One recent example is Catwatchful, a spyware campaign targeting Android, which posed as a child-monitoring app. This spyware is most infamous for the fact that it boldly advertised itself as “undetectable” to users. Consequently, it ran silently in the background on compromised devices. A month after its controversial data security practices raised concerns across the country, the shutdown was announced. This hacking episode illustrates the deep-rooted issues around spyware and data breaches.
Catwatchful has become the fifth spyware operation this year alone to leak any users’ data, as first reported by TechCrunch. This makes up, in part, for a troubling trend. Since 2017, more than two dozen publicized spyware campaigns have exposed sensitive user data. The developer under whose account Catwatchful is created can be found to be Artur Soca Charcov, a developer from Uruguay.
To utilize Catwatchful, customers were required to physically install the spyware on a target’s phone, necessitating prior knowledge of the device’s passcode. This huge amount of access created ethical concerns around privacy and consent. As of Friday, Catwatchful is officially out of service and no longer transmits or receives data.
Catwatchful used Firebase to host its massive database, which included private conversations stolen from thousands of compromised phones. According to reports, the exposed database contained more than 62,000 customer email addresses—some of them in plaintext format—as well as customer plaintext passwords. Further, it included documentation pertaining to over 26,000 victim devices.
The recent data breach at Catwatchful has raised questions about both users and the site administrator. This new circumstance injects a powerful new layer of accountability in the ongoing battle against spyware. Though this is a highly concerning case, even a public health threat, Catwatchful has largely ignored repeated requests for comments about their breach.
Ed Fernandez, a representative from Google, stated, “We’ve investigated these reported Firebase operations and suspended them for violating our terms of service.” This response further illustrates the tech giant’s dedication to keeping users safe across its platforms.
TechCrunch did amazing work quickly and provided our team with a copy of the Catwatchful database. They accomplished this to support the data breach notification aggregator, Have I Been Pwned. This project works to notify impacted people that their personal information may have been affected.
The Coalition Against Stalkerware has risen to the occasion. They offer accessible and practical resources to anyone who fears that their devices may be infected with spyware such as Catwatchful. Security, like anything else, starts with awareness and vigilance, and both are core principles of NCSA’s Protecting Personal Data campaign.
As technology advances, so does the sophistication of spyware operations, including Catwatchful. This crash underscores the hazards of using these types of applications. It serves as an important reminder against adoption – particularly for solutions that promise to work under the radar. At the end of the day, it’s up to users to be vigilant and take these precautions. Most importantly, be educated on the tools they choose to load on their devices.