A serious security vulnerability in the Android spyware operation Catwatchful has exposed its entire database of more than 62,000 customer accounts, including plaintext passwords and email addresses, according to a security researcher who discovered the breach in June 2025.
Canadian cybersecurity researcher Eric Daigle uncovered the flaw through a SQL injection attack that allowed him to extract the entire user database from the stalkerware service.
The breach also exposed data from roughly 26,000 victims whose phones were being monitored without their knowledge.
Critical Security Flaw in “Undetectable” Spyware
Catwatchful marketed itself as completely invisible surveillance software, boasting that it “cannot be detected” and “cannot be uninstalled.” The service’s backend, however, proved far less secure than its marketing claims suggested.
The vulnerability stemmed from an unauthenticated PHP API endpoint that was susceptible to SQL injection. Despite running a hybrid architecture that used Google’s Firebase platform to store stolen victim data, Catwatchful maintained a separate MySQL database of user credentials that lacked basic security protections.
Catwatchful Exposes Credentials
The leaked database revealed that Catwatchful had been operating since at least 2018, with victims located primarily in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia.
The spyware collected comprehensive personal data, including photos, text messages, call logs, and location data, and could remotely activate a device’s camera and microphone.
The breach also exposed the identity of the operation’s administrator, Omar Soca Charcov, a Uruguay-based developer who did not respond to disclosure requests from journalists.
Catwatchful employed a sophisticated dual-server system. User registration triggered account creation both in Google Firebase and in a custom database hosted on catwatchful.pink. While Firebase provided robust security for the stored victim data, the custom server handling user authentication was completely vulnerable.
Daigle found that the service’s API calls were entirely unauthenticated, allowing anyone to access device information using simple parameters.
When he tested for SQL injection using automated tools, he identified both time-based blind and union-based injection points that allowed full extraction of the database.
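The two defects the article names, an endpoint that never checks who is calling and a query built by splicing the caller's string into SQL, are easy to see side by side in code. The following is an added illustration written for this page, not Catwatchful's code, and it assumes a hypothetical `accounts` table, a constructed set of rows and a constructed API token; it uses SQLite in place of MySQL so it runs offline.

```python
import hmac
import sqlite3

# Constructed sample data: a toy "accounts" table standing in for the kind
# of credential store the article describes (hypothetical schema).
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed API token; in a real service this would be a per-session secret.
VALID_TOKEN = "constructed-session-token"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The defect class in the article: the caller's string is spliced into the
    SQL text, so the input can change the query's structure, not just a value."""
    query = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised form: the driver binds the value and the query shape is
    fixed, so whatever the caller sends is compared as data only."""
    query = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def handle_request(conn: sqlite3.Connection, token: str, username: str):
    """Hardened endpoint: reject unauthenticated callers before touching the
    database, then use the parameterised lookup. Returns None when the token
    does not match (constant-time comparison to avoid timing leaks)."""
    if not hmac.compare_digest(token, VALID_TOKEN):
        return None
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    # Constructed input that turns the WHERE clause into an always-true test.
    tautology = "x' OR '1'='1"
    print("unsafe lookup:", lookup_unsafe(db, tautology))   # every row comes back
    print("safe lookup:  ", lookup_safe(db, tautology))     # no row matches
    print("no token:     ", handle_request(db, "", "alice"))  # None
    print("with token:   ", handle_request(db, VALID_TOKEN, "alice"))
```

The point of the contrast is that the parameterised query returns nothing for the tautology input because the driver treats the whole string as a username to compare against, while the concatenated query hands back every account. The authentication check in `handle_request` addresses the separate problem the article describes, an API that anyone could call; both fixes are needed, since a parameterised query still serves data to any caller if the endpoint itself is open.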
This incident is the fifth major stalkerware breach in 2025 alone, highlighting systemic security failures across the surveillance software industry. Earlier breaches exposed millions of victim records from services including SpyX, Cocospy, Spyic, and Spyzie.
The pattern shows that while these services collect highly sensitive personal data, they consistently fail to implement basic cybersecurity measures to protect either their customers or their victims.
Following responsible disclosure, TechCrunch contacted various service providers. The hosting company temporarily suspended Catwatchful, though the service later migrated to HostGator. Google added Catwatchful to its Play Protect detection system but has not yet disabled the Firebase instance storing victim data.
Security experts note that Android users can detect Catwatchful by dialing “543210” on their device, which triggers a built-in backdoor that reveals the hidden application.
The exposed credentials have been added to the Have I Been Pwned breach notification service, allowing affected users to check whether their accounts were compromised.
This breach highlights the inherent risks of stalkerware operations, illustrating that these illicit surveillance tools pose a threat to both perpetrators and victims because of inadequate security practices and insufficient data protection.