Android 'Safety' App Was Actually Spying on People for Years
Catwatchful, an Android app designed to run in stealth mode, was pitched as a way for parents to monitor their children, TechCrunch reported. But the app, which operated outside of the Google Play store, went far beyond basic tracking. It quietly uploaded everything from text messages and photos to real-time location data and ambient audio, all without the victim's knowledge.
A recently discovered security flaw exposed the app's entire customer database, including more than 62,000 email addresses and passwords used by those who installed the spyware. The breach also revealed stolen data from 26,000 victim devices, many located in Mexico, Colombia, India, and other countries in Latin America and South Asia.
Catwatchful relied on physical access to install, allowing it to bypass app store scrutiny. Once active, it was virtually invisible to the user, with a hidden backdoor code to bring it up only when prompted. The app also tapped into device microphones and cameras, pushing the limits of what 'monitoring' software should be allowed to do.
And while the app's victims never saw it coming, the breach also compromised the operation's creator. The database exposed the identity of the developer behind the spyware, linking him directly to the stolen data and Firebase servers hosting it. Attempts to reach him have gone unanswered.
Google, alerted to the breach, said it has added new protections to detect Catwatchful with Play Protect, its built-in Android security scanner. But as of now, the app's backend remains active.
Catwatchful is just the latest in a troubling trend.
Several stalkerware tools have leaked or been hacked this year, reinforcing how insecure and invasive these apps truly are. While marketed as parenting tools, many of them enable covert surveillance in relationships or workplaces, crossing legal and ethical lines.
Android users can check for Catwatchful by dialing 543210 into the phone app. If it appears, it's installed, and it's time to remove it.
In a tech-driven world, the promise of safety often comes with a hidden cost. With Catwatchful exposed, it's clear that in the age of smartphones, the line between protection and intrusion isn't always where you think it is.Android 'Safety' App Was Actually Spying on People for Years first appeared on Men's Journal on Jul 3, 2025
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
CNET
an hour ago
- CNET
AI Is Taking Over Your Search Engine. Here's a Look Under the Hood
For decades, the way we find information on the internet changed only in small ways. Doing a traditional Google search today doesn't feel all that different from when, in the 1990s, you would Ask Jeeves. Sure, a lot has changed under the hood, the results are likely far more relevant and the interface has some new features, but you're still typing in keywords and getting a list of websites that might hold the answer. That way of searching, it seems, is starting to go the way of AltaVista, may it rest in peace. In May, Google announced the rollout of its new AI Mode for search, which uses a generative AI model (based on the company's Gemini large language model) to give you conversational answers that feel a lot more like having a chat and less like combing through a set of links. Other companies, like Perplexity and OpenAI, have also deployed search tools based on gen AI. These tools, which merge the functionality of a chatbot and a traditional search engine, are quickly gaining steam. You can't even escape AI by doing just a regular Google search: AI Overviews have been popping up atop those results pages since last year, and about one in five searches are now showing this kind of summary, according to a Pew Research Center report. I'm surprised it's not even more than that. These newfangled search tools feel a lot like your typical chatbot, like ChatGPT, but they do things a little differently. Those differences share a lot of DNA with their search engine ancestors. Here's a look under the hood at how these new tools work, and how you can use them effectively. Everything Announced at Google I/O 2025 Everything Announced at Google I/O 2025 Click to unmute Video Player is loading. Play Video Pause Skip Backward Skip Forward Next playlist item Unmute Current Time 0:13 / Duration 15:40 Loaded : 6.33% 00:13 Stream Type LIVE Seek to live, currently behind live LIVE Remaining Time - 15:27 Share Fullscreen This is a modal window. Beginning of dialog window. Escape will cancel and close the window. Text Color White Black Red Green Blue Yellow Magenta Cyan Opacity Opaque Semi-Transparent Text Background Color Black White Red Green Blue Yellow Magenta Cyan Opacity Opaque Semi-Transparent Transparent Caption Area Background Color Black White Red Green Blue Yellow Magenta Cyan Opacity Transparent Semi-Transparent Opaque Font Size 50% 75% 100% 125% 150% 175% 200% 300% 400% Text Edge Style None Raised Depressed Uniform Drop shadow Font Family Proportional Sans-Serif Monospace Sans-Serif Proportional Serif Monospace Serif Casual Script Small Caps Reset Done Close Modal Dialog End of dialog window. Close Modal Dialog This is a modal window. This modal can be closed by pressing the Escape key or activating the close button. Close Modal Dialog This is a modal window. This modal can be closed by pressing the Escape key or activating the close button. Everything Announced at Google I/O 2025 Search engines vs. AI search: What's the difference? The underlying technology of a search engine is kinda like an old library card catalog. The engine uses bots to crawl the vast expanses of the internet to find, analyze and index the endless number of web pages. Then, when you do a search to ask who played Dr. Angela Hicks on ER, because you're trying to remember what else you've seen her in, it will return pages for things like the cast of ER or the biography of the actor, CCH Pounder. From there, you can click