A stealth Android spyware operation security vulnerability, called Catwatchful, has exposed thousands of customers, including administrators.
A bug discovered by security researcher Eric Daigle spilled a complete database of email addresses in the Spyware app, as well as a plaintext password for the password that Catwatchful customers use to access stolen data from the victim's phone.
Catwatchful pretends to be a child surveillance app that claims to be “invisible” and it pretends to be “undetectable.” The stolen data includes victim photos, messages and real-time location data. The app also allows you to remotely tap live ambient audio from the phone's microphone and access both the front and rear phone cameras.
Spyware apps like Catwatchful are prohibited from the app store and rely on being downloaded and planted by people with physical access to a person's phone. Therefore, these apps are commonly referred to as “stalkerware” (or spouse wear) as they tend to promote nonconsensual surveillance of spouses and romantic partners.
Catwatchful is the latest example of a growth list of stalkerware operations published to data obtained by hacking, breaching, or otherwise obtaining, and is at least the fifth spyware operation due to data leakage. The incident shows that consumer-grade spyware continues to multiply despite its prone to tinsel coding and security failures that expose both customers and unsuspecting victims to data breaches.
According to a copy of the early June database seen by TechCrunch, Catwatchful had email addresses and passwords to more than 62,000 customers and phone data from the devices of 26,000 victims.
Most of the compromised devices were in Mexico, Colombia, India, Peru, Argentina, Ecuador and Bolivia (in order of number of casualties). Some of the records date back to 2018, data shows.
The CatWatchful database also revealed the identity of Omar Soca Charcov, administrator of Spyware Operation, a Uruguay-based developer. Charcov opened our email but did not respond to requests for comments sent in both English and Spanish. TechCrunch asked if he was aware of a catwatcher's data breach and if he plans to disclose the incident to his client.
Without any clear indication that CARCOV would disclose the incident, TechCrunch provided the Data Breach Notification Service with a copy of the CatWatchful database.
CatWatchFul Hosting Spyware Data on Google Servers
Daigle, a Canadian security researcher, previously investigated Stalkerware's abuse, detailed his findings in a blog post.
According to Daigle, Catwatchful uses a custom-made API. This relies on all of the planted Android apps to communicate with Catwatchful's servers and send data. SPYware uses Google's Firebase, a web and mobile development platform, to host and store stolen phone data from victims, including photos and ambient audio recordings.
Daigle told TechCrunch that the API is not recognized, allowing anyone on the internet to interact with the CatWatchful User Database without the need to log in, and has released the entire CatWatchful database of customer email addresses and passwords.
When contacted by TechCrunch, the web company hosting the CatWatchful API suspends the Spyware Developer account and temporarily blocks Spyware operations, but the API was later returned in Hostgator. Hostgator spokesman Kristen Andrews did not respond to requests for comment regarding the company hosting Spyware operations.
TechCrunch confirmed that CatWatchful uses FireBase by downloading and installing CatWatchful spyware on virtualized Android devices.
We looked into the network traffic coming and going to the device. This means that mobile phone uploads are uploading to a specific FireBase instance that CatWatchful uses to host the victim's stolen data.
After TechCrunch provided Google with a copy of Catwatchful malware, Google said it added new protection for Google Play Protect, a security tool that scans Android phones for malicious apps such as Spyware. Currently, Google Play Protect alerts users when they detect catwatch full spyware or its installer on their phone.
TechCrunch also provided Google with details of the Firebase instances involved in storing data for CatWatchful operations. Asked if Stalkerware's operations violated Firebase's terms of service, Google told TechCrunch on June 25 that it was under investigation but did not promise to remove the operation immediately.
“All apps using Firebase products must adhere to terms of use and policies. We are investigating this specific issue. If an app is found to be breached, the appropriate action will be taken. Android users who try to install these apps are protected by Google Play Protect.
At the time of publication, Catwatchful remains hosted on Firebase.
OPSEC Miss reveals spyware administrator
Like many spyware operations, Catwatchful doesn't reveal its owner or reveal who performed the operation. It is not uncommon for Stalkerware and Spyware operators to hide their actual identity given the legal and reputational risks associated with promoting illegal surveillance.
However, an operational security incident within the dataset exposed CARCOV as the administrator of the operation.
In a review of the CatWatchful database, CARCOV is listed as the first record in one of the files in the dataset. (In past spyware-related data breaches, some operators are often identified by early database records, as developers often test spyware products on their own devices.)
The dataset contained the full name, phone number, and the web address of a specific FireBase instance where the Catwatchful database was stored on Google's servers.
Carcov's personal email address in the dataset is the same email that he lists on his LinkedIn page and has since been set to private. Carcov also configured the CatWatchful Administrator email address as the password recovery address for your personal email account in an event that directly links Carcov to the CATWATCHFUL operation.
How to remove Catwatch Full Spyware
Catwatchful claims that it can't be uninstalled, but there is a way to detect and remove apps from affected devices.
Before you begin, it's important to have a safety plan as disabling spyware will alert you to planters. The Coalition against Stalkerware has the resources to do important work in this area and to assist victims and survivors.
Android users can detect Catwatchful even when hidden from view by dialing 543210 on the Android phone app's keypad and pressing the call button. If Catwatchful is installed, the app will appear on the screen. This code is a built-in backdoor feature that allows the person who planted the app to regain access to the settings once the app is hidden. This code can be used by anyone to check if the app is installed.
Image credit: TechCrunch
Image credit: TechCrunch
When it comes to app removal, TechCrunch has a general how-to guide to removing Android spyware that will help you identify and remove common types of phone stalkerware and enable the various settings needed to protect your Android device.
–
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.