A CatWatchful Android stalkerware database was breached by a researcher last month, revealing the emails and passwords of thousands of users.

CatWatchful, which markets itself as a service for parents to monitor their children, allows users to install a hidden app on their target’s device and gain access to the target’s photos, texts, calls, location data, camera, microphone and more.

Security researcher Eric Daigle investigated the service in June and summarized his findings in a blog post Wednesday. He found that the service transmitted user account data and victim surveillance data to both a Google Firebase instance and a database hosted at the domain “catwatchful[.]pink.”

The latter was found to have a vulnerable endpoint, servicios.php, that accepts unauthenticated requests and does not sanitize input passed via the imei parameter. Using sqlmap, Daigle confirmed that a non-blind UNION-based SQL injection through this parameter could be used to retrieve the entire database from the catwatchful[.]pink server.

The exposed database listed, in plaintext, the login emails and passwords of CatWatchful’s more than 62,000 users, dating back to 2018. TechCrunch Security Editor Zack Whittaker, who helped Daigle contact Google and catwatchful[.]pink’s hosting service, reported that the database also included phone data from about 26,000 of the stalkerware’s victims.

The first entry in one of the database tables revealed CatWatchful’s administrator to be a Uruguay-based developer named Omar Soca Charcov.

Infected devices were found to be located mostly in Mexico, India and several South American countries, including Colombia, Peru and Argentina.

After being contacted by Whittaker, Google added protection against CatWatchful to its Google Play Protect tool, meaning users will be alerted if the app is installed on their phone, and said it would investigate CatWatchful’s Firebase instance, Daigle and Whittaker said.

The catwatchful[.]pink site was taken down by Hosting.com on June 25 but reappeared at the URL xng[.]vju[.]temporary[.]site the next day, and a web application firewall was added soon after to block further SQL injection, according to Daigle. The site is now hosted by HostGator, Whittaker reported.

Daigle’s research also revealed a backdoor feature that enables anyone to find and remove the CatWatchful stalkerware by dialing 543210 on their Android phone app, but Whittaker’s report noted that this could alert the person who installed it and should be done with a safety plan in mind.

CatWatchful is not the first mobile surveillance app to be breached this year. In March, a vulnerability in the now-defunct Cocospy, Spyic and Spyzie stalkerware apps exposed about 3.2 million customer email addresses along with sensitive information from victims’ devices. The SpyX stalkerware operation was also breached last year, with nearly 2 million account records stolen.
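The defect described above for servicios.php, an imei parameter concatenated straight into a query, is the textbook shape of a UNION-based injection. The following is an added illustration, not code from CatWatchful or from Daigle's research: a constructed in-memory SQLite schema standing in for a device table and a plaintext-credential user table, a lookup written the unsafe way beside a parameterised one, and a probe value showing what each returns. All table names, columns and rows are invented.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the two kinds of data the article says the
    # database held: device records keyed by IMEI, and user credentials
    # stored in plaintext. Every row here is invented sample data.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE devices (imei TEXT, label TEXT);
        CREATE TABLE users (email TEXT, password TEXT);
        INSERT INTO devices VALUES ('356938035643809', 'device-a');
        INSERT INTO users VALUES ('alice@example.invalid', 'hunter2');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, imei: str) -> list:
    # Mirrors the reported defect: the imei value is spliced into the SQL
    # text, so a quote in the input closes the string literal and whatever
    # follows is parsed as SQL rather than compared as data.
    sql = f"SELECT imei, label FROM devices WHERE imei = '{imei}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, imei: str) -> list:
    # Parameterised query: the driver binds the value separately from the
    # SQL text, so the input is only ever compared against the imei column
    # and can never change the shape of the statement.
    sql = "SELECT imei, label FROM devices WHERE imei = ?"
    return conn.execute(sql, (imei,)).fetchall()


# A two-column UNION probe of the kind the article says sqlmap confirmed.
# Against the vulnerable lookup it returns rows from the users table;
# against the hardened lookup it is just an IMEI that matches nothing.
UNION_PROBE = "' UNION SELECT email, password FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PROBE))
    print("hardened:  ", lookup_hardened(db, UNION_PROBE))
```

Binding parameters is the fix for the injection itself; the plaintext password storage the article describes is a separate defect that parameterisation does nothing about.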
Application security, Data Security, Breach, Privacy

CatWatchful stalkerware breach reveals 62K users, 26K victims


SC Media's daily must-read of the most current and pressing daily news