through those pages, whether they're on Wikipedia or IMDB or somewhere else, and learn that you know CCH Pounder from her Emmy-winning guest appearance on an episode of The X-Files. "When customers have a certain question, they can type that question into Google and then Google runs their ranking algorithms to find what content is the best for a particular query," Eugene Levin, president of the marketing and SEO tool company Semrush, told me. Generally, with a traditional search, you have to click through to other websites to get the answer you're looking for. When I was trying to figure out where I recognized CCH Pounder from, I clicked on at least half a dozen different sites to track it down. That included using Google's video search -- which combs an index of videos across different hosting platforms -- to find clips of her appearance on The X-Files. Google announced AI Mode at its I/O developer conference in May. Google/Screenshot by Joe Maldonado/CNET These multiple searches don't necessarily have to happen. If I just want to know the cast of ER, I can type in "cast of ER" and click on the Wikipedia page at the top. You'll usually find Wikipedia or another relevant, trustworthy site at or near the top of a search result page. That's because a main way today's search algorithms work is by tracking which sites and pages get most links from elsewhere on the web. That model, which "changed the game for search" when Google launched it in the 1990s, was more reliable than indexing systems that relied on things like just how many times a keyword appeared on a page, said Sauvik Das, associate professor at Carnegie Mellon University's Human-Computer Interaction Institute. "There's lots of cookie recipes on the web, but how do you know which ones to show first?" Das said. "Well, if a bunch of other websites are linking to this website for the keywords of 'cookie recipe,' that's pretty difficult to game." AI-powered search engines work a little differently, but operate on the same basic infrastructure. In my quest to see where I recognized CCH Pounder from, I asked Google's AI Mode, literally, "Where do I recognize the actress who plays Dr. Angie Hicks on ER from?" In a conversation that felt far more like chatting with a bot than doing searches, I narrowed it down. The first result gave me a list of shows and movies I hadn't seen, so I asked for a broader list, which featured her guest appearances on other shows. Then I could ask for more details about her X-Files appearance, and that narrowed it down. While the way I interacted with Google was different, the search mechanisms were basically the same. AI Mode just used its Gemini model to develop and process dozens of different web searches to gather the information needed, Robby Stein, vice president of product for Google Search, told me. "A user could've just queried each of those queries themselves." Basically, AI Mode did the same thing I did, just a lot faster. So many searches, so little time The approach here is called "query fan-out." The AI model takes your request and breaks it down into a series of questions, then conducts searches to answer those components of the request. It then takes the information it gathers from all those searches and websites and puts it together in an answer for you. In a heartbeat. Those searches are using the same index that a traditional search would. "They work on the same foundation," Levin said. "What changes is how they pull information from this foundation." This fan-out process allows the AI search to pull in relevant information from sites that might not have appeared on the first page of traditional search results, or to pull a paragraph of good information from a page that has a lot more irrelevant information. Instead of you going down a rabbit hole to find one tiny piece of the answer you want, the AI goes down a wide range of rabbit holes in a few seconds. "They will anticipate, if you're looking for this, what is the next thing you might be interested in?" Levin said. Read more: AI Essentials: 29 Ways You Can Make Gen AI Work for You, According to Our Experts The number of searches the AI model will do depends on the tool you're using and on how complicated your question is. AI Mode that uses Google's Deep Search will spend more time and conduct more searches, Stein said. "Increasingly, if you ask a really hard question, it will use our most powerful models to reply," Stein said. The large language models that power these search engines also have their existing training data to pull from or use to guide their searches. While a lot of the information is coming from the up-to-date content it finds by searching the web, some may come from that training data, which could include reams of information ranging from websites like this one to whole libraries of books. That training data is so extensive that lawsuits over whether AI companies actually had the right to use that information are quickly multiplying. (Disclosure: Ziff Davis, CNET's parent company, in April filed a lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.) AI search isn't just a chatbot Not relying on training data is one thing that sets an AI-powered search engine apart from a traditional chatbot, even though the underlying language model might be largely the same. While ChatGPT Search will scour the internet for relevant sites and answers, regular ChatGPT might rely on its own training data to answer your question. "The right answer might be in there," Das said. "It might also hallucinate a likely answer that isn't anywhere in the pre-training data." The AI search uses a concept called retrieval-augmented generation to incorporate what it finds on the internet into its answer. It collects information from a source you point it to (in this case, the search engine index) and tells it to look there instead of making something up if it can't find it in its training data. "You're telling the AI the answer