The New York Office of the Attorney General has imposed sanctions against Patrick Hinchy and 16 of his enterprises for distributing malware unlawfully. Since 2011, Hinchy has owned and managed a large number of businesses, including the 16 that the New York OAG is looking into for selling and advertising spyware that targets Android and iOS devices, such as Auto Forward, DDI Utilities, PhoneSpector, Highster Mobile, Easy Spy, Surepoint, and TurboSpy.
The spyware would capture and leak information such as call logs, text messages, emails, images, videos, and locations once it had been placed on the victim’s device. It would also collect information from messaging and social networking apps, including WhatsApp, Instagram, Skype, Facebook, and Twitter. The spyware was placed on the victims’ devices without their knowledge and without informing them of the data gathering and exfiltration operations. The malware was marketed to ‘customers’ wishing to spy on their partners, coworkers, or other people.
Furthermore, the malware required “root” or “jailbreak” access to view several sorts of information. For spying or listening in, some malware may let users remotely turn on the camera or microphone of the infected device. Users of the spyware apps could access the data collected by the spyware apps through a web dashboard that also permitted customers to activate device cameras, unlock the victim devices, and hide or remove the spyware from those devices. The data was being sent to servers owned by Hinchy’s companies. The New York OAG found that collected data was being sent insecurely, making it vulnerable to spying and cyberattacks.
Authorities’ investigation has shown that Hinchy and his businesses actively promoted the malware and instructed consumers to install the program covertly. Customers were also misled into thinking the spyware was lawful, even though using it without the device owner’s permission is illegal under several statutes. Hinchy and his businesses also failed to warn clients about the potential risks of using the program, presented them with unclear data protection and refund procedures, and set up fake review websites to entice users into buying the malware.
In addition to ordering them to change the software so that device users would be informed of the data-gathering activities, the New York OAG penalized Hinchy and his businesses $410,000 in penalties. Also mandated are accurate disclosures on endorsements, rooting and jailbreaking requirements, refund procedures, and data security for Hinchy and his companies. In addition, Hinchy and his businesses must erase data gathered and restrict customer access to it until clients electronically acknowledge that the spyware is legal.