Pulse News

**Amazon is still hosting stalkerware victims’ data weeks after breach alert**

Zack Whittaker 12:05 PM PDT - March 13, 2025

Amazon will not say if it plans to take action against three phone surveillance apps that are storing troves of individuals' private phone data on Amazon's cloud servers, despite TechCrunch notifying the tech giant weeks earlier that it was hosting the stolen phone data.

Amazon told TechCrunch it was "following [its] process" after our February notice, but as of the time of this article's publication, the stalkerware operations Cocospy, Spyic, and Spyzie continue to upload and store photos exfiltrated from people's phones on Amazon Web Services.

Cocospy, Spyic, and Spyzie are three near-identical Android apps that share the same source code and a common security bug, according to a security researcher who discovered it and provided details to TechCrunch. The researcher revealed that the operations exposed the phone data on a collective 3.1 million people, many of whom are victims with no idea that their devices have been compromised. The researcher shared the data with breach notification site Have I Been Pwned.

As part of our investigation into the stalkerware operations, which included analyzing the apps themselves, TechCrunch found that some of the contents of a device compromised by the stalkerware apps are being uploaded to storage servers run by Amazon Web Services, or AWS.

TechCrunch notified Amazon on February 20 by email that it is hosting data exfiltrated by Cocospy and Spyic, and again earlier this week when we notified Amazon it was also hosting stolen phone data exfiltrated by Spyzie. In both emails, TechCrunch included the name of each specific Amazon-hosted storage "bucket" that contains data taken from victims' phones.

In response, Amazon spokesperson Ryan Walsh told TechCrunch: "AWS has clear terms that require our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content." Walsh provided a link to an Amazon web page hosting an abuse reporting form, but would not comment on the status of the Amazon servers used by the apps.

In a follow-up email this week, TechCrunch referenced the earlier February 20 email that included the Amazon-hosted storage bucket names. In response, Walsh thanked TechCrunch for "bringing this to our attention," and provided another link to Amazon's report abuse form. When asked again if Amazon plans to take action against the buckets, Walsh replied: "We haven't yet received an abuse report from TechCrunch via the link we provided earlier." Amazon spokesperson Casey McGee, who was copied on the email thread, claimed it would be "inaccurate of TechCrunch to characterize the substance of this thread as a [sic] constituting a 'report' of any potential abuse."

Amazon Web Services, which has a commercial interest in retaining paying customers, made $39.8 billion in profit during 2024, per the company's 2024 full-year earnings, representing a majority share of Amazon's total annual income.

**Why this matters**

Amazon's own acceptable use policy broadly spells out what the company allows customers to host on its platform. Amazon does not appear to dispute that it disallows spyware and stalkerware operations to upload data on its platform. Instead, Amazon's dispute appears to be entirely procedural. It's not a journalist's job - or anyone else's to police what is hosted on Amazon's platform, or the cloud platform of any other company. Amazon has huge resources, both financially and technologically, to use to enforce its own policies by ensuring that bad actors are not abusing its service. In the end, TechCrunch provided notice to Amazon, including information that directly points to the locations of the troves of stolen private phone data. Amazon made a choice not to act on the information it received.

**How we found victims' data hosted on Amazon**

When TechCrunch learns of a surveillance-related data breach—there have been dozens of stalkerware hacks and leaks in recent years—we investigate to learn as much about the operations as possible. Our investigations can help to identify victims whose phones were hacked, but can also reveal the oft-hidden real-world identities of the surveillance operators themselves, as well as which platforms are used to facilitate the surveillance or host the victims' stolen data. TechCrunch will also analyze the apps (where available) to help victims determine how to identify and remove the apps.

As part of our reporting process, TechCrunch will reach out to any company we identify as hosting or supporting spyware and stalkerware operations, as is standard practice for reporters who plan to mention a company in a story. It is also not uncommon for companies, such as web hosts and payment processors, to suspend accounts or remove data that violate their own terms of service, including previous spyware operations that have been hosted on Amazon.

In February, TechCrunch learned that Cocospy and Spyic had been breached and we set out to investigate further. Since the data showed that the majority of victims were Android device owners, TechCrunch started by identifying, downloading, and installing the Cocospy and Spyic apps on a virtual Android device. (A virtual device allows us to run the stalkerware apps in a protected sandbox without giving either app any real-world data, such as our location.) Both Cocospy and Spyic appeared as identical-looking and nondescript apps named "System Service" that try to evade detection by blending in with Android's built-in apps.

We used a network traffic analysis tool to inspect the data flowing in and out of the apps, which can help to understand how each app works and to determine what phone data is being stealthily uploaded from our test device. The web traffic showed the two stalkerware apps were uploading some victims' data, like photos, to their namesake storage buckets hosted on Amazon Web Services.

We confirmed this further by logging into the Cocospy and Spyic user dashboards, which allow the people who plant the stalkerware apps to view the target's stolen data. The web dashboards allowed us to access the contents of our virtual Android device's photo gallery once we had deliberately compromised our virtual device with the stalkerware apps. When we opened the contents of our device's photo gallery from each app's web dashboard, the images loaded from web addresses containing their respective bucket names hosted on the amazonaws.com domain, which is run by Amazon Web Services.

Following later news of Spyzie's data breach, TechCrunch also analyzed Spyzie's Android app using a network analysis tool and found the traffic data to be identical to Cocospy and Spyic. The Spyzie app was similarly uploading victims' device data to its own namesake storage bucket on Amazon's cloud, which we alerted Amazon to on March 10.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.