{"id":178253,"date":"2025-07-02T14:05:00","date_gmt":"2025-07-02T14:05:00","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/07\/02\/exclusive-data-breach-reveals-catwatchful-stalkerware-is-spying-on-thousands-of-phones\/"},"modified":"2025-07-02T14:05:00","modified_gmt":"2025-07-02T14:05:00","slug":"exclusive-data-breach-reveals-catwatchful-stalkerware-is-spying-on-thousands-of-phones","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/07\/02\/exclusive-data-breach-reveals-catwatchful-stalkerware-is-spying-on-thousands-of-phones\/","title":{"rendered":"Exclusive: Data breach reveals Catwatchful &#8216;stalkerware&#8217; is spying on thousands of phones"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app\u2019s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.<\/p>\n<p class=\"wp-block-paragraph\">Catwatchful is spyware masquerading as a child monitoring app that claims to be \u201cinvisible and cannot be detected,\u201d all the while uploading the victim\u2019s phone\u2019s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims\u2019 photos, messages, and real-time location data. 
The app can also remotely tap into the live ambient audio from the phone\u2019s microphone and access both front and rear phone cameras.<\/p>\n<p class=\"wp-block-paragraph\">Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person\u2019s phone.<strong> <\/strong>As such, these apps are commonly referred to as <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#stalkerware\" target=\"_blank\" rel=\"noreferrer noopener\">\u201cstalkerware\u201d (or spouseware)<\/a> for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.<\/p>\n<p class=\"wp-block-paragraph\">Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is <a href=\"https:\/\/techcrunch.com\/2025\/02\/20\/hacked-leaked-exposed-why-you-should-stop-using-stalkerware-apps\/\" target=\"_blank\" rel=\"noreferrer noopener\">at least the fifth spyware operation this year<\/a> to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.<\/p>\n<p class=\"wp-block-paragraph\">According to a copy of the database from early June, which TechCrunch\u00a0has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims\u2019 devices.<\/p>\n<p class=\"wp-block-paragraph\">Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). 
Some of the records date back to 2018, the data shows.<\/p>\n<p class=\"wp-block-paragraph\">The Catwatchful database also revealed the identity of the spyware operation\u2019s administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers.<\/p>\n<p class=\"wp-block-paragraph\">Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Have I Been Pwned<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-catwatchful-hosting-spyware-data-on-google-s-servers\">Catwatchful hosting spyware data on Google\u2019s servers<\/h2>\n<p class=\"wp-block-paragraph\">Daigle, a security researcher in Canada who <a href=\"https:\/\/techcrunch.com\/2024\/05\/25\/spyware-app-pctattletale-was-hacked-and-its-website-defaced\/\" target=\"_blank\" rel=\"noreferrer noopener\">has previously investigated stalkerware abuses<\/a>, detailed his findings in a <a href=\"https:\/\/ericdaigle.ca\/posts\/taking-over-60k-spyware-user-accounts\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">blog post<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">According to Daigle, Catwatchful uses a custom-made API, which every one of the planted Android apps relies on to communicate with and send data to Catwatchful\u2019s servers. 
The spyware also uses Google\u2019s Firebase, a web and mobile development platform, to host and store the victim\u2019s stolen phone data, including their photos and ambient audio recordings.<\/p>\n<p class=\"wp-block-paragraph\">Daigle told TechCrunch that the API was unauthenticated, allowing anyone on the internet to interact with the Catwatchful user database without needing a login, which exposed the entire Catwatchful database of customer email addresses and passwords.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When contacted by TechCrunch, the web company hosting the Catwatchful API suspended the spyware developer\u2019s account, briefly blocking the spyware from operating, but the API returned later on HostGator. A spokesperson for HostGator, Kristen Andrews, did not respond to requests for comment regarding the company hosting the spyware\u2019s operations.<\/p>\n<p class=\"wp-block-paragraph\">TechCrunch confirmed that Catwatchful uses Firebase by downloading and installing the Catwatchful spyware on a virtualized Android device, which allows us to run the spyware in an isolated sandbox without giving it any real-world data, like our location.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">We examined the network traffic flowing in and out of the device, which showed data from the phone uploading to a specific Firebase instance used by Catwatchful to host the victim\u2019s stolen data.<\/p>\n<p class=\"wp-block-paragraph\">After TechCrunch provided Google with copies of the Catwatchful malware, Google said it added new protections for <a rel=\"nofollow noopener\" href=\"https:\/\/support.google.com\/googleplay\/answer\/2812853?hl=en\" target=\"_blank\">Google Play Protect<\/a>, a security tool that scans Android phones for malicious apps, like spyware. 
