A significant security failure in the Catwatchful spyware application has publicly exposed personal data from thousands of its users, including credentials belonging to the operation’s own administrator, security experts have discovered.
Catwatchful, marketed covertly as a child-monitoring tool, is a branded spyware application that allows its users to secretly track victims’ private communications, location, photographs, and other sensitive information. Installed surreptitiously on Android devices, the software remains hidden from detection, silently relaying comprehensive phone data to a remote monitoring dashboard where spyware users oversee the activities of their targets. Additionally, the app provides intrusive abilities such as activating microphones to listen in on ambient conversations and accessing live camera feeds.
Security researcher Eric Daigle uncovered a major vulnerability that exposed Catwatchful’s customer database, a collection containing email addresses and passwords stored in plaintext. According to Daigle, a glaring oversight left the spyware’s internal systems accessible without proper authentication, giving anyone with an internet connection full access to the customer information database.
Leaked data seen by researchers indicates Catwatchful had at least 62,000 paying customers whose details were compromised, as well as data from approximately 26,000 victim devices. The vast majority of victims appear to be in Latin America and South Asia, specifically Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. Some records date as far back as 2018.
Moreover, the exposed data set allowed researchers to identify the individual behind Catwatchful. Operational security lapses revealed Omar Soca Charcov, a developer residing in Uruguay, as the alleged administrator and operator of the spyware service. Attempts to obtain comments from Charcov received no reply, despite messages being opened.
Although spyware applications like Catwatchful are banned from official app stores due to their malicious and invasive nature, installation occurs illicitly using physical handset access. Such “stalkerware” applications are commonly linked to domestic abuse and personal stalking cases, facilitating unauthorized surveillance of individuals without their consent or knowledge.
After confirming the breach, researchers shared the data with the “Have I Been Pwned” breach notification platform to alert affected users. Hosting issues related to Catwatchful initially led to its temporary suspension; however, the operation resurfaced soon afterward on HostGator’s servers. HostGator’s representatives did not respond when approached for comment.
Technical analysis of Catwatchful’s infrastructure revealed that the spyware uses Google’s Firebase platform to store victim data, potentially placing the software in violation of Google’s usage policies. Upon notification, Google implemented protective measures through Google Play Protect, its built-in security tool for Android. Play Protect can now detect Catwatchful and issue warnings if a user attempts to install it or if a device already contains traces of the spyware. Google is still investigating whether further action against Catwatchful’s Firebase hosting is required.
For individuals worried they may be targeted by Catwatchful spyware, there is a simple detection mechanism: dialing the code “543210” from the Android phone keypad will reveal the hidden spyware application if it is installed. Victims can then follow established guidelines from digital security experts for removing spyware and securing compromised Android devices.
The discovery of Catwatchful’s security breach follows a concerning pattern: multiple similar spyware operators have also been compromised recently, highlighting the weak security standards prevalent throughout this illicit sector. This incident underscores the significant ongoing threat that consumer-accessible spyware poses to privacy and personal safety globally.