Full Report
The spyware operation's exposed customer email addresses and passwords were shared with data breach notification service Have I Been Pwned.
Analysis Summary
# Incident Report: Catwatchful Stalkerware Customer Data Exposure
## Executive Summary
A critical vulnerability in the operation of the Catwatchful Android spyware, which masquerades as child monitoring software, led to the public exposure of its entire customer database, including email addresses and plaintext passwords for over 62,000 users. The exposure resulted from an unauthenticated, custom-made API that allowed internet access to the central database, which was hosted on Google’s Firebase infrastructure. The compromise affected both the paying customers who operated the spyware and the data of the 26,000 unsuspecting victims whose phones were compromised.
## Incident Details
- Discovery Date: Early June (when database copy was obtained by TechCrunch/Researcher)
- Incident Date: Ongoing exploitation leading up to June discovery; vulnerability existed prior to this.
- Affected Organization: Catwatchful Spyware Operation (Administrator identified as Omar Soca Charcov)
- Sector: Surveillance/Malicious Software Infrastructure (Stalkerware)
- Geography: Victim devices primarily in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. Administrator based in Uruguay.
## Timeline of Events
### Initial Access (to Stalkerware Database)
- Date/Time: Prior to Early June.
- Vector: Exploitation of an unauthenticated, custom-made API used by the Catwatchful Android application.
- Details: The API lacked authentication, allowing any external entity to query and access the central user database containing customer credentials and victim data.
### Lateral Movement
Not applicable to this specific incident, as the incident involved a direct database breach via an insecure API, not network intrusion into an organization's internal network.
### Data Exfiltration/Impact
- What was stolen or damaged: The entire Catwatchful database was exposed. This included:
- Email addresses and plaintext passwords for over 62,000 customers (operators of the spyware).
- Data stolen from 26,000 victim devices (photos, messages, real-time location, ambient audio, camera access data).
- The identity of the administrator, Omar Soca Charcov.
### Detection & Response
- How it was discovered: Security researcher Eric Daigle discovered the vulnerability and obtained a copy of the database.
- Response actions taken:
- TechCrunch notified the hosting company managing the API, leading to a brief suspension of the account.
- TechCrunch provided the database copy to Have I Been Pwned (HIBP).
- TechCrunch provided malware samples and Firebase details to Google.
- Google reportedly added new protections for Google Play Protect to alert users if Catwatchful or its installer is detected.
- The API access subsequently reappeared on HostGator hosting.
## Attack Methodology
- Initial Access: Insecure API configuration (unauthenticated access).
- Persistence: Not applicable (the compromise target was the database/infrastructure, not endpoints).
- Privilege Escalation: Not applicable.
- Defense Evasion: The spyware itself claims to be "invisible and cannot be detected."
- Credential Access: Customer credentials (emails/passwords) were obtained directly from the exposed database, not via credential theft from endpoints.
- Discovery: The researcher likely used reconnaissance to map the custom API structure and test authentication methods.
- Lateral Movement: Not applicable.
- Collection: The spyware collected photos, messages, location data, ambient audio, and camera access from victim phones.
- Exfiltration: Data was uploaded via the custom API to Google’s Firebase instances.
- Impact: Massive data breach affecting both customer operational security and victim privacy/safety.
## Impact Assessment
- Financial: Not quantified, but the exposure of the operator (Charcov) could lead to legal action against the spyware operation.
- Data Breach: Highly sensitive personal data exposed: 62,000+ customer login credentials and data from 26,000 victims' phones (location, communications, audio/visual data).
- Operational: The spyware operation was briefly disrupted when the initial hosting provider suspended the account, but it shortly resumed on HostGator.
- Reputational: Significant reputational damage to the Catwatchful operation; further highlights risks associated with consumer-grade stalkerware.
## Indicators of Compromise
- Network indicators: Custom-made, unauthenticated API communicating with Catwatchful servers. Traffic directed to specific Google Firebase instances.
- File indicators: Catwatchful Android spyware application files (unknown hashes provided).
- Behavioral indicators: Android app using a backdoor code (**543210** dialed followed by call) to access hidden settings.
## Response Actions
- Containment measures: Initial suspension of the hosting account associated with the API developer (temporary).
- Eradication steps: N/A for the breach itself, but Google enhanced Play Protect capabilities.
- Recovery actions: Victim users urged to change any potentially compromised passwords; resources shared for spyware removal on Android devices.
## Lessons Learned
- Consumer-grade spyware is inherently insecure, often featuring shoddy coding and security failings that expose both customers and victims.
- Cloud hosting services (like Firebase) must rigorously vet the terms of service compliance of clients hosting sensitive data, as unauthenticated APIs are catastrophic failure points.
- Revealing the identity of the administrator (Omar Soca Charcov) through associated records linking personal and admin accounts was a critical failure for the attacker.
## Recommendations
- For Android Users: Immediately check if Catwatchful spyware is installed using the **543210** dialer code backdoor. Use official resources like the Coalition Against Stalkerware for removal guides.
- For Developers/Service Providers: Implement strict authentication and authorization checks on all APIs accessing user or customer data. Ensure data storage practices comply with security best practices, especially when dealing with highly sensitive surveillance data.
- For Hosting Providers (e.g., HostGator): Conduct thorough vetting of suspicious services like banned stalkerware applications and enforce terms of service immediately upon identification of abuse.