Catwatchful is an app that claims to be a “child monitoring app” but is, in actuality, a spyware app that acts invisibly on phones to send a victim’s data back to a dashboard viewable by the person who downloaded it.
Also called ‘stalkerware’ this app experienced a data breach via a security flaw that exposed both the email addresses and passwords of thousands of customers – and the phone data of thousands of victims.
Security researcher Eric Daigle reported in a blog post that a vulnerability revealed the spyware app's full database of email addresses and plaintext passwords for more than 62,000 customers and phone data from 26,000 victims.
Additionally, as reported by TechCrunch, the administrator of the Catwatchful operator was also exposed in the breach. The compromised devices were from (in order of victim numbers) Mexico, Colombia, India, Peru and Argentina among others.
The Catwatchful app uploads a victim’s phone contents to a dashboard, which is viewable by the person who secretly installed the app, which includes a concerning amount of data such as photos, messages, access to front and rear cameras, microphone access and real time location data.
This presents an obvious security risk to the victim – stalkerware and spyware apps are non-consensual surveillance apps that are frequently used against domestic and romantic partners in ways that violate laws which is exactly why these types of apps are banned and need to be downloaded by someone who has direct physical access to the phone.
Catwatchful is not the first spyware app to suffer a data breach; according to TechCrunch, it's at least the fifth this year – a clear indication that consumer grade spyware offerings are spreading more widely even though what they are offering is “shoddy codding and security failings that expose both paying customers and unsuspecting victims to data breaches.”
According to Daigle, the Catwatchful API was unauthenticated which is what allowed anyone on the open internet to interact with the user database without a login; the whole database of email addresses and passwords were exposed. While the API was briefly taken down, it was then back up again. Google is apparently investigating the Firebase involvement but has added protections that enable Google Play Protect to alert users when it detects Catwatchful spyware or its installer on a user's phone.
How to stay safe from spyware
Catwatchful claims it cannot be uninstalled, however, there are still things that can be done. First, as with any spyware or stalkerware, have a safety plan in place. Disabling this type of software can potentially alert the person who installed it in the first place, so always protect yourself first. If you're looking for additional resources, you might want to contact the Coalition Against Stalkerware.
Android users who suspect they have Catwatchful installed can dial 543210 on their device's keypad and hit call. If its installed, it should appear on the screen - this code is a backdoor feature to regain access to the settings once the app has been hidden but it also shows if the app is installed, so if you use it you may also ping the person who installed it.
Next steps: Make sure Google Play Protect is enabled, and check the permissions sections of your phone. If you don’t recognize the apps that have permissions that should be a clear warning sign, particularly accessibility services. Check your Android device’s app list and remove anything you didn’t approve or don’t recognize.
Also make sure you have a lock screen enabled and protect your accounts using two-factor authentication whenever possible to prevent anyone from accessing them easily. For added security, the best Android antivirus apps can help provide you with additional protection like a VPN and identity theft protection.
Spyware and stalkerware are very real threats that need to be taken extra seriously as they typically aren't installed on your phone by hackers but by someone you know. This breach is certainly concerning for those affected by it but it also serves as a wakeup call and a reminder of the threat posed by these types of apps.
More from Tom's Guide
- 6 million hit in major airline data breach — everything you need to know
- Over half a million people impacted by major data breach — full names, SSNs, financial data and more exposed
- FBI warns scammers are posing as fraud investigators to steal sensitive healthcare info — what you need to know
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
