A critical security flaw in a shadowy Android spyware operation called Catwatchful has exposed thousands of people—both the customers using the app and the unsuspecting victims whose phones were being secretly monitored.
The vulnerability, discovered by Canadian security researcher Eric Daigle, effectively spilled Catwatchful’s entire user database onto the open internet. This cache included email addresses and plaintext passwords that customers used to log in and track the stolen data from targeted devices.
Catwatchful presents itself as a “child monitoring app” that claims to be “invisible and cannot be detected.” In reality, it quietly uploads nearly everything from a victim’s phone to a remote dashboard: photos, text messages, call logs, real-time location data—even live audio from the microphone and video from both cameras.
While apps like this are banned from mainstream app stores, they still proliferate because they can be installed manually by someone with physical access to a phone. Known as stalkerware or spouseware, these apps are often used to spy on partners without their knowledge, which is illegal in many countries.
Catwatchful is only the latest example of consumer spyware companies suffering embarrassing—and dangerous—data breaches. This marks at least the fifth such incident this year alone. Despite their claims of discretion, these tools are often plagued by sloppy code and poor security, which can end up exposing not just victims but also the people using the spyware.
According to a copy of the leaked database seen by TechCrunch, Catwatchful had records for more than 62,000 customers and phone data stolen from 26,000 devices. Most victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. Some of the records date back as far as 2018.
The breach also revealed the identity of Catwatchful’s administrator: Omar Soca Charcov, a developer based in Uruguay. Despite opening emails from TechCrunch, Charcov did not respond to questions sent in English and Spanish. We asked whether he was aware of the breach and whether he planned to notify affected customers—but received no reply.
Given the lack of transparency, TechCrunch shared the leaked database with the data breach notification service Have I Been Pwned so victims can learn whether their data was compromised.
Spyware Hosted on Google’s Cloud
Daigle published a blog post detailing how Catwatchful’s apps communicate via a custom API, which every installed spyware instance uses to send stolen data to the servers. Shockingly, this API didn’t even require authentication—anyone online could query it and pull the entire database.
Catwatchful also relied on Firebase, Google’s popular cloud platform for app developers, to store victims’ photos, ambient recordings, and other private information.
When TechCrunch reached out to the hosting provider, the company briefly suspended Catwatchful’s account, taking the spyware offline. But within days, the operation resumed using servers at HostGator. HostGator did not respond to repeated requests for comment.
To confirm these findings, TechCrunch installed Catwatchful on a virtual Android device in a controlled lab environment. Our tests showed the spyware automatically uploaded stolen data to the same Firebase storage instance.
Google spokesperson Ed Fernandez said the company added new protections to Google Play Protect, the Android security feature that scans for malicious apps. From now on, Play Protect will alert users if Catwatchful or its installer is detected on their phone.
When asked whether Catwatchful violated Firebase’s policies, Google told us on June 25 that it was still investigating.
Also Read : ICEBlock App Goes Viral After Criticism from U.S. Attorney General Pam Bondi
