"The Code Is Lost" — Excuse of the Year. Spyware Creators Can't Fix Their Own Mistakes
TheTruthSpy exposed everyone—both victims and its own customers.
TheTruthSpy exposed everyone—both victims and its own customers.
The creator of the TheTruthSpy spyware, the Vietnamese company 1Byte Software led by Van (Vardy) Tieu, is once again at the center of a major incident. Independent security researcher Swaranag Veer discovered a critical vulnerability that allows an attacker to reset the password for any account in the application and its numerous Android "clones." After changing the password, the attacker gains full access to the victims' stolen data, including messages, photos, call history, and geolocation.
TheTruthSpy and its related products, including Copy9, iSpyoo, and MxSpy, are marketed as parental control tools but are actually used for covert surveillance without the device owners' knowledge. TechCrunch confirms that the discovered vulnerability remains unpatched: 1Byte Software admitted that the source code is partially lost and the bug cannot be fixed.
This is the fourth major security incident involving TheTruthSpy in recent years. Previously, in 2021, a flaw in the system's security led to the exposure of personal data of over 400,000 users, including the contents of messages, photos, and travel routes. In 2023, a new leak occurred, affecting another 50,000 devices. These failures repeatedly demonstrate the developers' inability to protect even their own customers, let alone the data of surveillance victims.
Beyond technical shortcomings, investigations have also uncovered 1Byte Software's financial schemes. To bypass restrictions from payment systems, the owners of TheTruthSpy resorted to money laundering and the use of fake documents. This allowed them to transfer millions of dollars through fake accounts worldwide. Despite the exposés, the project hasn't shut down: its code and servers are still operational, and some operations are masked under the new name PhoneParental.
An analysis of the infrastructure shows that the application still uses the vulnerable JFramework backend (formerly Jexpa Framework), through which data is processed and transmitted. Moreover, the company's new development—the MyPhones.app application—is also built on the same insecure architecture.
TechCrunch and independent experts warn that TheTruthSpy and its derivatives remain a serious threat: they not only collect critically sensitive information but also systematically demonstrate an inability to protect it. While the vulnerability remains open, tens of thousands of users whose phones may be secretly compromised are at risk.
