Popular Catwatchful app used spyware to obtain the details of more than 62,000 victims. https://t.co/eoJHN7reBm
"Catwatchful is spyware that poses as a child-monitoring app and claims to be "invisible and undetectable", all while uploading the private contents of the victim's phone" https://t.co/Ka2FGu8G5V
Undetectable Android Spyware Backfires, Leaks 62,000 User Logins https://t.co/nYLhWHVPnX
A security lapse has exposed the full user database of Catwatchful, an Android stalkerware application marketed as a child-monitoring tool. Security researcher Eric Daigle found that the app's custom API required no authentication, so anyone on the internet could query Catwatchful's servers. The exposure leaked more than 62,000 customer email addresses and plaintext passwords, along with data siphoned from about 26,000 victim phones: messages, photos, real-time location, and ambient audio and video captured from the phone's microphone and camera. Analysis of the records traced the operation to Uruguay-based developer Omar Soca Charcov, whose personal email address, phone number and LinkedIn profile appeared in the first entries of the breached database.

Catwatchful is not distributed through Google's Play Store and must be installed by hand on the target device, so the operator needs physical access to the phone. After receiving samples of the malware, Google said it had updated Play Protect to warn users when the app or its installer is detected, but the Firebase instance hosting the stolen data remained online while Google investigated possible violations of its terms of service. Web-hosting provider HostGator briefly suspended, then reinstated, the domain serving the spyware.

The incident is the latest in a series of breaches involving consumer-grade spyware, underscoring both the proliferation of such tools and their often shoddy security. Most compromised phones were located in Latin America and India, according to copies of the database reviewed by security researchers.