A short-lived spyware operation called Oospy, which emerged earlier this year after its predecessor Spyhide was hacked, is no longer operational and has shut down.
Oospy appeared online in late July as a rebrand of a phone monitoring app called Spyhide, which was facilitating the surveillance of tens of thousands of Android device owners around the world. Spyhide shut down after a breach exposed the operation and its administrators who were profiting from it.
Although Spyhide’s website disappeared from the internet after the hack burned the operation, the spyware’s back-end server stayed online and was still communicating with the tens of thousands of phones it was monitoring since the server was hosted on an entirely different domain. That allowed the administrators to rebrand Spyhide to Oospy without affecting the spyware operation itself.
That back-end server, which stored the victim’s stolen phone data from thousands of Android devices around the world, was taken offline Thursday by the web host Hetzner, which said the service violated its terms of service.
“In addition, we have terminated the customer’s server contract in due time,” said Christian Fitz, a spokesperson for Hetzner.
In their time online, Spyhide and Oospy had at least 60,000 victims across the world, including thousands of victims in the United States. These stalkerware (also known as spouseware) apps are planted on a victim’s phone, often by someone with knowledge of their passcode. Once planted, these apps continually steal a victim’s contacts, messages, photos, call logs and recordings, and granular location history.
Following the Spyhide hack, TechCrunch identified two of the administrators behind Spyhide and Oospy. One of the administrators, Mohammad (also goes by Mojtaba) Arasteh, confirmed to TechCrunch that he worked on the project “several years ago as a programmer,” but denied involvement with Oospy.
But a mistake on Oospy’s checkout page, which used PayPal to process customer payments, exposed the name of the PayPal account holder, who shares the same family name as Arasteh.
It’s not uncommon for spyware operations to rely on payment services like PayPal to handle customer payments, despite PayPal’s policies broadly prohibiting customers from using its service to buy or sell software that facilitate illegal activity, like spyware. PayPal spokesperson Caitlin Giroguard did not comment on the accounts when reached by TechCrunch. Oospy stopped accepting PayPal for payments a short time later, though it’s not known if PayPal took action against the account.
Arasteh did not comment on the PayPal account when contacted by TechCrunch. Soon after contacting Arasteh, Oospy’s website went offline altogether.
The shutdown of the spyware’s back-end server marks the end of Spyhide and Oospy’s ability to operate, for now.
Oospy and Spyhide are the latest phone surveillance operations to drop off the internet in recent months. Polish-made stalkerware LetMeSpy shut down after an earlier data breach in June. And last year, one of the largest known Android spyware apps, SpyTrac, disappeared following a TechCrunch investigation linked the spyware operation to Support King, which was banned from the surveillance industry by the FTC following an earlier data breach.