Catwatchful Data Breach: 'Stalkerware' Spies on Thousands

Android Spyware Operation 'Catwatchful' Exposed in Data Breach
A significant security flaw within the Android spyware operation known as Catwatchful has resulted in the exposure of thousands of its users, including the system's administrator.
Database Leak Reveals Customer Credentials
The vulnerability, identified by security researcher Eric Daigle, exposed Catwatchful’s complete database. This database contained the email addresses and plaintext passwords that customers used to access data harvested from targeted devices.
How Catwatchful Operates
Catwatchful functions as spyware, deceptively marketed as a child monitoring application. It boasts being “undetectable,” while secretly uploading a victim’s private phone data to a dashboard accessible by the individual who installed the app.
The compromised data encompasses victims’ photos, text messages, and real-time location information. Furthermore, the application possesses the capability to remotely activate the phone’s microphone for live audio recording and access both the front and rear-facing cameras.
The Problem of 'Stalkerware'
Applications like Catwatchful are prohibited from official app stores and necessitate direct installation by someone with physical access to the target device. Consequently, these apps are frequently categorized as “stalkerware” – or sometimes “spouseware” – due to their common use in facilitating unauthorized surveillance, often in domestic situations, which is frequently illegal.
A Growing Trend of Spyware Breaches
Catwatchful represents the latest instance in a concerning pattern of stalkerware operations being compromised, breached, or otherwise having their collected data exposed. This marks at least the fifth spyware operation this year to suffer a data spill.
This incident underscores the continued proliferation of consumer-level spyware, which often exhibits poor coding practices and security vulnerabilities, putting both paying customers and unsuspecting victims at risk of data breaches.
Scale of the Data Breach
A database copy reviewed by TechCrunch, dated early June, indicates that Catwatchful held email addresses and passwords for over 62,000 customers. Data from more than 26,000 victim devices was also present within the leak.
Geographic Distribution of Victims
The majority of affected devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, listed in order of the number of victims impacted. Records within the database extend back to 2018.
Administrator Identified
The Catwatchful database also revealed the identity of the spyware operation’s administrator: Omar Soca Charcov, a developer based in Uruguay.
While Charcov acknowledged receipt of our inquiries, sent in both English and Spanish, he did not provide any response. TechCrunch specifically asked if he was aware of the data breach and whether he intended to inform his customers.
Data Breach Notification
Given the lack of communication from Charcov regarding disclosure, TechCrunch shared a copy of the Catwatchful database with Have I Been Pwned, a data breach notification service.
Catwatchful Spyware: Data Storage on Google Servers Revealed
A security researcher based in Canada, previously involved in investigations concerning stalkerware misuse, has published a detailed report on their recent discoveries.
The researcher, Daigle, indicates that Catwatchful employs a uniquely designed API. This API serves as the communication pathway for all Android applications deployed by the spyware, facilitating data transmission to Catwatchful’s servers.
Furthermore, the spyware uses Google’s Firebase, a platform for web and mobile application development, to host and store data illicitly obtained from victims. This includes sensitive information such as photographs and ambient audio recordings.
Unsecured API Access
Daigle communicated to TechCrunch that the API lacked authentication protocols. This critical flaw permitted unrestricted access to the Catwatchful user database from any internet connection, bypassing the need for login credentials.
Consequently, the entire Catwatchful database, containing customer email addresses and passwords, was exposed.
HostGator's Response and Subsequent Reappearance
Upon notification by TechCrunch, the company initially hosting the Catwatchful API suspended the developer’s account. This action temporarily disrupted the spyware’s functionality.
However, the API was later reinstated on HostGator. Despite repeated requests, a spokesperson for HostGator, Kristen Andrews, offered no comment regarding their continued hosting of the spyware’s operations.
Verification of Firebase Usage
TechCrunch independently verified Catwatchful’s utilization of Firebase. This was achieved by installing the spyware on a virtualized Android device.
This isolated environment allowed for the spyware’s operation without access to real-world data, such as location information. Network traffic analysis confirmed the upload of data to a specific Firebase instance utilized by Catwatchful for storing stolen victim data.
Google's Actions and Ongoing Investigation
Following the provision of Catwatchful malware samples to Google, the company announced the implementation of enhanced protections within Google Play Protect.
Google Play Protect, a security tool that scans Android devices for malicious applications, including spyware, will now alert users upon detection of Catwatchful spyware or its installation package.
TechCrunch also shared details regarding the Firebase instance involved in data storage with Google. Google acknowledged a potential violation of Firebase’s terms of service and initiated an investigation on June 25th, but refrained from an immediate commitment to dismantle the operation.
“All applications utilizing Firebase products are required to adhere to our terms of service and policies. We are currently investigating this specific case, and appropriate measures will be taken if any violations are identified. Android users attempting to install these applications are safeguarded by Google Play Protect,” stated Ed Fernandez, a Google spokesperson.
Current Status
As of the time of this report, Catwatchful continues to be hosted on Firebase.
- Stalkerware: Catwatchful is categorized as a form of stalkerware.
- API: The spyware relies on a custom-made API for communication.
- Firebase: Google’s Firebase platform is used for data storage.
- Google Play Protect: Google has updated its security tool to detect Catwatchful.
Spyware Administrator Uncovered Due to Opsec Failure
Many spyware operations, such as Catwatchful, deliberately avoid publicly identifying their owners or operators. Concealing true identities is a common practice among those involved in stalkerware and spyware, considering the potential legal ramifications and damage to reputation associated with enabling unlawful monitoring.
However, an operational security (opsec) oversight within the data revealed Charcov as the individual administering the operation.
Examination of the Catwatchful database revealed Charcov listed as the initial entry in a specific file within the dataset. This mirrors previous instances of data breaches related to spyware, where operators were identified through early records – often resulting from developers testing the spyware on their own equipment.
The exposed data contained Charcov’s complete name, phone number, and the URL for the Firebase instance hosting Catwatchful’s database on Google servers.
Further investigation showed that Charcov’s personal email address, present in the dataset, corresponds to the address listed on his LinkedIn profile, which has now been made private. Critically, Charcov also designated his Catwatchful administrator email as the recovery address for his personal email account, establishing a direct connection between him and the Catwatchful operation.
Removing Catwatchful Spyware: A Comprehensive Guide
Despite claims that it cannot be uninstalled, methods exist to identify and remove the Catwatchful application from compromised devices.
Prior to initiating the removal process, establishing a safety protocol is crucial. Disabling spyware can potentially notify the individual who installed it. The Coalition Against Stalkerware offers valuable assistance and resources for individuals affected by such intrusions.
Detecting Catwatchful on Android Devices
Android users can ascertain the presence of Catwatchful, even when concealed, by entering the code 543210 via the dialer application and initiating a call. If the spyware is present, it will become visible on the screen.
This code functions as a pre-programmed backdoor, granting the installer re-entry to the application’s settings after it has been hidden. Anyone can utilize this code to verify if the app is installed on a device.
Removing Catwatchful and Securing Your Device
For guidance on removing spyware from Android devices, a general how-to guide provided by TechCrunch can be helpful. This resource assists in identifying and removing prevalent forms of phone stalkerware.
Furthermore, it details the necessary settings adjustments to enhance the security of your Android device.
- Identify the spyware using the detection method.
- Follow the TechCrunch guide for removal steps.
- Reinforce your device’s security settings.
It’s important to remember that complete removal may require multiple steps and a thorough review of device settings.
—
If you require assistance, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support to those experiencing domestic abuse. In emergency situations, please dial 911. The Coalition Against Stalkerware provides resources for individuals suspecting spyware compromise.