A critical security vulnerability in the Android “stalkerware” platform Catwatchful has exposed the private data of over 26,000 victims and the credentials of more than 62,000 customers. Discovered by security researcher Eric Daigle, the flaw left a database reachable without authentication. It contained the plaintext passwords and email addresses that customers use to access data stolen from victims’ phones, ranging from photos and messages to real-time location tracking.
What is Catwatchful?
Marketed as an “invisible” child monitoring tool, Catwatchful functions as invasive stalkerware. It is designed to be planted on a target’s device, granting the perpetrator remote access to microphones, cameras, and private communications. Because these apps are prohibited from official app stores, they require physical access to the victim’s device for installation, a tactic frequently linked to illegal domestic surveillance.
The breach highlights a recurring failure in the consumer spyware industry: shoddy coding that leaves both the perpetrators and their targets vulnerable. This incident marks at least the fifth major spyware data spill in 2024 alone.
Global Impact and Administrator Exposure
Data analysis indicates that the compromised devices are primarily located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. Records within the database date back as far as 2018.
The leak also stripped away the anonymity of the operation’s administrator: Omar Soca Charcov, a developer based in Uruguay. Operational security errors, including testing the software on his own devices and linking his personal email to the administrator account, allowed investigators to confirm his identity. He has not responded to multiple requests for comment.
Infrastructure and Google’s Role
Daigle’s investigation revealed that Catwatchful relies on a custom API and Google’s Firebase platform to host stolen data. The API was left entirely unauthenticated, allowing unauthorized access to the database via the open internet.

Following the disclosure, Google updated Google Play Protect to alert Android users if the Catwatchful installer is detected on their devices. While the company is investigating whether the operation violates its terms of service, the spyware remained hosted on Firebase as of the latest report.
How to Detect and Remove Stalkerware
If you suspect your device has been compromised, proceed with caution. Disabling spyware can alert the person who installed it; prioritize your safety by consulting resources from the Coalition Against Stalkerware before taking action.

To check for Catwatchful specifically, users can dial 543210 in their phone app and hit the call button. This hidden backdoor code is designed to force the Catwatchful app’s settings menu to appear, even if its icon is hidden from the home screen.
For those in immediate danger, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support. If you are in an emergency situation, contact local emergency services immediately.
