Undetectable Android Spyware Catwatchful Exposes Over 62,000 User Credentials

A serious security flaw in Catwatchful, an Android spyware disguised as parental control software, has exposed the login details of more than 62,000 users, according to security researcher Eric Daigle.

Catwatchful allows its users to remotely monitor a victim’s device in real time, including accessing microphones, cameras, photos, videos, chat logs, and GPS location data. The spyware operates stealthily in the background, remaining invisible to the device’s owner and preventing easy removal.

Although marketed as a parental control app, Catwatchful’s developers openly advertise its undetectable nature. They claim the app runs invisibly and undetected, offering hidden, stealth monitoring capabilities.

When a user registers, they receive a pre-configured APK file containing their credentials, which requires physical access to the target device to install. Once installed, the spyware activates its full range of monitoring features.

However, upon examining Catwatchful’s infrastructure, the researcher found that the system was vulnerable to SQL injection. This allowed unauthorized access to the Firebase database that stores all the personal data collected by the spyware.

The leaked data included plaintext usernames and passwords for all 62,050 Catwatchful accounts, along with details linking accounts to specific devices and administrative tracking information. This exposed data could allow attackers to hijack any Catwatchful account.

The breach also revealed personal information about the operation’s administrator, Omar Soca Charcov, based in Uruguay, including his phone number, email address, and the location of the Firebase database.

In response, Google enhanced its Play Protect service to warn users if Catwatchful is detected on their devices. The hosting provider of Catwatchful’s API suspended the account behind the spyware, but the API was subsequently moved to another provider.

Currently, the Firebase database remains accessible as Google investigates whether its presence violates company policies.

Despite the developers’ claim that it is undetectable, Android users can check for Catwatchful’s presence by dialing “543210” on their phone. This built-in backdoor triggers the spyware to reveal itself, allowing users to uninstall it.

Source: https://www.securityweek.com/undetectable-android-spyware-backfires-leaks-62000-user-logins/