Catwatchful, a hidden Android spyware app marketed for “child monitoring,” suffered a massive security breach that exposed 62,000 customer accounts and private data from 26,000 victim devices. Security researcher Eric Daigle discovered the vulnerability that spilled email addresses, plaintext passwords, photos, messages, and location data from phones across seven countries. The breach represents the fifth stalkerware data exposure in 2025 alone, highlighting persistent security failures in an industry built on surveillance.
Your Phone Could Be Compromised Without You Knowing
Catwatchful operates like digital poison — invisible to victims but deadly effective for surveillance. The app hides completely from Android home screens while secretly uploading your photos, text messages, call logs, and real-time location to a web dashboard controlled by whoever planted it.
During testing, Daigle found the spyware could even activate your phone’s microphone and camera remotely, capturing ambient audio and taking photos without any visible indication. The surveillance extends to WhatsApp messages, browser history, and deleted content that victims assume disappeared forever.
Unlike legitimate parental control apps, Catwatchful requires manual installation outside the Google Play Store. Someone needs physical access to your unlocked phone to weaken security settings and install the malware. The app’s marketing boasted about being “invisible and undetectable,” promising users “absolute stealth” surveillance capabilities.
Most compromised devices were in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. Some surveillance records dated back to 2018, suggesting years of undetected spying on unsuspecting victims.
The Security Disaster That Exposed Everyone
Daigle discovered Catwatchful’s API was completely unauthenticated, allowing anyone online to access the entire customer database without logging in. The vulnerability exposed not just victim data but also revealed the operation’s administrator: Omar Soca Charcov, a developer based in Uruguay. Charcov failed to respond to requests for comment sent in both English and Spanish.
The breach spilled customer credentials stored in plaintext, meaning passwords weren’t encrypted or protected. Catwatchful used Google’s Firebase platform to store stolen victim data, potentially violating Firebase’s terms of service. After TechCrunch contacted Charcov about the breach without a response, they provided the compromised database to Have I Been Pwned breach notification service.
Daigle noted that, unlike many stalkerware apps cobbled together from abandoned code, Catwatchful worked smoothly with minimal latency. The live photo and microphone feature functioned “near-instantly” without alerting victims to surveillance activity.
How to Detect This Specific Threat
Android users can check for Catwatchful by dialing 543210 into their phone’s keypad and hitting call. This built-in backdoor will reveal the app even when hidden from view. The code was designed to help stalkers regain access to settings, but victims can use it for detection.
“The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them,” explained cybersecurity experts tracking the stalkerware epidemic.
Your best defense combines vigilance with technical knowledge. Check your phone’s battery usage for suspicious background activity, monitor data consumption for unexplained spikes, and watch for performance issues that suggest hidden processes running constantly.
Catwatchful joins a growing list of compromised surveillance operations that prioritize profit over security. When spyware companies cut corners on basic protections, they endanger paying customers and innocent victims. The message is clear: surveillance apps marketed in the shadows rarely deliver the security they promise their users.
