


Data Breach Reveals Catwatchful 'Stalkerware' Is Spying On Thousands of Phones (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. [...] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices.
Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned. The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords.
The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful.
While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a general how-to guide for removing Android spyware that could be helpful.
English and Spanish? (Score:2)
Why didn't they send the questions in Russian and Ukrainian?
Master of evading detection! (Score:3)
So he leaves "send read receipts" on, or did he forget to block remote images in messages?
Re: Master of evading detection! (Score:4, Interesting)
Either that or his email server fetches all images regardless of whether the email was read. This is increasingly common now. I looked in my work spam digest once and some sales derp was asking why I wasn't responding to his emails even though I supposedly "read them twice".
And yeah, vendors really get aggressive, especially if you're a well known company. Even if you barely do any business with them at all, they like to tell other potential marks that you're their customer in order to build rapport.
Re: (Score:2)
And yeah, vendors really get aggressive, especially if you're a well known company.
They throw all sorts of B.S. sales tactics at you even if you're not. I work for a small consulting & software development house in St. Louis, and when I actually look at my spam folder I see everything from the passive-aggressive ("Hey, is there someone else I should be talking to at your company? Clearly you're not responding to my pitch so now I expect you to do my research for me.") to the faux-pitiful ("I've tried so hard, Mr. Fisher, this is my seventeenth email this week (crying emoji) and I gues
Not sure what the complaint is about. (Score:2)
You install spyware on your phone and complain that it is spying?
GTFO.
Paging Dr. Tutone. (Score:2)
While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app.
Seriously?
Next thing you know you’ll be telling me to call 867-5309. I’ll bet that bitch Jenny can uninstall it.
No iOS Support? (Score:4, Insightful)
Why can't I get this in the App Store? Damn that walled garden.
/snark
plain text passwords? ??? (Score:1)
full database of email addresses and plaintext passwords
Why would anyone have plaintext passwords lying around unless they were an idio....
Oh wait, never mind.
Biggest takeaway for me ... (Score:2)
... is that HostGator still exists in 2025.
Other than SurveyMonkey, whose childish name somehow continues to persist in a professional world [research-live.com], I thought all the [technology_function + name_of_animal] providers had gone the way of the BankruptcyDodo long ago.
Sensationalize much? (Score:3)
26,000 phones over the last 7 years - yeah, this looks like a serious Android vulnerability and not the result of idiots clicking links in spam emails and doing whatever the resulting website tells them.
A security vulnerability in a stealthy Android spyware operation...
The stalkerware operation uses a custom API and Google's Firebase...the API was left unauthenticated
A security breach in a secret Ford terrorist operation
The terrorists used a nuclear bomb and a Ford truck...the nuke was left unguarded.