Catwatchful Spyware Hacked: Critical Flaw Exposes 62,000 User Logins & Victim Data
A critical vulnerability has been discovered in the Android spyware app known as Catwatchful, resulting in a significant data breach that compromised the personal information of thousands of users, including the administrator of the service itself. The flaw was identified by Canadian cybersecurity researcher Eric Daigle. Because of it, the full contents of Catwatchful’s database, including users’ email addresses and passwords, became publicly accessible. These users had employed the app to secretly monitor other people’s phones.
Catwatchful masquerades as a parental control application but in reality uploads private data from the victim’s device to a server, giving whoever installed it access to the victim’s photos, messages, location data and audio recordings, and even remote control of the device’s cameras.
Such applications are banned from official app stores and require physical access to the target device for installation. As a result, Catwatchful and similar apps are often labeled as stalkerware or spouseware, designed to facilitate unlawful and covert surveillance of partners or family members.
The Catwatchful breach marks the fifth incident this year involving spyware services falling victim to hacks or data leaks. This event underscores the ongoing proliferation of surveillance software despite its inherent technical vulnerabilities and inadequate security, endangering both the users and their targets.
According to documents obtained by TechCrunch, the exposed database included over 62,000 client accounts and data from 26,000 infected devices. Most victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, with some entries dating back to 2018.
Among the leaked records was the personal information of Catwatchful’s administrator, Uruguayan developer Omar Zoky Charkov. His name, phone number, email address, and a direct link to the Google Firebase server hosting victim data were all found in the unprotected database. Charkov’s email address matched contact details listed on his LinkedIn profile, which was hidden shortly after the breach came to light.
The breach stemmed from a severe misconfiguration in the app’s API. Daigle explained that all deployed versions of the spyware connected to a custom API to transmit data, but the interface lacked any authentication, leaving the database completely exposed to the public.
After TechCrunch alerted the hosting provider supporting Catwatchful, the developer’s account was temporarily suspended, disrupting the service. However, it was soon restored through HostGator, whose representatives declined to comment on the situation.
TechCrunch confirmed that Catwatchful stores stolen data on Google’s Firebase cloud platform. Journalists installed the app on a sandboxed virtual device to monitor its network behavior and successfully captured its data transmissions to the Catwatchful server.
Google was provided with samples of the malware and details of the Firebase server. In response, the company enhanced its Google Play Protect system to detect Catwatchful and alert users of its presence.
Google representatives stated that an investigation is underway to determine whether Firebase was misused in violation of its terms of service. Should the investigation confirm misconduct, the company pledged to take appropriate action. However, at present, Catwatchful continues to operate on Google’s infrastructure.
Although Catwatchful claims it cannot be removed, there is a way to detect and uninstall it. Dialing the code “543210” in the standard Phone app and pressing the call button brings up the app even when it is hidden; from there, users can confirm that it is installed and reach its settings.
To remove Catwatchful, users can follow general Android spyware removal guidelines or seek assistance from organizations that support victims of digital abuse.