is here, I just want you to find where," Das said. "You get the top 10 Google results, and you're telling the AI the answer is probably in here." Perplexity offers AI-powered search through its app and through a newly announced browser. Stefani Reynolds/Bloomberg via Getty Images Can you really trust AI search results? These AI-powered search tools might be more reliable than just using a chatbot itself, because they're pulling from current, relevant information and giving you links, but you still have to think critically about it. Here are some tips from the experts: Bring your human skepticism Consider how bad people are at telling when you're sarcastic on the internet. Then think about how bad a large language model might be at it. That's how Google's AI Overviews came up with the idea to put glue on pizza -- by pulling information from a humorous Reddit post and repeating it as if it were real culinary advice. "The AI doesn't know what is authentic and what is humorous," Das said. "It's going to treat all that information the same." Remember to use your own judgement and look for the sources of the information. They might not be as accurate as the LLM thinks, and you don't want to make important life decisions based on somebody's joke on an internet forum that a robot thought was real. AI can still make stuff up Even though they're supposed to be pulling from search results, these tools can still make things up in the absence of good information. That's how AI Overviews started creating fake definitions for nonsensical sayings. The retrieval-augmented generation might reduce the risk of outright hallucinations but doesn't eliminate it, according to Das. Remember that an LLM doesn't have a sense of what the right answer to a question is. "It's just predicting what is the next English word that would come after this previous stream of other English words or other language words," Das said. "It doesn't really have a concept of truthiness in that sense." Check your sources Traditional search engines are very hands-off. They will give you a list of websites that appear relevant to your search and let you decide whether you want to trust them. Because an AI search is consolidating and rewriting that information itself, it may not be obvious when it's using an untrustworthy source. "Those systems are not going to be entirely error-free, but I think the challenge is that over time you will lose an ability to catch them," Levin said. "They will be very convincing and you will not know how to really go and verify, or you will think you don't need to go and verify." But you can check every source. But that's exactly the kind of work you were probably hoping to avoid using this new system that's designed to save you time and effort. "The problem is if you're going to do this analysis for every query you perform in ChatGPT, what is the purpose of ChatGPT?" Levin said.
Business Insider
2 hours ago
- Business Insider
China Calls for Global AI Rules as U.S. Escalates Tech Fight – What Investors Should Watch
China is proposing to lead the creation of a new international body to shape the future of artificial intelligence. Speaking at the World Artificial Intelligence Conference in Shanghai, Premier Li Qiang called for a World AI Cooperation Organization, aiming to make AI development more inclusive and to prevent it from being dominated by a handful of nations or companies. Elevate Your Investing Strategy: Take advantage of TipRanks Premium at 50% off! Unlock powerful investing tools, advanced data, and expert analyst insights to help you invest with confidence. The proposal comes as the global AI race accelerates. Premier Li cited the need for shared governance to address the risks tied to AI, from job losses to security concerns. Former Google (GOOG) chief executive Eric Schmidt backed the idea of global collaboration, saying the U.S. and China should work together to maintain stability and ensure human control over powerful AI systems. Tensions Rise as China Courts Allies and the U.S. Doubles Down However, turning that vision into a working framework will not be easy, as the U.S. is taking a different path. Just days before the conference, President Donald Trump signed new executive orders to ease regulations and boost energy access for AI infrastructure, including data centers. These moves are designed to strengthen companies like OpenAI and Google while reinforcing America's lead in advanced AI. In the meantime, geopolitical friction remains high. U.S. restrictions on Nvidia Corporation (NVDA) chips continue to limit China's access to high-end semiconductors. Premier Li acknowledged these supply chain issues and reaffirmed China's goal to reduce its reliance on foreign technology. That includes support for homegrown companies like DeepSeek, which has gained attention for scaling up open-sourced models and AI agents. China's strategy also includes outreach to the Global South, including partnerships with Brazil and African nations. However, international trust remains a hurdle. Western companies and governments are hesitant to align with a governance model led by Beijing, especially regarding concerns around data access, intellectual property, and dual-use technologies. Takeaway for Investors For investors, the gap between cooperation and competition is clear. Chinese firms are racing to set their own benchmarks, while U.S. players double down on domestic infrastructure and AI regulation. The idea of a global AI framework may gain traction diplomatically, but market dynamics suggest a more fragmented path forward. Whether this initiative reshapes AI development or becomes another diplomatic flashpoint will depend on how governments and companies balance access, risk, and control in the months ahead. Using TipRanks' Comparison Tool, we've analyzed several leading AI stocks that could be influenced by geopolitical tensions, shifting regulations, and broader market dynamics.
