built-in apps.
The web traffic captured from the virtual device showed the two stalkerware apps were uploading some victims’ data, like photos, to their namesake storage buckets hosted on Amazon Web Services.
We confirmed this further by logging into the Cocospy and Spyic user dashboards, which allow the people who plant the stalkerware apps to view the target’s stolen data. The web dashboards allowed us to access the contents of our virtual Android device’s photo gallery once we had deliberately compromised our virtual device with the stalkerware apps.
When we opened the contents of our device’s photo gallery from each app’s web dashboard, the images loaded from web addresses containing their respective bucket names hosted on the amazonaws.com domain, which is run by Amazon Web Services.
Following later news of Spyzie’s data breach, TechCrunch also analyzed Spyzie’s Android app using a network analysis tool and found its traffic to be identical to that of Cocospy and Spyic. The Spyzie app was similarly uploading victims’ device data to its own namesake storage bucket on Amazon’s cloud, which we alerted Amazon to on March 10.
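The analysis described above boils down to one check: which amazonaws.com storage buckets a sandboxed app writes to, and which ones the web dashboard reads from. The script below is an added example, not TechCrunch’s tooling; it assumes a captured traffic export of one “METHOD URL” request per line and uses a placeholder bucket name, not any of the buckets named in the notice to Amazon.

```python
import re
from urllib.parse import urlparse

# Standard S3 endpoint shapes on amazonaws.com (assumption: the app talks to the
# public S3 endpoints; a custom domain fronting a bucket would not be detected).
#   virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com
#   path-style:           s3.amazonaws.com/<bucket>/..., s3.<region>.amazonaws.com/<bucket>/...
_VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
_PATH = re.compile(r"^s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
UPLOAD_METHODS = {"PUT", "POST"}


def s3_bucket_from_url(url):
    """Return the S3 bucket a URL points at, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    match = _VHOST.match(host)
    if match:
        return match.group("bucket")
    if _PATH.match(host):
        first_segment = parsed.path.lstrip("/").split("/", 1)[0]
        return first_segment or None
    return None


def summarize_traffic(log_text):
    """Tally requests per bucket from 'METHOD URL' lines: PUT/POST are uploads
    (data leaving the device); anything else is a read (e.g. a dashboard fetch)."""
    summary = {}
    for line in log_text.splitlines():
        method, _, url = line.strip().partition(" ")
        bucket = s3_bucket_from_url(url)
        if not bucket:
            continue
        entry = summary.setdefault(bucket, {"uploads": 0, "reads": 0})
        entry["uploads" if method.upper() in UPLOAD_METHODS else "reads"] += 1
    return summary


# Constructed sample of a proxy export; "example-spy-bucket" is a placeholder.
SAMPLE_TRAFFIC = """\
PUT https://example-spy-bucket.s3.amazonaws.com/photos/IMG_0001.jpg
PUT https://example-spy-bucket.s3.us-west-2.amazonaws.com/photos/IMG_0002.jpg
GET https://s3.amazonaws.com/example-spy-bucket/photos/IMG_0001.jpg
GET https://www.example.com/api/heartbeat
POST https://ec2-198-51-100-7.compute-1.amazonaws.com/api/sync
"""

if __name__ == "__main__":
    for bucket, counts in summarize_traffic(SAMPLE_TRAFFIC).items():
        print(f"{bucket}: {counts['uploads']} uploads, {counts['reads']} reads")
```

The per-bucket tally is the evidence an abuse report needs: a bucket that receives uploads from the sandboxed app and serves the same objects back to the operator’s dashboard is the one to name.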
© 2025 Yahoo.
EMEA Tribune is not responsible for this news, news agencies have provided us this news.