Catwatchful “child monitoring” app exposes victims’ data
If an app markets itself as being for “child monitoring”, a customer might expect that their data, and the data of the person they are monitoring, is handled with the utmost care and respect. However, as we’ve seen many times before, stalkerware apps (which is what such monitoring software is known as) have a tendency to be low quality and to lack security.
Stalkerware refers to apps and other monitoring software that enable someone to secretly spy on another person’s private life via their mobile device or computer. Many stalkerware apps market themselves as parental monitoring tools, but they can be—and often are—used to stalk and spy on a person. Sadly, the most common users of stalkerware are domestic violence abusers, who load these programs onto their partner’s device without their knowledge.
To illustrate our point about the lack of security, researcher Eric Daigle found that an Android app called Catwatchful has exposed the data of thousands of its customers, as well as that of its administrator.
Catwatchful claims it is “invisible and cannot be detected”, and uploads the victim’s photos, messages, and real-time location data to a dashboard for the person monitoring to see. It can also remotely tap into audio recorded by the phone’s microphone, and access both the front and rear phone cameras.
Make no mistake, this is nasty stuff.
And now it turns out that the data hasn’t been stored securely. The exposed database, which the researcher shared with TechCrunch, contained the phone data from 26,000 victims’ devices as well as the email addresses and plain text passwords of more than 62,000 customers.
Stalkerware apps continue to pose a serious threat to privacy and security. Over the past few years, several cases have revealed how these apps not only violate victims’ privacy but also expose sensitive data due to poor security practices. Recent leaks revealed that apps like Spyzie, Cocospy, and Spyic exposed millions of victims’ private information, including messages, photos, and locations. The attackers also obtained the email addresses of more than three million customers. Because the flaw was so easy to exploit, researchers kept the details under wraps to prevent further damage. After the breach, these apps disappeared from the internet, likely trying to avoid legal consequences rather than fixing their security.
Another case involved Spyhide, where a security researcher uncovered a decade of surveillance on tens of thousands of Android devices. The app’s poorly secured backend let attackers access call logs, messages, and location data from tens of thousands of victims.
The infamous mSpy monitoring app has suffered multiple leaks, with millions of records including personal documents and monitored activity exposed. Even high-profile users were found among its customers. Despite repeated breaches, mSpy’s security remains weak, putting victims at ongoing risk.
These cases highlight a harsh reality: stalkerware companies put profits before privacy, leaving victims and users vulnerable to further harm. As these apps operate in legal grey areas, it’s important to stay alert to the dangers they bring.
Considering using a monitoring app?
If you are thinking about installing such an app, and you are reading this:
- Don’t!
- Remember that using an app like this without the person’s permission is illegal in almost every country, unless it’s done with the consent of the government itself.
- We have never heard of anyone who was able to solve a problem by using stalkerware. Usually resorting to stalkerware only makes it worse.
- Consider the consequences of the person finding out what you did. The lack of security and repeated breaches of these apps demonstrate that it is a distinct possibility.
- Listen to this podcast.
Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware from your device. Keep in mind, however, that removing the stalkerware will alert the person spying on you that you know the app is there.
Check your exposure
Unfortunately, breaches are an everyday occurrence. If you want to see how much of your personal data has been exposed online, Malwarebytes has a free tool that you can use to check. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
If you are looking for a way to remove stalkerware from your device, Malwarebytes Premium Security and Malwarebytes Mobile Security can help.