Forbes
4 hours ago
- Forbes
Hackers Pay $30 To Steal Passwords From Chrome, Edge, Brave And Firefox
The shockingly low cost of password hacking exposed. A new hacking tool is proving popular with password hackers for very good reason: it provides everything they need to go on a browser-based credentials hunt for what is, all things considered, a bargain basement price. It's not only your passwords they can steal, but a whole bunch of other stuff as well: cryptocurrency keys, private messaging tokens and browser session data, for example. Password Hackers Can Use The Katz Infostealer Service For As Little As $30 Per Month Microsoft has given users of its Authenticator app until August 1 to save their passwords as it looks to switch users to its Edge browser. The same tech giant, which, along with others such as Google, is also trying to get users to switch to passkey technology en masse. This is hardly surprising given that passwords are so insecure, and attackers look to exploit them at every turn. While I can support the change to passkeys, I'm not so sure about moving passwords from dedicated password management apps to web browsers. If you want to know why, look no further than the newly published analysis of the Katz infostealer malware-as-a-service threat. Jim Walter knows more than a thing or two about the revolving trend and tactics employed by cybercriminals. As a senior threat researcher with SentinelOne, specializing in uncovering and analyzing emerging cybercrime services, Walter has just published an in-depth look at the Katz password hacking threat. Launched earlier this year, Katz Stealer is described by Walker as a feature-rich infostealer that has quickly gained attention within password hacking circles. Marketed through all the usual cybercrime forums, and on the surface through groups on networks such as Discord and Telegram, Katz is packed to the gills with credential and data theft capabilities, alongside an impressive suite of detection-evading features. 'The turnkey nature of the Katz Stealer service, along with accessible pricing,' Walter said, 'has led to rapid adoption by threat actors across the spectrum of capability.' Low Cost Of Entry For Password Hackers Ah, yes, the pricing. Remember, this is password theft as a service, so hackers have to pay for the privilege of using Katz, but the payouts are obviously well worth the relatively small investment. With prices starting at $50 per month, this drops to as low as $30 for a 12-month commitment. The low cost of Katz Stealer rental revealed. For this, threat actors get access to a web-based management panel, which also operates as the back-end for the infostealer, so that exfiltrated data can be processed and searched. Katz Stealer management panel. 'The infostealer can harvest data from all commonly used web browsers,' Walter said, including Chrome, Edge, Brave, Firefox and various Chromium/Gecko-offshoots. 'Saved passwords, login session cookies, saved session tokens, autofill data (including stored credit card CVV data) are all targeted.' Walter also warned that despite Google introducing application-bound encryption to Chromium in 2024, which effectively 'ties the decryption of stored passwords and cookies to the logged-in OS user,' the Katz Stealer can bypass this by 'programmatically masquerading as the browser once injected.' I have approached Brave, Google, Microsoft and Mozilla for a statement. In the meantime, I would recommend taking note Walter concluded that 'Katz Stealer still relies on social engineering and user interaction to enable a successful compromise.' You know what to do then; be careful out there, don't fall for those social engineering tricks and don't click on things when you cannot be 100% sure where they lead. The password hackers are relying upon you not to follow this advice.
