
Catwatchful Android Spyware Exposes 62,000 Users Data


A critical SQL injection vulnerability has exposed the complete user database of Catwatchful, a sophisticated Android spyware operation that was secretly monitoring over 26,000 victims' phones across Latin America and beyond. 

The breach, discovered by Canadian security researcher Eric Daigle, reveals how easily these illegal surveillance tools can be compromised, putting both perpetrators and victims at risk.

The vulnerability emerged when Daigle investigated Catwatchful's infrastructure after creating a trial account. Unlike many hastily built spyware operations, Catwatchful appeared professionally developed with robust surveillance capabilities, including live camera access, ambient audio recording, and real-time location tracking. The app disguised itself with a generic "Settings" icon and claimed to be completely undetectable.

However, the operation's backend proved far less secure than its marketing promised. Daigle discovered that Catwatchful's API endpoint at catwatchful.pink was completely unauthenticated and vulnerable to SQL injection attacks. 

Using automated penetration testing tools, he successfully extracted the entire user database containing 62,050 customer accounts with plaintext passwords and email addresses.

The technical flaw was particularly damaging because Catwatchful operated a hybrid architecture, storing user credentials on a vulnerable custom server while hosting stolen victim data on Google's Firebase platform. This design meant that while the victim data remained relatively secure on Firebase, the user authentication system was completely exposed.
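The two coding flaws the article names, a string-built SQL query and plaintext password storage, shown beside the hardened pattern (parameterised query, salted hash). This is an added illustration, not Catwatchful's own backend code, which is not public; the table layout, e-mail addresses and passwords are constructed, and the missing endpoint authentication is outside its scope.

```python
import hashlib
import hmac
import os
import sqlite3


def derive(password, salt):
    # Salted PBKDF2-HMAC-SHA256; a leaked table yields hashes, not passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_db():
    # Constructed stand-in for a customer table: one copy stores plaintext
    # passwords as the article describes, the other stores salt + hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (email TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (email TEXT, salt BLOB, pw_hash BLOB)")
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "s3cret")]:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, pw))
        salt = os.urandom(16)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                   (email, salt, derive(pw, salt)))
    return db


def login_vulnerable(db, email, password):
    # Request fields are spliced into the SQL text, so they are parsed as SQL.
    query = (f"SELECT email FROM users_plain "
             f"WHERE email = '{email}' AND password = '{password}'")
    return [row[0] for row in db.execute(query)]


def login_hardened(db, email, password):
    # Bound parameter: the e-mail is data to the engine, never SQL syntax.
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(derive(password, salt), pw_hash)


def quote_in_input_breaks_query(db):
    # Defender's check: a legitimate e-mail containing an apostrophe makes the
    # string-built query fail to parse, the tell-tale sign of injectable SQL.
    try:
        login_vulnerable(db, "o'brien@example.com", "x")
        return False
    except sqlite3.OperationalError:
        return True
```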

Broader Implications for Digital Safety

This breach represents the fifth major spyware operation compromise this year, highlighting a troubling pattern in the stalkerware industry. These apps, banned from official app stores, are used to illegally surveil spouses and partners; installing them requires physical access to the victim's device.

The exposed database revealed victims primarily located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, with some surveillance dating back to 2018.

The breach also exposed the identity of the spyware operation's administrator, Omar Soca Charcov, a Uruguay-based developer, through poor operational security practices. Despite being contacted by journalists, Charcov has not responded to disclosure requests or warned affected users.

Android users can detect Catwatchful by dialing 543210 in their phone app, which triggers a built-in backdoor revealing the hidden spyware. For comprehensive removal guidance and safety planning, users should consult resources from the Coalition Against Stalkerware, as removing spyware can alert the person who installed it.
