A critical security flaw has compromised the entire customer base of Catwatchful, an Android surveillance application that covertly monitors smartphone users without their knowledge. The vulnerability, identified by Canadian security expert Eric Daigle, laid bare the complete user database containing email credentials and unencrypted passwords of those operating the spyware.

Operating under the guise of parental monitoring software, Catwatchful markets itself as completely undetectable while systematically extracting sensitive information from targeted devices. The application harvests personal photographs, text communications, and continuous location tracking. Furthermore, it possesses capabilities to activate microphones for ambient sound recording and remotely access both front-facing and rear cameras.
These surveillance tools are barred from official app marketplaces, so they must be installed directly on the target device by someone with physical access to it. This characteristic has earned them the designation “stalkerware” or “spouseware,” as they predominantly enable unauthorized monitoring of intimate partners and family members—activities that violate privacy laws.
The Catwatchful incident represents the fifth documented spyware compromise this year, highlighting persistent security deficiencies within the consumer surveillance industry. These operations consistently demonstrate poor coding practices and inadequate security measures, placing both paying users and unwitting targets at risk of data exposure.
Database records from early June reveal the scope of the breach: over 62,000 customer accounts and surveillance data from 26,000 monitored devices. The compromised information spans back to 2018, with the largest numbers of affected devices located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, in descending order.
Administrator Identity Revealed Through Security Lapse
The database breach inadvertently exposed Omar Soca Charcov, a Uruguay-based developer, as the operation’s administrator. Charcov acknowledged receipt of inquiries submitted in both English and Spanish but provided no response regarding the security incident or plans for customer notification.
Technical Infrastructure Exploiting Google Services
Daigle’s investigation revealed that Catwatchful employs a proprietary API system enabling communication between installed applications and command servers. The spyware leverages Google’s Firebase platform for data storage, hosting stolen photographs and audio recordings on Google’s infrastructure.
The API lacked authentication protocols, permitting unrestricted access to the complete customer database from any internet connection. When notified, the original hosting provider terminated the developer’s account, temporarily disrupting operations. However, the service subsequently migrated to HostGator. Company spokesperson Kristen Andrews declined to address questions about hosting surveillance operations.
Following notification of the malware’s existence, Google implemented additional safeguards within Google Play Protect, its security scanning service. The enhanced protection now identifies Catwatchful installations and alerts users to their presence.
Regarding the Firebase hosting arrangement, Google spokesperson Ed Fernandez stated: “All apps using Firebase products must abide by our terms of service and policies. We are investigating this particular issue, and if we find that an app is in violation, appropriate action will be taken. Android users that attempt to install these apps are protected by Google Play Protect.”
Despite ongoing investigation, Catwatchful continues operating on Firebase infrastructure as of publication.
Operational Security Failure Exposes Developer
Spyware operations typically obscure their operators’ identities due to legal and reputational risks associated with facilitating unauthorized surveillance. However, database analysis revealed Charcov’s position as the first entry in system records—a pattern consistent with developers testing applications on personal devices.
The exposed information included Charcov’s complete contact details, phone number, and the specific Firebase instance address housing the surveillance database. His personal email address, matching his LinkedIn profile (subsequently made private), served as the password recovery option for his administrative account, creating a direct connection to the surveillance operation.
Detection and Removal Guidance
Despite claims of permanent installation, Catwatchful can be detected and removed from affected devices. Users should establish safety protocols before attempting removal, as disabling surveillance software may alert the installing party. The Coalition Against Stalkerware provides comprehensive resources for victims and survivors.
Android users can reveal a hidden Catwatchful installation by entering 543210 into the phone application’s dialer and pressing call. This built-in access code, intended to let the person who installed the app reopen it after it has been concealed, will display the application if it is present.
Written by Alius Noreika