Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones

A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. 

The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.

Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.

Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.

Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.

According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices.

Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows.

The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers.

Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.

Catwatchful hosting spyware data on Google’s servers

Daigle, a security researcher in Canada who has previously investigated stalkerware abuses, detailed his findings in a blog post. 

According to Daigle, Catwatchful uses a custom-made API, which every one of the planted Android apps relies on to communicate with and send data to Catwatchful’s servers. The spyware also uses Google’s Firebase, a web and mobile development platform, to host and store the victim’s stolen phone data, including their photos and ambient audio recordings.

Daigle told TechCrunch that the API was unauthenticated, allowing anyone on the internet to interact with the Catwatchful user database without needing a login, which exposed the entire Catwatchful database of customer email addresses and passwords. 

When contacted by TechCrunch, the web company hosting the Catwatchful API suspended the spyware developer’s account, briefly blocking the spyware from operating, but the API returned later on HostGator. A spokesperson for HostGator, Kristen Andrews, did not respond to requests for comment regarding the company hosting the spyware’s operations.

TechCrunch confirmed that Catwatchful uses Firebase by downloading and installing the Catwatchful spyware on a virtualized Android device, which allows us to run the spyware in an isolated sandbox without giving it any real-world data, like our location. 

We examined the network traffic flowing in and out of the device, which showed data from the phone uploading to a specific Firebase instance used by Catwatchful to host the victim’s stolen data.

After TechCrunch provided Google with copies of the Catwatchful malware, Google said it added new protections for Google Play Protect, a security tool that scans Android phones for malicious apps, like spyware. Now, Google Play Protect will alert users when it detects the Catwatchful spyware or its installer on a user’s phone.

TechCrunch also provided Google with details of the Firebase instance involved in storing data for the Catwatchful operation. Asked whether the stalkerware operation violates Firebase’s terms of service, Google told TechCrunch on June 25 that it was investigating but would not immediately commit to taking down the operation.

“All apps using Firebase products must abide by our terms of service and policies. We are investigating this particular issue, and if we find that an app is in violation, appropriate action will be taken. Android users that attempt to install these apps are protected by Google Play Protect,” said Ed Fernandez, a spokesperson for Google.

As of publication, Catwatchful remains hosted on Firebase. 

Opsec mistake exposes spyware administrator

Like many spyware operations, Catwatchful does not publicly list its owner or disclose who runs the operation. It’s not uncommon for stalkerware and spyware operators to hide their real identities, given the legal and reputational risks associated with facilitating illegal surveillance.

But an operational security mishap in the dataset exposed Charcov as the operation’s administrator. 

A review of the Catwatchful database lists Charcov as the first record in one of the files in the dataset. (In past spyware-related data breaches, some operators have been identified by early records in the database, as oftentimes the developers are testing the spyware product on their own devices.)

The dataset included Charcov’s full name, phone number, and the web address of the specific Firebase instance where Catwatchful’s database is stored on Google’s servers.

Charcov’s personal email address, found in the dataset, is the same email that he lists on his LinkedIn page, which has since been set to private. Charcov also configured his Catwatchful administrator’s email address as the password recovery address on his personal email account in the event he gets locked out, which directly links Charcov to the Catwatchful operation.

How to remove Catwatchful spyware

While Catwatchful claims it “cannot be uninstalled,” there are ways to detect and remove the app from an affected device.

Before you start, it’s important to have a safety plan in place, as disabling spyware can alert the person who planted it. The Coalition Against Stalkerware does important work in this space and has resources to help victims and survivors.

Android users can detect Catwatchful, even if it is hidden from view, by dialing 543210 into your Android phone app’s keypad and then hitting the call button. If Catwatchful is installed, the app should appear on your screen. This code is a built-in backdoor feature that allows whoever planted the app to regain access to the settings once the app is hidden. This code can also be used by anyone to see if the app is installed.

As for removing the app, TechCrunch has a general how-to guide for removing Android spyware that can help you identify and remove common types of phone stalkerware, and then enable the various settings you need to secure your Android device.

—

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.