Catwatchful Spyware Data Breach Exposes Thousands of Victims and Operators
In a stark reminder of the pervasive threat posed by consumer-grade surveillance tools, a security vulnerability in a stealthy Android spyware operation known as Catwatchful has led to a massive data exposure, affecting thousands of its customers and, notably, revealing the identity of its administrator.
The vulnerability, brought to light by security researcher Eric Daigle, resulted in the spill of the spyware app’s complete database. This database contained the email addresses and plaintext passwords used by over 62,000 Catwatchful customers to access the sensitive information harvested from the phones of their unsuspecting victims. The breach underscores a critical paradox: tools designed for clandestine surveillance are often built with such shoddy security that they compromise the very individuals using them, alongside their targets.
Understanding Catwatchful and the Nature of Stalkerware
Catwatchful markets itself deceptively, often masquerading as legitimate child monitoring software. Its true purpose, however, is far more insidious. It operates invisibly on a victim's device, claiming it “cannot be detected,” while systematically uploading a wealth of private content to a remote dashboard accessible to the person who installed the app. This stolen data includes:
- Photos and videos from the device's gallery.
- Private messages from various communication apps.
- Real-time location data, allowing for constant tracking.
- Live ambient audio recordings from the phone's microphone.
- Access to both the front and rear phone cameras for remote spying.
Apps like Catwatchful are explicitly banned from official app stores like Google Play due to their malicious nature. Their distribution relies on being manually downloaded and installed by someone with physical access to the target's phone. This method of deployment, combined with their non-consensual surveillance capabilities, has earned them the chilling moniker of “stalkerware” (or spouseware). These tools are frequently misused to facilitate illegal surveillance, harassment, and control in abusive relationships, posing significant risks to victims' safety and privacy.
A Growing Trend of Spyware Breaches
The Catwatchful incident is not an isolated event. It represents the latest example in a disturbing trend of stalkerware operations that have suffered security failures, leading to data breaches or exposures. According to reports, Catwatchful is at least the fifth spyware operation this year alone to experience a data spill of this magnitude. This pattern reveals a critical vulnerability inherent in the stalkerware ecosystem: despite their claims of stealth and security, these apps are often developed with poor coding practices and inadequate security measures, making them ripe targets for breaches. Such failures not only expose the sensitive data of victims but also compromise the privacy and operational security of the paying customers and operators themselves.
Inside the Catwatchful Data Spill
TechCrunch reviewed a copy of the Catwatchful database from early June, which provided a detailed look into the scale and scope of the operation. The database contained records for more than 62,000 customers, including their email addresses and plaintext passwords. More alarmingly, it held the stolen phone data from 26,000 victim devices. Some records within the database dated back as far as 2018, indicating the operation had been active for several years.
The geographical distribution of the compromised devices revealed a significant concentration in specific regions. Most of the affected devices were located in Latin America and South Asia, with the highest numbers found in:
- Mexico
- Colombia
- India
- Peru
- Argentina
- Ecuador
- Bolivia
This geographical pattern is consistent with findings in other stalkerware investigations, suggesting regional demand or targeted marketing by the spyware operators.
Operational Security Failures Expose the Administrator
Like many operators of illegal or ethically dubious services, those behind stalkerware apps typically go to great lengths to conceal their identities. Publicly listing ownership or disclosing who runs the operation would expose them to significant legal repercussions and reputational damage. However, the Catwatchful data breach included a critical operational security (opsec) mistake that inadvertently exposed the person behind the operation.
A review of the leaked database files revealed the administrator's identity: Omar Soca Charcov, a developer based in Uruguay. His record appeared as the very first entry in one of the database files. This is a common opsec error among developers who test their own products, often creating the first user account or entry in the database, thereby linking their personal information to the operation.
The dataset contained Charcov's full name, phone number, and even the web address of the specific Firebase instance used to store Catwatchful's data on Google's servers. Further linking him to the operation, Charcov's personal email address, found in the dataset, matched the one listed on his LinkedIn profile (which has since been made private). He had also configured his Catwatchful administrator email as the password recovery address for his personal email account, creating a direct, undeniable link between his personal identity and the spyware operation.
TechCrunch attempted to contact Omar Soca Charcov regarding the breach and whether he planned to notify affected customers. While he opened the emails sent in both English and Spanish, he did not provide any response. Given the lack of communication and no indication of disclosure plans, TechCrunch shared a copy of the compromised Catwatchful database with the data breach notification service Have I Been Pwned, allowing potential victims and customers to check if their data was exposed.
Technical Details: API Vulnerability and Firebase Hosting
Security researcher Eric Daigle, who has a history of investigating stalkerware abuses, detailed his findings in a blog post. According to Daigle, Catwatchful relies on a custom-built API that serves as the communication hub between the planted Android apps and the spyware's servers. This API is responsible for receiving and processing the vast amounts of data stolen from victim devices.
The critical vulnerability discovered by Daigle was that this API was unauthenticated. This meant that anyone on the internet could interact with the Catwatchful user database without needing any login credentials. This fundamental security flaw directly led to the exposure of the entire database containing customer email addresses and plaintext passwords.
