A flaw in Catwatchful spyware exposed logins of over 62,000 users
A flaw in Catwatchful spyware exposed logins of 62,000 users, turning the spy tool into a data leak, security researcher Eric Daigle revealed.
A flaw in the Catwatchful Android spyware exposed its full user database, leaking email addresses and plaintext passwords of both customers and its admin, TechCrunch first reported.
Security researcher Eric Daigle first discovered the vulnerability.
Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.
Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.
Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain. This incident highlights how consumer-grade spyware keeps spreading, even though it’s often poorly built and riddled with security flaws that put both users and victims at risk of data leaks.
“According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices,” reads the report published by TechCrunch.
Most Catwatchful spyware victims were in Mexico, Colombia, India, and other Latin American countries, with some data dating back to 2018. The database also exposed the operation’s administrator, Omar Soca Charcov from Uruguay, who did not respond to requests for comment. TechCrunch shared the leaked data with Have I Been Pwned to help inform potential victims of the breach.
Catwatchful secretly uploads victims’ data to a Firebase database, accessible to users via a web dashboard. After registering, users receive a pre-configured APK that requires physical access to the target device to install. Once active, it enables real-time spying. Security researcher Eric Daigle found a SQL injection flaw that exposed the entire Firebase database, revealing plaintext logins and passwords for 62,050 accounts, along with the links between users and the devices they monitor.
“The second notable thing is that all the personal data collected here seems to be stored in Firebase, served from Cloud Storage URLs in the form catwatchful-e03b8.appspot.com/o/usersFiles/JIOgo826TPfb0pMFKmzkE7jz9JO2/M6GPYXHZ95ULUFD0/micRecorders/grab_2025-06-09_17-04-34. Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM,” reads the report published by Daigle.
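As an added, defender-side example (not code from Daigle's write-up or the TechCrunch report), the following Python scans constructed egress-proxy log lines for uploads to the storage bucket quoted above and splits the object path into fields. The layout of the path segments (account id, device id, data category, file) is an assumption drawn from that single sample URL.

```python
import re
from urllib.parse import unquote

# Bucket name quoted from Daigle's write-up on this page.
CATWATCHFUL_BUCKET = "catwatchful-e03b8.appspot.com"

# Firebase Storage object URLs have the form
#   https://firebasestorage.googleapis.com/v0/b/<bucket>/o/<url-encoded object path>
# The page quotes the short form <bucket>/o/<path>; this regex accepts both, and
# the object path is percent-decoded afterwards (clients send "/" as "%2F").
_OBJECT_RE = re.compile(r"(?P<bucket>[\w-]+\.appspot\.com)/o/(?P<obj>[^?\s\"]+)")

def parse_storage_url(text):
    """Return (bucket, decoded object path) for the first Storage URL in text, or None."""
    m = _OBJECT_RE.search(text)
    if not m:
        return None
    return m.group("bucket"), unquote(m.group("obj"))

def classify_upload(text):
    """Return a finding dict if text references the Catwatchful bucket, else None.
    Path layout is ASSUMED from the one sample URL:
    usersFiles/<account id>/<device id>/<data category>/<file name>."""
    parsed = parse_storage_url(text)
    if parsed is None or parsed[0] != CATWATCHFUL_BUCKET:
        return None
    bucket, path = parsed
    parts = path.split("/")
    if len(parts) < 5 or parts[0] != "usersFiles":
        return {"bucket": bucket, "object": path, "category": "unknown"}
    return {"bucket": bucket, "account": parts[1], "device": parts[2],
            "category": parts[3], "file": "/".join(parts[4:])}

def scan_proxy_log(lines):
    """One finding per log line that talks to the Catwatchful bucket."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify_upload(line)
        if hit:
            hit["line"] = n
            findings.append(hit)
    return findings

# Constructed sample egress log. The first line reuses the identifiers quoted on
# this page, percent-encoded as a Firebase client would send them; the second is
# an unrelated app's bucket and must not be flagged.
SAMPLE_LOG = [
    "2025-06-09T17:04:40Z 10.0.0.23 POST https://firebasestorage.googleapis.com/v0/b/"
    "catwatchful-e03b8.appspot.com/o/usersFiles%2FJIOgo826TPfb0pMFKmzkE7jz9JO2"
    "%2FM6GPYXHZ95ULUFD0%2FmicRecorders%2Fgrab_2025-06-09_17-04-34 200",
    "2025-06-09T17:05:02Z 10.0.0.23 GET https://firebasestorage.googleapis.com/v0/b/"
    "some-other-app.appspot.com/o/avatars%2Fuser1.png 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```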
An attacker can use the information in the database to take over any account.
Daigle shared his findings with TechCrunch security editor Zack Whittaker, who contacted Google on June 23, 2025. Google flagged it via Safe Browsing, while the Firebase team said they were investigating, but the database remained online at that time.
Below is the timeline for this vulnerability:
- 2025-06-09: Vulnerability discovered, Zack (Zack Whittaker is the security editor at TechCrunch) contacted
- 2025-06-23: Zack contacts Google who flag it in Safe Browsing, Firebase team claim they’re looking into it (DB still up as of this writing)
- 2025-06-25: Zack contacts Hosting.com who host catwatchful.pink (site is down by end of day, breaking the service) and individual identified as running the service (no response as of this writing)
- 2025-06-26: Service is restored with catwatchful.pink replaced by xng.vju.temporary.site which is still vulnerable
- 2025-06-27: A WAF goes up on xng.vju.temporary.site, successfully blocking the SQLI
- 2025-07-02: Publication
TechCrunch reported that the presence of Catwatchful can be revealed and uninstalled by dialing “543210” on the infected device.
“This code is a built-in backdoor feature that allows whoever planted the app to regain access to the settings once the app is hidden. This code can also be used by anyone to see if the app is installed,” concludes TechCrunch.
Pierluigi Paganini