Now, Google Play Protect will alert users when it detects the Catwatchful spyware or its installer on a user\u2019s phone.<\/p>\n<p class=\"wp-block-paragraph\">TechCrunch also provided Google with details of the Firebase instance involved in storing data for the Catwatchful operation. Asked whether the stalkerware operation violates Firebase\u2019s terms of service, Google told TechCrunch on June 25 that it was investigating but would not immediately commit to taking down the operation.<\/p>\n<p class=\"wp-block-paragraph\">\u201cAll apps using Firebase products must abide by our terms of service and policies. We are investigating this particular issue, and if we find that an app is in violation, appropriate action will be taken. Android users that attempt to install these apps are protected by Google Play Protect,\u201d said Ed Fernandez, a spokesperson for Google.<\/p>\n<p class=\"wp-block-paragraph\">As of publication, Catwatchful remains hosted on Firebase.\u00a0<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-opsec-mistake-exposes-spyware-administrator\">Opsec mistake exposes spyware administrator<\/h2>\n<p class=\"wp-block-paragraph\">Like many spyware operations, Catwatchful does not publicly list its owner or disclose who runs the operation. 
It\u2019s <a href=\"https:\/\/techcrunch.com\/2023\/07\/20\/thetruthspy-stalkerware-forged-passports-millions\/\" target=\"_blank\" rel=\"noreferrer noopener\">not uncommon for stalkerware and spyware operators to hide their real identities<\/a>, given the legal and reputational risks associated with facilitating illegal surveillance.<\/p>\n<p class=\"wp-block-paragraph\">But an <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#operational-security\" target=\"_blank\" rel=\"noreferrer noopener\">operational security<\/a> mishap in the dataset exposed Charcov as the operation\u2019s administrator.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">A review of the Catwatchful database lists Charcov as the first record in one of the files in the dataset. (In past spyware-related data breaches, some operators have been identified by early records in the database, as oftentimes the developers are testing the spyware product on their own devices.)<\/p>\n<p class=\"wp-block-paragraph\">The dataset included Charcov\u2019s full name, phone number, and the web address of the specific Firebase instance where Catwatchful\u2019s database is stored on Google\u2019s servers.<\/p>\n<p class=\"wp-block-paragraph\">Charcov\u2019s personal email address, found in the dataset, is the same email that he lists on his LinkedIn page, which has since been set to private. 
Charcov also configured his Catwatchful administrator\u2019s email address as the password recovery address on his personal email account in the event he gets locked out, which directly links Charcov to the Catwatchful operation.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-how-to-remove-catwatchful-spyware\">How to remove Catwatchful spyware<\/h2>\n<p class=\"wp-block-paragraph\">While Catwatchful claims it \u201ccannot be uninstalled,\u201d there are ways to detect and remove the app from an affected device.<\/p>\n<p class=\"wp-block-paragraph\">Before you start, it\u2019s important to have <a href=\"https:\/\/stopstalkerware.org\/resources\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a safety plan in place<\/a>, as disabling spyware can alert the person who planted it. The <a href=\"https:\/\/stopstalkerware.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Coalition Against Stalkerware<\/a> does important work in this space and has resources to help victims and survivors.<\/p>\n<p class=\"wp-block-paragraph\">Android users can detect Catwatchful, even if it is hidden from view, by dialing <strong>543210<\/strong> into your Android phone app\u2019s keypad and then hitting the call button. If Catwatchful is installed, the app should appear on your screen. This code is a built-in <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#backdoor\" target=\"_blank\" rel=\"noreferrer noopener\">backdoor feature<\/a> that allows whoever planted the app to regain access to the settings once the app is hidden. 
This code can also be used by anyone to see if the app is installed.<\/p>\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-4 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"1007\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg\" alt=\"a screenshot showing the Catwatchful stalkerware app, which can be forced to appear by tapping &quot;543210&quot; into an affected Android phone's app keypad.\" class=\"wp-image-3024003\" style=\"width:400px\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg 500w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=74,150 74w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=149,300 149w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=338,680 338w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=214,430 214w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=357,720 357w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=447,900 447w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=397,800 397w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=332,668 332w, 
https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=186,375 186w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=306,617 306w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=264,531 264w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/07\/catwatchful-backdoor-code-2-remove.jpg?resize=25,50 25w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"\/><figcaption class=\"wp-element-caption\"><span class=\"wp-block-image__credits\"><strong>Image Credits:<\/strong> TechCrunch<\/span><\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">As for removing the app, TechCrunch has a <a href=\"https:\/\/techcrunch.com\/2022\/02\/22\/remove-android-spyware\/\" target=\"_blank\" rel=\"noreferrer noopener\">general how-to guide for removing Android spyware<\/a> that can help you identify and remove common types of phone stalkerware, and then enable the various settings you need to secure your Android device.<\/p>\n<p class=\"has-text-align-center wp-block-paragraph\">\u2014<\/p>\n<p class=\"wp-block-paragraph\"><em>If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24\/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. 
The<\/em> <a href=\"https:\/\/stopstalkerware.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><em>Coalition Against Stalkerware<\/em><\/a><em> has resources if you think your phone has been compromised by spyware.<\/em><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2025\/07\/02\/data-breach-reveals-catwatchful-stalkerware-spying-on-thousands-android-phones\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator.\u00a0 The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app\u2019s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":178254,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-178253","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/178253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=178253"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/178253\/revisions"}],"wp:featuredmedia":[{"
embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/178254"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=178253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=178253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=178253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}