Spyware Exposed: A Critical Unpatched Flaw in TheTruthSpy Puts Thousands at Risk

The creator of the spyware TheTruthSpy—the Vietnamese company 1Byte Software, led by Vanh (Vardi) Tiu—has once again found itself at the center of a major scandal. Independent security researcher Swarang Veid has uncovered a critical vulnerability that allows an attacker to reset the password of any account in the app and its numerous Android “clones.” Once the password is changed, the intruder gains full access to stolen victim data, including messages, photos, call history, and geolocation records.

TheTruthSpy and its related products, including Copy9, iSpyoo, and MxSpy, are marketed as parental control tools, yet in practice they are widely used for covert surveillance without device owners’ knowledge. TechCrunch confirms that the discovered flaw remains unpatched: 1Byte Software admitted that portions of the source code have been lost, making a fix impossible.

This marks the fourth major security incident linked to TheTruthSpy in recent years. In 2021, a flaw in its security system exposed the personal data of more than 400,000 users, including message content, photos, and location histories. Another breach in 2023 compromised an additional 50,000 devices. These repeated failures highlight the developers’ inability to protect even their own customers—let alone the data of surveillance victims.

Beyond technical shortcomings, investigations have uncovered financial misconduct by 1Byte Software. To circumvent restrictions imposed by payment systems, the operators of TheTruthSpy engaged in money laundering and used falsified documents, enabling them to channel millions of dollars through fake accounts worldwide. Despite these revelations, the project has not been shuttered: its code and servers remain active, with some operations rebranded under the new name PhoneParental.

Infrastructure analysis reveals that the application continues to rely on the vulnerable JFramework backend (formerly Jexpa Framework) to process and transmit data. Even more concerning, the company’s latest development—MyPhones.app—is also built upon the same insecure architecture.

TechCrunch and independent experts warn that TheTruthSpy and its derivatives remain a serious threat: not only do they harvest critically sensitive information, but they also consistently demonstrate an inability to safeguard it. As long as the vulnerability remains unpatched, tens of thousands of users risk having their phones silently compromised.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy