Source: JND

A malicious Android stalkerware application known as Catwatchful has reportedly suffered a sweeping security breach that leaked personal information, including more than 62,000 email addresses and passwords, among them eventually those of the app's own administrator. The flaw was initially discovered by Canadian security researcher Eric Daigle, whose investigation revealed that user credentials were being stored in clear text.

Catwatchful, a fake parental control application, secretly steals large amounts of personal information from targeted Android phones. Once installed, it uploads that data to a remote online dashboard visible only to the person who installed the spyware. The application records photos, calls, passwords, and location data in real time, and can even capture ambient audio via the device's microphone and access the front and back cameras.


What makes Catwatchful particularly insidious is its claim to be completely undetectable. According to the app’s own developer:

“Catwatchful is invisible. It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you access the information it collects.”

Unlike many Android spyware tools, Catwatchful operates on a custom-built infrastructure and even offers a three-day free trial—a rarity in the stalkerware ecosystem. The app isn’t available on the Google Play Store, requiring users to sideload it onto a device, which means physical access is typically necessary for installation.

Eric Daigle began investigating Catwatchful by signing up for a free trial account. During this process, he noticed something unusual—his data was being stored in two separate locations, one of which was hosted on a domain called catwatchful.pink. Once installed, the app requested extensive permissions and disguised itself as a system app, making it nearly impossible for victims to detect.

All the collected data was stored in Firebase, and users accessed it via a web-based control panel. However, the custom backend system that powered Catwatchful’s service was left wide open to an SQL injection vulnerability.

Using this flaw, Daigle was able to access the entire user database, uncovering not only the email addresses and passwords of the people using Catwatchful to spy on others but also data from the devices being monitored.

According to TechCrunch, most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia, listed in descending order of the number of affected users. Alarmingly, some of the leaked records date back to 2018, which suggests that Catwatchful has been actively operating and harvesting user information for at least seven years.


This incident raises serious questions about user privacy and about the long-term operation of surveillance apps that tend to fly under the radar. The affair also highlights the broader threat of stalkerware: software that is not only unethical and invasive but also dangerously insecure.