Beyond the API, Catwatchful utilized Google's Firebase platform, a popular suite of tools for web and mobile development, to host and store the victims' stolen phone data. This included sensitive files like photos and ambient audio recordings. TechCrunch independently confirmed the use of Firebase by installing the Catwatchful spyware on a virtualized Android device, running it in an isolated environment to analyze its network traffic. This analysis showed data being uploaded to a specific Firebase instance associated with the Catwatchful operation.
The web company initially hosting the vulnerable Catwatchful API temporarily suspended the developer's account after being contacted by TechCrunch, briefly disrupting the spyware's operations. However, the API later reappeared, hosted on HostGator. A spokesperson for HostGator did not respond to requests for comment regarding their hosting of the spyware operation.
Google's Response and Ongoing Challenges
Upon receiving details of the Catwatchful malware from TechCrunch, Google took action to protect Android users. Google announced that new protections were added to Google Play Protect, Google's built-in security tool that scans Android phones for malicious applications. Google Play Protect will now alert users if it detects the Catwatchful spyware or its installer on their device, providing a crucial layer of defense against this specific threat.
TechCrunch also informed Google about the specific Firebase instance being used by Catwatchful to store victim data. When asked if the stalkerware operation violated Firebase's terms of service, a Google spokesperson stated on June 25 that they were investigating the issue and would take appropriate action if a violation was found. However, they did not immediately commit to taking down the operation.
Ed Fernandez, a Google spokesperson, commented, “All apps using Firebase products must abide by our terms of service and policies. We are investigating this particular issue, and if we find that an app is in violation, appropriate action will be taken. Android users that attempt to install these apps are protected by Google Play Protect.”
As of the time of publication, the Catwatchful operation reportedly remained hosted on Firebase, highlighting the complexities and potential delays in addressing such issues, even when platform providers are notified.
Detecting and Removing Catwatchful Spyware
Despite Catwatchful's false claim that it “cannot be uninstalled,” there are methods to detect and remove the app from an affected Android device. However, it is crucial to approach this process with caution.
Before attempting to remove any spyware, it is highly recommended to have a safety plan in place. Disabling or removing spyware can alert the person who installed it, potentially escalating a dangerous situation. Organizations like the Coalition Against Stalkerware provide invaluable resources and support for victims and survivors of domestic abuse and non-consensual surveillance.
A unique characteristic of Catwatchful is a built-in backdoor feature that allows the installer to access hidden settings. This same feature can be used by anyone to check for the app's presence. To potentially reveal the hidden Catwatchful app, open your Android phone's dialer app and enter the code 543210, then press the call button. If Catwatchful is installed and hidden, this action should force the app to appear on your screen.
Once detected, removing spyware can be a complex process, as these apps often employ techniques to resist uninstallation. TechCrunch offers a general guide for removing Android spyware that provides steps to identify and eliminate common types of phone stalkerware. The guide also covers essential post-removal steps, such as securing your device's settings and accounts to prevent re-installation or further compromise.
The Broader Implications
The Catwatchful data breach serves as a stark reminder of the significant privacy and security risks associated with the proliferation of consumer-grade spyware. These tools, often marketed under the guise of legitimate monitoring, are fundamentally designed to violate privacy and facilitate control, frequently in abusive contexts.
The exposure of customer data, including plaintext passwords, highlights the hypocrisy and incompetence of the operators. Those who purchase and use these tools, often believing they are acting discreetly, are themselves vulnerable to having their activities and identities exposed due to the operators' poor security practices. The fact that an unauthenticated API could expose the entire customer database is a fundamental security failure that should never occur in any application handling sensitive information, let alone one involved in illegal surveillance.
Furthermore, the reliance on platforms like Google Firebase, while not inherently malicious, raises questions about platform accountability. While Google has taken steps to update Play Protect to detect Catwatchful, the continued hosting of the operation's data on Firebase underscores the challenge of identifying and shutting down abusive services that utilize legitimate cloud infrastructure. Platform providers face the difficult task of balancing user privacy and security with the need to avoid censorship, but incidents like this demonstrate the urgent need for robust policies and swift action against services that clearly violate terms of service by facilitating illegal activities.
The geographical distribution of victims also points to the global nature of the stalkerware problem. While laws and enforcement vary by country, the technology enables surveillance across borders, making international cooperation and awareness campaigns essential.
Ultimately, the Catwatchful breach is a cautionary tale for everyone. For potential victims, it highlights the importance of device security, being aware of the signs of compromise, and seeking help from support organizations. For those considering using such tools, it demonstrates the legal, ethical, and even personal security risks involved. For the tech industry, it emphasizes the ongoing responsibility to detect, block, and actively combat the spread of stalkerware and to ensure that legitimate platforms are not inadvertently enabling illegal surveillance.
The work of security researchers like Eric Daigle is crucial in exposing these hidden threats and holding operators accountable, even when law enforcement action is slow or non-existent. By bringing these vulnerabilities to light, they empower potential victims and pressure platforms and authorities to take action.
The fight against stalkerware requires a multi-pronged approach involving technical defenses, legal action, platform accountability, and, critically, support for victims. The Catwatchful breach is a vivid illustration of why this fight is necessary and urgent.
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.