Security flaw highlights the ongoing risks of consumer-grade spying apps—and the need for greater public awareness.
A covert Android application called Catwatchful, marketed as an “invisible” child-monitoring tool, has suffered a major data breach that laid bare the email addresses and plaintext passwords of more than 62,000 paying customers and leaked stolen data from at least 26,000 victims’ phones. The discovery, first reported by TechCrunch and attributed to security researcher Eric Daigle, shows that Catwatchful’s unauthenticated programming interface allowed anyone on the internet to query its entire user database. Most victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador and Bolivia.
Catwatchful is best described as stalkerware: consumer spyware that must be installed manually on a target’s handset and then operates in secret, siphoning off photos, messages, real-time location data and even live microphone and camera feeds to a web dashboard controlled by the perpetrator. Although such apps are banned from official app stores, their availability via third-party sites continues to fuel intimate-partner surveillance and other forms of tech-enabled abuse.
The leaked database also exposed the identity of the app’s administrator, Omar Soca Charcov, a developer based in Uruguay who has so far declined to comment on the breach. Catwatchful is at least the fifth stalkerware service this year to suffer a hacking-related data spill, underscoring a pattern of lax security across the industry and the double-edged privacy threat these tools pose to both victims and buyers.
Kaspersky, which classifies Catwatchful as stalkerware and has been detecting it since 2018, says the incident is further evidence that users and policymakers must remain vigilant. Tatyana Shishkova, Lead Security Researcher at Kaspersky GReAT, offered the following rapid response:
“Stalkerware remains a global and serious problem, as confirmed by the recent reports on the Catwatchful app. While such products are typically marketed as legitimate parental control apps, they pose significant risks: they operate stealthily, being installed without a person’s knowledge or consent, and provide a perpetrator with the means to secretly monitor the victim’s most private information.
Moreover, such apps, despite the developer’s claims about security, pose privacy risks to the perpetrators themselves. There are frequent data leaks, as recent media reports confirm.
Although it was reported that the app ‘is invisible and undetectable on the phone’, Kaspersky has been detecting Catwatchful as stalkerware since 2018. The ‘Who’s spying on me’ functionality provides users of the Kaspersky app for Android with a dedicated notification when this stalkerware is detected.
This case reinforces the need to continuously raise awareness about stalkerware and tech-enabled abuse, empowering individuals with the knowledge on how to protect both their digital and physical lives.”
Why it matters
Catwatchful’s breach illustrates three persistent dangers:
- Victim exposure – Intimate data can be harvested without consent and then leak wholesale when attackers exploit poor security hygiene.
- Perpetrator risk – Buyers entrust their credentials and sometimes incriminating evidence to vendors whose safeguards are minimal.
- Policy gaps – Stalkerware occupies a grey zone in many jurisdictions, complicating enforcement and takedown efforts.
Cyber-safety advocates, including the global Coalition Against Stalkerware, argue that the only sustainable fix is a combination of tougher regulation, stricter platform policing and wider public education on detecting and removing clandestine tracking apps.
For Android users concerned about possible compromise, Kaspersky and other security vendors recommend running a reputable mobile security suite, checking for unfamiliar accessibility-service permissions and keeping devices updated with the latest patches. Victims of tech-facilitated abuse can also seek specialised support from local domestic-violence hotlines and digital-safety organisations.
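The accessibility-service check recommended above can be scripted from a computer with adb. The following is an added example, not code from Kaspersky or the original report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, then flags enabled accessibility services whose package did not come from an official store. The sample outputs, the package names and the `TRUSTED_INSTALLERS` set are constructed assumptions.

```python
import re

# Installer package names treated as official stores (assumption; extend as needed).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.syshelper/.CoreService"
)

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.syshelper  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_accessibility_services(value):
    """Split the colon-separated component list into (package, class) pairs."""
    value = value.strip()
    if not value or value == "null":  # setting unset: no services enabled
        return []
    pairs = []
    for component in value.split(":"):
        package, _, cls = component.strip().partition("/")
        if package:
            pairs.append((package, cls))
    return pairs

def parse_installers(listing):
    """Map package name to installer (None when no installer is recorded)."""
    installers = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_sideloaded_services(a11y_value, listing):
    """Return enabled accessibility services not installed from a trusted store."""
    installers = parse_installers(listing)
    return [(pkg, cls, installers.get(pkg))
            for pkg, cls in parse_accessibility_services(a11y_value)
            if installers.get(pkg) not in TRUSTED_INSTALLERS]

if __name__ == "__main__":
    for pkg, cls, installer in flag_sideloaded_services(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"review: {pkg} ({cls}) installer={installer}")
```

Preinstalled system components can also report no installer, so a flagged entry is a prompt for manual review rather than proof of stalkerware.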