Security Flaw Exposes Thousands Using Catwatchful Stalkerware on Android

A security vulnerability in the Android spyware Catwatchful has exposed the data of over 62,000 customers and 26,000 victims. The spyware, which disguises itself as a child monitoring app, secretly collects private information such as photos, messages, location, and live audio and camera feeds from targeted phones.

Discovered by security researcher Eric Daigle, the flaw allowed access to Catwatchful’s full customer database, including email addresses and plaintext passwords. The app requires physical access to the target phone for installation and belongs to the banned “stalkerware” category of apps, which are often used for illicit surveillance of partners or spouses.

Most affected devices were in Latin America and India, with some data dating back to 2018. The database also revealed the identity of the spyware’s administrator, Omar Soca Charcov, a developer based in Uruguay, who has not responded to requests for comment.

Catwatchful uses a custom API and Google’s Firebase platform to store stolen data. Daigle found the API lacked authentication, so anyone could access the user data. After notification, the hosting service suspended Catwatchful’s account temporarily, but the API reappeared on a different hosting provider.

TechCrunch verified Catwatchful’s use of Firebase by installing the spyware in a sandboxed environment and capturing network traffic. Google responded by enhancing Google Play Protect to detect and warn users against Catwatchful and said it is investigating potential Firebase policy violations. As of now, the spyware remains hosted on Firebase.

Because of an operational security error, the breach also exposed the personal information of the operator, Charcov, including his email address, phone number, and Firebase instance URL.

Although Catwatchful claims it cannot be uninstalled, its presence can be revealed by dialing 543210 in an Android device’s phone app, which brings up the hidden app if it is installed. Removal guidance and safety planning resources are available from groups such as the Coalition Against Stalkerware.

If you or someone you know is affected, the National Domestic Violence Hotline offers confidential support, and the Coalition Against Stalkerware provides resources for spyware detection and removal.