A significant vulnerability has been discovered in the Catwatchful spyware app for Android, leading to the leak of data from thousands of its users, including the service's administrator. The issue was uncovered by Canadian cybersecurity expert Eric Deagle. Because of a security flaw, the entire Catwatchful database became accessible, exposing the email addresses and passwords of the clients who use the app to spy on other people's phones.
Catwatchful, which masquerades as a parental control app, actually uploads personal data from the victim's phone to a server and gives the person who installed the app access to it. The harvested data includes photos, messages and geolocation, and the app can also listen to surrounding sounds and activate the device's cameras.
Such apps, commonly referred to as stalkerware or spouseware, are illegal and typically require physical access to the phone for installation. Despite being banned from official app stores, spyware apps like Catwatchful continue to be used for illicit surveillance of partners and family members.
The Catwatchful breach marks the fifth such incident this year involving the hacking or leaking of data from spyware services. It highlights the growing risk posed by stalkerware apps, which continue to spread even though they are themselves riddled with technical flaws and weak security measures.
The Catwatchful database contained data from over 62,000 customer accounts and information from 26,000 devices on which the app was installed. The majority of the victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, with some records dating back to 2018.
The leaked data also exposed personal information about the Catwatchful administrator, Omar Soki Charkov, a developer from Uruguay. His name, phone number, email address, and a link to the Google Firebase server storing the victims’ data were found in the exposed database. The email address matched Charkov's LinkedIn profile, which was later hidden after the incident.
The breach was caused by a basic mistake in the API settings, according to Eric Deagle. The app's API, which was designed to send data, was completely unsecured, so anyone who found it could access the database without authorization.
After TechCrunch contacted the hosting company for Catwatchful, the developer's account was temporarily suspended, causing a brief outage of the app. However, the service resumed operations on the HostGator platform, where company representatives refused to comment on the situation.
Further investigation by TechCrunch confirmed that Catwatchful uses Google Firebase to store the stolen data. Journalists tracked network traffic from an isolated virtual device and recorded data being sent from the phone to the Catwatchful server.
In response, Google enhanced its Google Play Protect system to detect Catwatchful and alert users about its presence. The company is investigating the use of Firebase by the spyware app and, if violations are confirmed, will take action.
While Catwatchful developers claim the app cannot be removed, there is a method to detect and remove it. If you dial “543210” on the Phone app and press the call button, the app will become visible. This code is used to access the app’s settings, even when it's hidden, and allows users to check if Catwatchful is installed.
To remove Catwatchful, follow general instructions for removing spyware on Android or consult organizations that assist victims of digital abuse.
