Catwatchful Android Spyware Leaks Credentials of 62,000+ Users

A major security lapse has exposed the credentials of over 62,000 users of Catwatchful, a full-featured Android spyware app that openly markets itself as a tool for covert surveillance.

The breach, discovered by a security researcher, highlights the persistent risks posed by stalkerware and the dangers of storing sensitive user data without adequate safeguards.

Catwatchful is an Android application designed to monitor devices without the user’s knowledge. Unlike many similar apps that resell existing spyware platforms, Catwatchful operates its own infrastructure and offers a three-day free trial.

Its marketing materials are unusually explicit, boasting “absolute stealth” and promising that the app is “invisible, undetectable, and cannot be uninstalled or stopped.”

The app’s FAQ even assures potential customers that it can monitor a phone without the owner’s awareness.

The Security Flaw

The researcher’s investigation began with the creation of a test account, which revealed that Catwatchful registers users in both a Firebase instance and a custom backend hosted at catwatchful.pink.

After installing the app, which requests extensive permissions and disguises itself as a system app, the researcher found that all collected data—including photos, audio recordings, and more—was stored in Firebase and managed through a web control panel.

However, the real vulnerability lay in Catwatchful’s custom backend.

The app’s PHP API, used to manage user accounts and devices, was found to be susceptible to a classic SQL injection attack.

By exploiting this flaw, the researcher was able to access the entire user database, including plaintext email addresses and passwords for all 62,000+ accounts.

The exposed database contained not only user credentials but also information linking accounts to monitored devices.

This means that anyone with access to the database could potentially take over any account, access private data, and further compromise the privacy of both the app’s customers and their surveillance targets.
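The two weaknesses described above, a PHP API that builds SQL from user input and a database holding plaintext passwords, are illustrated below with an added example that is not Catwatchful's code. It assumes a `users` table with `email` and `password_hash` columns and uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added illustration, not Catwatchful's code. Assumes a `users` table with
// email and password_hash columns; in-memory SQLite so it runs offline.

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the driver, keeps query text and parameters apart.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
                email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    return $pdo;
}

// Vulnerable pattern: the caller-supplied email is spliced into the SQL
// text, so a quote character in the input changes the query's structure.
function find_user_unsafe(PDO $pdo, string $email): ?array {
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement carries the value as a bound parameter,
// and the password is stored only as a salted bcrypt hash.
function register_user(PDO $pdo, string $email, string $password): void {
    $stmt = $pdo->prepare(
        'INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function verify_login(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Constructed demo data: an address containing a quote is handled as data,
// and a leaked table would expose only bcrypt hashes, not passwords.
$pdo = open_db();
register_user($pdo, "o'brien@example.com", 'correct horse battery');
var_dump(verify_login($pdo, "o'brien@example.com", 'correct horse battery'));
var_dump(verify_login($pdo, "o'brien@example.com", 'wrong password'));
```

The same quoted address passed to `find_user_unsafe` raises a syntax error under `ERRMODE_EXCEPTION`, which is the symptom that usually reveals this class of bug.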

Timeline of Events

  • June 9, 2025: Vulnerability discovered and reported to journalist Zack Whittaker.
  • June 23, 2025: Google flags Catwatchful in Safe Browsing; Firebase team notified.
  • June 25, 2025: Hosting provider takes down catwatchful.pink, temporarily disabling the service.
  • June 26, 2025: Service reappears at a new domain, still vulnerable.
  • June 27, 2025: A web application firewall is deployed, blocking the SQL injection.
  • July 2, 2025: Details of the breach are published.

The Catwatchful breach underscores the inherent risks of stalkerware, not only to those being surveilled but also to the users of such services.

The exposure of thousands of credentials serves as a stark reminder that tools designed for covert surveillance are themselves often poorly secured, putting everyone involved at risk.
