The Chaos Computer Club exposed the R2D2 state-backed trojan after reverse engineering a "lawful interception malware program used by German police forces".
The group showed it could act as a keylogger and activate webcams and microphones for surveillance.
According to the group, the trojan went directly against the German constitution, and four states have now admitted they have been using the software to snoop on suspects' computers.
Bavaria, Baden-Württemberg, Brandenburg and Lower Saxony have all said they have used the spyware, according to a report in Deutsche Welle.
Lower Saxony has been using the software for two years, while authorities in Brandenburg said they were using the spyware in a single, ongoing investigation.
Baden-Württemberg has also used such software to investigate "individual cases", according to reports, while Bavaria had been running the software for two years but said it had been using the trojan within the law.
Justice Minister Sabine Leutheusser-Schnarrenberger called on federal and state officials to launch a joint investigation into the matter.
"Trying to play down or trivialise the matter won't do," said Leutheusser-Schnarrenberger in a statement.
"The citizen, in both the public and private spheres, must be protected from snooping through strict state control mechanisms."