Latest news with #Catwatchful


Tahawul Tech
07-07-2025
Catwatchful data breach exposes thousands in latest stalkerware scandal
Security flaw highlights the ongoing risks of consumer-grade spying apps—and the need for greater public awareness.

A covert Android application called Catwatchful, marketed as an 'invisible' child-monitoring tool, has suffered a major data breach that laid bare the email addresses and plaintext passwords of more than 62,000 paying customers and leaked stolen data from at least 26,000 victims' phones. The discovery, first reported by TechCrunch and attributed to security researcher Eric Daigle, shows that Catwatchful's unauthenticated programming interface allowed anyone on the internet to query its entire user database. Most victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador and Bolivia.

Catwatchful is best described as stalkerware: consumer spyware that must be installed manually on a target's handset and then operates in secret, siphoning off photos, messages, real-time location data and even live microphone and camera feeds to a web dashboard controlled by the perpetrator. Although such apps are banned from official app stores, their availability via third-party sites continues to fuel intimate-partner surveillance and other forms of tech-enabled abuse.

The leaked database also exposed the identity of the app's administrator, Omar Soca Charcov, a developer based in Uruguay who has so far declined to comment on the breach. Catwatchful is at least the fifth stalkerware service this year to suffer a hacking-related data spill, underscoring a pattern of lax security across the industry and the double-edged privacy threat these tools pose to both victims and buyers. Kaspersky, which classifies Catwatchful as stalkerware and has been detecting it since 2018, says the incident is further evidence that users and policymakers must remain vigilant.
Tatyana Shishkova, Lead Security Researcher at Kaspersky GReAT, offered the following rapid response: 'Stalkerware remains a global and serious problem, as confirmed by the recent reports on the Catwatchful app. While such products are typically marketed as legitimate parental control apps, they pose significant risks: they operate stealthily, being installed without a person's knowledge or consent, and provide a perpetrator with the means to secretly monitor the victim's most private information. Moreover, such apps, despite the developer's claims about security, pose privacy risks to the perpetrators themselves. There are frequent data leaks, as recent media reports confirm. Although it was reported that the app 'is invisible and undetectable on the phone', Kaspersky has been detecting Catwatchful as stalkerware since 2018. The 'Who's spying on me' functionality provides users of the Kaspersky app for Android with a dedicated notification when this stalkerware is detected. This case reinforces the need to continuously raise awareness about stalkerware and tech-enabled abuse, empowering individuals with the knowledge on how to protect both their digital and physical lives.'

Why it matters

Catwatchful's breach illustrates three persistent dangers:
- Victim exposure – Intimate data can be harvested without consent and then leak wholesale when attackers exploit poor security hygiene.
- Perpetrator risk – Buyers entrust their credentials and sometimes incriminating evidence to vendors whose safeguards are minimal.
- Policy gaps – Stalkerware occupies a grey zone in many jurisdictions, complicating enforcement and takedown efforts.

Cyber-safety advocates, including the global Coalition Against Stalkerware, argue that the only sustainable fix is a combination of tougher regulation, stricter platform policing and wider public education on detecting and removing clandestine tracking apps.
For Android users concerned about possible compromise, Kaspersky and other security vendors recommend running a reputable mobile security suite, checking for unfamiliar accessibility-service permissions and keeping devices updated with the latest patches. Victims of tech-facilitated abuse can also seek specialised support from local domestic-violence hotlines and digital-safety organisations.


Indian Express
04-07-2025
Catwatchful: The Android app that secretly stole 62,000 email addresses and passwords
A security vulnerability in a stealthy Android stalkerware named Catwatchful seems to have leaked more than 62,000 user credentials, including those of its administrator. The flaw was first discovered by a Canadian researcher named Eric Daigle, who claims that the leaked data includes email addresses and passwords stored in plain text. These credentials were used by the spyware's customers to access data stolen from the phones of unsuspecting victims.

Catwatchful is stalkerware for Android devices that disguises itself as a child-monitoring app. It works by uploading the victim's private information, such as photos, call logs, passwords and real-time location, to a dashboard that can only be accessed by the person who planted it. What makes it even more dangerous is that Catwatchful can also tap into live ambient audio through the phone's microphone and access both front and rear cameras. Unlike most spyware apps for Android, Catwatchful uses its very own infrastructure and also offers a 3-day free trial, which is a rarity for a spyware app. The app developer also says that 'Catwatchful is invisible. It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you access the information it collects.' Unsurprisingly, it is not available on the Play Store and must be manually downloaded and installed, a process often referred to as sideloading, which means only someone with physical access to your device will be able to install it.

Daigle said he started by making a free trial account on the Catwatchful website, which is when he noticed that the website registered his information in two different locations, one of which was hosted on a domain called
When installed, the app requested all sorts of permissions and hid itself as a system app. Also, all of the stolen data was stored in Firebase and accessed via a web control panel.
However, the custom backend the app developer was using was vulnerable to a SQL injection attack. Daigle said he used this very flaw to access the service's entire user database, which included email addresses and passwords of people who were using Catwatchful to spy on others, which amounted to more than 62,000. As it turns out, it also included information of devices that were being monitored. According to TechCrunch, the majority of devices that were compromised were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. The publication says the list is in order of the number of victims. What's even more surprising is that some of these records date back to 2018, which suggests that Catwatchful has been operating and stealing data for at least 7 years.
Yahoo
03-07-2025
Android 'Safety' App Was Actually Spying on People for Years
A so-called child safety app that secretly recorded phones for years has just been exposed along with the people who used it. Catwatchful, an Android app designed to run in stealth mode, was pitched as a way for parents to monitor their children, TechCrunch reported. But the app, which operated outside of the Google Play store, went far beyond basic tracking. It quietly uploaded everything from text messages and photos to real-time location data and ambient audio, all without the victim's knowledge.

A recently discovered security flaw exposed the app's entire customer database, including more than 62,000 email addresses and passwords used by those who installed the spyware. The breach also revealed stolen data from 26,000 victim devices, many located in Mexico, Colombia, India, and other countries in Latin America and South Asia.

Catwatchful relied on physical access to install, allowing it to bypass app store scrutiny. Once active, it was virtually invisible to the user, with a hidden backdoor code to bring it up only when prompted. The app also tapped into device microphones and cameras, pushing the limits of what 'monitoring' software should be allowed to do.

And while the app's victims never saw it coming, the breach also compromised the operation's creator. The database exposed the identity of the developer behind the spyware, linking him directly to the stolen data and Firebase servers hosting it. Attempts to reach him have gone unanswered.

Google, alerted to the breach, said it has added new protections to detect Catwatchful with Play Protect, its built-in Android security scanner. But as of now, the app's backend remains active.

Catwatchful is just the latest in a troubling trend. Several stalkerware tools have leaked or been hacked this year, reinforcing how insecure and invasive these apps truly are. While marketed as parenting tools, many of them enable covert surveillance in relationships or workplaces, crossing legal and ethical lines.
Android users can check for Catwatchful by dialing 543210 into the phone app. If it appears, it's installed, and it's time to remove it.

In a tech-driven world, the promise of safety often comes with a hidden cost. With Catwatchful exposed, it's clear that in the age of smartphones, the line between protection and intrusion isn't always where you think it is.

This article, "Android 'Safety' App Was Actually Spying on People for Years", first appeared on Men's Journal on Jul 3, 2025.


Tom's Guide
03-07-2025
Catwatchful child monitoring app is actually spyware that leaked user data online — how to stay safe
Catwatchful is an app that claims to be a 'child monitoring app' but is, in actuality, a spyware app that runs invisibly on phones and sends a victim's data back to a dashboard viewable by the person who installed it. Also called 'stalkerware', this app experienced a data breach via a security flaw that exposed both the email addresses and passwords of thousands of customers – and the phone data of thousands of victims.

Security researcher Eric Daigle reported in a blog post that a vulnerability revealed the spyware app's full database of email addresses and plaintext passwords for more than 62,000 customers and phone data from 26,000 victims. Additionally, as reported by TechCrunch, the administrator of the Catwatchful operation was also exposed in the breach. The compromised devices were from (in order of victim numbers) Mexico, Colombia, India, Peru and Argentina, among others.

The Catwatchful app uploads a victim's phone contents to a dashboard viewable by the person who secretly installed the app, and that includes a concerning amount of data: photos, messages, access to front and rear cameras, microphone access and real-time location data. This presents an obvious security risk to the victim – stalkerware and spyware apps are non-consensual surveillance apps that are frequently used against domestic and romantic partners in ways that violate laws, which is exactly why these types of apps are banned and have to be installed by someone who has direct physical access to the phone.

Catwatchful is not the first spyware app to suffer a data breach; according to TechCrunch, it's at least the fifth this year – a clear indication that consumer-grade spyware offerings are spreading more widely even though what they offer is 'shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.'
According to Daigle, the Catwatchful API was unauthenticated, which is what allowed anyone on the open internet to interact with the user database without a login; the whole database of email addresses and passwords was exposed. While the API was briefly taken down, it was then back up again. Google is apparently investigating the Firebase involvement but has added protections that enable Google Play Protect to alert users when it detects Catwatchful spyware or its installer on a user's phone.

Catwatchful claims it cannot be uninstalled; however, there are still things that can be done. First, as with any spyware or stalkerware, have a safety plan in place. Disabling this type of software can potentially alert the person who installed it in the first place, so always protect yourself first. If you're looking for additional resources, you might want to contact the Coalition Against Stalkerware.

Android users who suspect they have Catwatchful installed can dial 543210 on their device's keypad and hit call. If it's installed, it should appear on the screen. This code is a backdoor feature for regaining access to the settings once the app has been hidden, but it also reveals whether the app is installed, so if you use it you may also tip off the person who installed it.

Next steps:
- Make sure Google Play Protect is enabled, and check the permissions sections of your phone. If you don't recognize the apps that have permissions, that should be a clear warning sign, particularly for accessibility services.
- Check your Android device's app list and remove anything you didn't approve or don't recognize.
- Make sure you have a lock screen enabled and protect your accounts using two-factor authentication whenever possible to prevent anyone from accessing them easily.
- For added security, the best Android antivirus apps can provide additional protection such as a VPN and identity theft protection.
Spyware and stalkerware are very real threats that need to be taken extra seriously as they typically aren't installed on your phone by hackers but by someone you know. This breach is certainly concerning for those affected by it but it also serves as a wakeup call and a reminder of the threat posed by these types of apps.
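Both the Kaspersky piece and the Tom's Guide "Next steps" above recommend checking for unfamiliar accessibility-service permissions. The script below is an added example, not code from either outlet or from any vendor named on this page: it combines two standard adb outputs to list every enabled accessibility service that belongs to a third-party package, the place a sideloaded monitoring app would appear. The com.example.* package names are constructed sample data used when no device is attached.

```shell
#!/bin/sh
# Added example (not from any article above): triage helper for the
# "check accessibility services" step. It pairs two real adb outputs:
#   adb shell settings get secure enabled_accessibility_services
#       -> colon-separated "package/ServiceClass" entries, or "null" if none
#   adb shell pm list packages -3
#       -> one "package:<name>" line per third-party (non-system) package
# Without adb on PATH it falls back to constructed sample data so it runs offline.

# Print "package service" for each enabled accessibility service whose
# package is third-party.
#   $1: the enabled_accessibility_services string
#   $2: newline-separated "package:<name>" lines from pm list packages -3
flag_third_party_accessibility() {
    enabled=$1
    third_party=$2
    [ "$enabled" != "null" ] || return 0          # nothing enabled at all
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}                          # "pkg/Service" -> "pkg"
        # -F: literal match so dots in package names are not regex wildcards
        if printf '%s\n' "$third_party" | grep -qxF "package:$pkg"; then
            printf '%s %s\n' "$pkg" "$entry"
        fi
    done
}

if command -v adb >/dev/null 2>&1; then
    ENABLED=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    THIRD=$(adb shell pm list packages -3 | tr -d '\r')
else
    # Constructed sample data standing in for a device: TalkBack (a system
    # screen reader) plus a hypothetical sideloaded package,
    # com.example.sysmonitor, that also registered an accessibility service.
    ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sysmonitor/.SvcAccessibility'
    THIRD='package:com.example.sysmonitor
package:com.example.notes'
fi

echo "Enabled accessibility services owned by third-party packages:"
flag_third_party_accessibility "$ENABLED" "$THIRD"
```

Any package printed here deserves a look in Settings > Accessibility before deciding whether to remove it; a service owned by a system package is not listed because `pm list packages -3` excludes them.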


India Today
03-07-2025
Stealth app Catwatchful caught spying on thousands of phones, leak reveals emails, passwords and its own admin
A stealth app called Catwatchful has allegedly been caught in its own trap after a major security flaw exposed sensitive data of both its users and victims. The app, which disguises itself as a child-monitoring tool, has been silently stealing data from thousands of Android phones – including photos, messages, location details, and even live audio from microphones and cameras. But a newly discovered vulnerability has turned the tables.

Canadian security researcher Eric Daigle found that Catwatchful's database was completely exposed online due to a misconfigured, unauthenticated API. This meant that anyone could access sensitive data, including the email addresses and plain-text passwords of over 62,000 customers, along with private phone data from more than 26,000 victims. The majority of affected devices were located in countries like India, Mexico, Colombia, Peru, Argentina, Ecuador, and Bolivia. The exposed data includes records stretching back as early as 2018.

In a blog post, Daigle explained that Catwatchful operates by being manually installed on a victim's device by someone with physical access – often a romantic partner or family member – making it a form of stalkerware. Daigle's investigation also revealed that Catwatchful used Google Firebase to host stolen data, like users' photos and real-time audio recordings. Upon being alerted, Google said it had added Catwatchful to its Play Protect tool to warn Android users of the spyware.

The breach didn't just expose victims; it also revealed the identity of Catwatchful's operator. The developer behind the spyware was identified as Omar Soca Charcov, a software engineer residing in Uruguay, according to a report by TechCrunch. Charcov's details, including his personal email, phone number, and even the Firebase web address used to store stolen data, were found in the database. Charcov's LinkedIn profile used the same email address found in the spyware data, as per the report.
He reportedly also linked his personal email account to the administrator account for Catwatchful, making it easy to trace him as the operator. Following the discovery, Daigle informed the hosting provider for Catwatchful's API, which briefly suspended the spyware's services. However, the API later returned via HostGator. Google is apparently reviewing whether Catwatchful violated its Firebase terms, but at the time of writing, the app's database remains online.