Amazon is still hosting private data stolen by phone surveillance apps weeks after being alerted to the stalkerware breach. The tech giant has yet to confirm whether it will take action against three spyware operations — Cocospy, Spyic, and Spyzie — which are storing sensitive user data on Amazon Web Services (AWS).
Despite being notified in February that AWS was being used to store exfiltrated phone data, Amazon has yet to disable the storage servers. These stalkerware apps, which operate almost identically and share the same security vulnerabilities, have exposed the private data of approximately 3.1 million individuals, many of whom are unaware their devices were compromised.
A security researcher discovered the breach and shared the findings with breach notification site Have I Been Pwned. Investigations confirmed that sensitive device data was being uploaded to Amazon’s cloud servers.
Amazon’s Response to the Breach
Amazon was first contacted on February 20 regarding Cocospy and Spyic storing stolen data. A follow-up notification regarding Spyzie was sent more recently. In both instances, Amazon received specific details, including the names of the AWS storage “buckets” where the compromised data was being stored.
When questioned about the issue, Amazon spokesperson Ryan Walsh stated, “AWS has clear terms that require our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content.”
Despite providing an abuse reporting form, Amazon has not confirmed any actions taken. A follow-up inquiry referencing the original report resulted in another referral to the abuse form. Amazon spokesperson Casey McGee later asserted that Amazon did not consider the email exchanges a formal report.
Amazon’s Financial Interests in AWS
Amazon Web Services generated $39.8 billion in profit in 2024, making up the majority of Amazon’s total annual earnings. The reluctance to disable the stalkerware data storage could stem from the company’s commercial interests in retaining paying customers.
As of publication, the storage buckets used by Cocospy, Spyic, and Spyzie remain active.
The Larger Issue of Stalkerware Hosting
Amazon’s policies prohibit hosting spyware and stalkerware operations. However, the company appears to be avoiding direct intervention, treating the issue as a procedural matter rather than an urgent security concern.
Industry experts argue that it should not be the responsibility of journalists or independent researchers to monitor Amazon’s platform for misuse. Amazon has both the financial and technological resources to proactively enforce its own policies, yet it has chosen not to act despite receiving detailed evidence of the breach.
How the Breach Was Discovered
Investigating surveillance-related data breaches has uncovered numerous stalkerware hacks and leaks in recent years. This research helps identify victims and often exposes the entities behind these spyware operations.
In this case, analysis of the Cocospy and Spyic apps revealed that victims’ data was being stored on AWS. Researchers installed these apps on a virtual Android device, which kept the apps from accessing any real-world data. The apps, disguised as “System Service,” aimed to blend in with legitimate Android applications.
Network traffic analysis confirmed that these apps were stealthily uploading victims’ photos and other data to AWS storage servers.
Will Amazon Act?
Many web hosting providers and payment processors have previously removed spyware operations when notified of violations. Despite its clear policies, Amazon has yet to take similar action against Cocospy, Spyic, and Spyzie.
For now, the private data of millions remains stored on AWS, raising concerns over Amazon’s commitment to user security and ethical responsibility.