Security researcher Eric Daigle has uncovered a SQL injection vulnerability in Catwatchful, an Android stalkerware application marketed as a parental control tool. The flaw exposed the application's backend database: plaintext e-mail addresses and passwords for more than 62,000 customer accounts, along with the surveillance data those customers had collected from approximately 26,000 victim devices.
Understanding Catwatchful’s Surveillance Capabilities
Catwatchful is a full mobile surveillance platform for covert monitoring of a target device. Once installed it gives the person who planted it real-time access to the device's camera and microphone, the contents of messaging applications, location history, and other stored content.
The developers explicitly marketed the software’s stealth capabilities, stating that users could “monitor the target phone without their knowledge using mobile phone monitoring software. The app is invisible and undetectable on the phone.” This positioning clearly identifies Catwatchful as stalkerware rather than legitimate parental control software.
Technical Implementation and Attack Vector
Installation requires physical access to the target device. After registering, the customer downloads a preconfigured APK that already contains the credentials tying that installation to their account. Once installed, the application runs in the background, hides itself from the device owner, and continuously uploads the collected data to a Google Firebase backend.
The customer then views that data through a web-based control panel, which allows remote monitoring of the victim's activity across the device's functions and applications.
Vulnerability Analysis and Exploitation
Daigle's investigation found that the API serving the control panel accepted requests without any authentication and that at least one endpoint passed user-supplied input into its database queries without sanitization. The combination is a textbook SQL injection: anyone on the internet could craft a request that caused the backend to return rows it was never meant to expose, with no account or session required.
Exploiting the flaw gave access to the entire database: the e-mail addresses and plaintext passwords of all 62,050 registered customer accounts, the mapping of each compromised device to the account controlling it, the surveillance data collected from roughly 26,000 victim devices, and personal details of the application's developer.
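The following is an added illustration of the vulnerability class described above, not Catwatchful's code: a lookup endpoint that concatenates a caller-supplied device identifier into a SQL string and performs no authentication, shown beside a hardened version that binds the value as a parameter and checks that the caller owns the record. The table layout, the sample rows, the session tokens and the injection payload are all constructed for the example.

```python
"""Constructed demonstration of unauthenticated SQL injection versus a
parameterised, access-checked query. Schema, rows and tokens are invented."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows.

    Passwords are stored in plaintext on purpose, to mirror the kind of
    record that a dump of such a backend would expose.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, password TEXT, device_id TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("alice@example.com", "hunter2", "dev-0001"),
            ("bob@example.com", "letmein", "dev-0002"),
            ("carol@example.com", "qwerty", "dev-0003"),
        ],
    )
    return conn


# Constructed session table: token issued at login -> device the caller owns.
SESSIONS = {"tok-alice": "dev-0001"}

# Classic payload: closes the string literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def lookup_vulnerable(conn: sqlite3.Connection, device_id: str) -> list:
    """Vulnerable pattern: no authentication, query built by string formatting.

    With PAYLOAD as device_id the WHERE clause becomes
        device_id = '' OR '1'='1'
    which matches every row in the table.
    """
    query = f"SELECT email, password FROM accounts WHERE device_id = '{device_id}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, token: str, device_id: str) -> list:
    """Hardened pattern: authenticate the caller, then bind the parameter.

    The ownership check stops an authenticated customer from reading other
    customers' records; the bound parameter stops the payload from altering
    the query at all (it is compared literally against device_id).
    """
    owner = SESSIONS.get(token)
    if owner is None or owner != device_id:
        raise PermissionError("caller is not authorised for this device")
    return conn.execute(
        "SELECT email, password FROM accounts WHERE device_id = ?", (device_id,)
    ).fetchall()


def demo() -> tuple:
    """Return (rows dumped via injection, rows via legitimate call, injection blocked)."""
    conn = build_db()
    dumped = lookup_vulnerable(conn, PAYLOAD)
    own = lookup_hardened(conn, "tok-alice", "dev-0001")
    try:
        lookup_hardened(conn, "tok-alice", PAYLOAD)
        blocked = False
    except PermissionError:
        blocked = True
    return len(dumped), len(own), blocked


if __name__ == "__main__":
    print(demo())  # (3, 1, True)
```

The two fixes are independent and both are needed: parameter binding alone would still let any unauthenticated caller enumerate device identifiers, and an authentication check alone would still let a logged-in customer inject through the identifier field.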
Geographic Impact and Scale
Analysis of the dumped data showed that the affected devices were concentrated in Latin America and Asia, with the largest numbers of victims in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. Some records dated back to 2018, meaning that certain devices had been under surveillance for years.
Developer Identification
The same database allowed researchers to identify the application's creator as Omar Sok Charkov of Uruguay: his phone number and e-mail address were stored alongside the customer records. A product sold on the promise of staying hidden thus failed to protect its own operator.
Response and Mitigation Efforts
After the findings were published, Google updated Play Protect to detect Catwatchful and warn users when it is found on a device. The hosting provider suspended the account serving the API, but the operators moved the API to other infrastructure shortly afterwards and the service continued to run.
Detection Method for Users
Despite the marketing claim of undetectability, an Android user can check for Catwatchful with a code the developers built in as a removal mechanism: open the phone's dialer, enter "543210" and press the call button. If the app is installed, it reveals itself. Anyone who suspects they are being monitored should keep in mind that removing stalkerware can alert the person who installed it, so it is worth having a safety plan before uninstalling.
The case illustrates a recurring pattern with stalkerware: software built to violate its victims' privacy is itself poorly secured, so a single flaw exposes the victims a second time and, in this instance, the customers and the developer as well. It also shows the value of independent security research in documenting such operations, getting them blocked, and giving potential victims a way to find the software on their own devices.