Catwatchful stalkerware platform vulnerable to SQL Injection exposes 62,000 customers
Take action: People managing spyware platforms are not great at security. Check your phone from time to time for any weird applications.
An SQL Injection vulnerability has exposed the entire customer database of the Catwatchful stalkerware/spyware operation, revealing the personal information of over 62,000 customers who used the stalkerware service to surveil approximately 26,000 victim devices.
The flaw was reported by Canadian security researcher Eric Daigle, who found that a SQL injection vulnerability in the operation's unauthenticated API gave complete access to the service's backend database.
Catwatchful is an Android stalkerware/spyware application masquerading as a child monitoring service. The service claims to be "invisible and cannot be detected" while secretly uploading victims' private phone contents to dashboards accessible by those who installed the surveillance software. The tool was capable of
- accessing real-time location data,
- remotely activating device cameras and microphones,
- stealing personal communications without the victim's knowledge or consent.
The flaw was found in Catwatchful's API endpoint used by the Android applications to communicate with the service's servers. According to Daigle's technical analysis, the vulnerability was present in the servicios.php endpoint on the catwatchful.pink domain, which processed device information requests without proper authentication or input validation. Using automated SQL injection tools, Daigle was able to extract the complete contents of the catwatch_system database, which contained plaintext credentials and operational data going back to 2018.
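The defect class described above, a device-lookup endpoint that splices a client-supplied identifier straight into a SQL string, is easy to reproduce and just as easy to fix. The following is an added illustration written for this article, not code from Catwatchful or from Daigle's analysis: the real endpoint was PHP, but the same pattern is shown here in Python against a throwaway in-memory SQLite database with constructed sample rows. `lookup_device_vulnerable` builds the query by concatenation, so the input is parsed as SQL; `lookup_device_safe` passes the value as a bound parameter, and `valid_device_id` is a hypothetical allow-list check a hardened handler would run before touching the database at all.

```python
import re
import sqlite3

# Constructed sample data; stands in for the customer and device tables the article describes.
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "correcthorse")]
SAMPLE_DEVICES = [("dev-0001", "alice@example.com"), ("dev-0002", "bob@example.com")]

# Hypothetical format rule for device identifiers: short, alphanumeric plus hyphen.
DEVICE_ID_PATTERN = re.compile(r"^[A-Za-z0-9-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE devices (device_id TEXT, owner_email TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_device_vulnerable(conn: sqlite3.Connection, device_id: str) -> list:
    """Vulnerable pattern: the client value is concatenated into the SQL text.

    Whatever the caller sends is interpreted by the database engine as part of
    the statement, so a crafted value changes the WHERE clause itself.
    """
    sql = "SELECT device_id, owner_email FROM devices WHERE device_id = '" + device_id + "'"
    return conn.execute(sql).fetchall()


def lookup_device_safe(conn: sqlite3.Connection, device_id: str) -> list:
    """Hardened pattern: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT device_id, owner_email FROM devices WHERE device_id = ?"
    return conn.execute(sql, (device_id,)).fetchall()


def valid_device_id(device_id: str) -> bool:
    """Allow-list validation run before the query; rejects anything outside the expected shape."""
    return DEVICE_ID_PATTERN.fullmatch(device_id) is not None


def handle_request(conn: sqlite3.Connection, device_id: str) -> list:
    """Hardened request handler: validate first, then query with parameters.

    A real endpoint would also authenticate the caller and only return rows the
    caller is entitled to see; that step is left out to keep the example focused.
    """
    if not valid_device_id(device_id):
        return []
    return lookup_device_safe(conn, device_id)


if __name__ == "__main__":
    db = make_db()
    # A classic tautology input: with concatenation every device row comes back.
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_device_vulnerable(db, payload))   # both sample devices
    print("parameterised:", lookup_device_safe(db, payload))       # no match, empty list
    print("validated:", handle_request(db, payload))               # rejected before the query
    print("normal:", handle_request(db, "dev-0002"))               # one row
```

Run it and compare the first two lines: the concatenated query returns every row because the input rewrote the condition, while the parameterised query treats the same string as a literal identifier and finds nothing. Validation on top of parameterisation is belt and braces; parameterisation alone already closes the injection, but the allow-list gives a cheap place to log and alert on malformed requests, which is the detection signal a defender wants from an endpoint like this.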
The compromised database exposed numerous types of sensitive information:
- Customer email addresses and plaintext passwords for all 62,050 user accounts
- Device identifiers and installation timestamps for surveillance targets
- Geographic distribution data showing victim locations
- Administrative credentials and system configuration details
- Records linking customer accounts to specific compromised devices
- Historical tracking data dating back to 2018
The breach revealed that most surveillance victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. The flaw also exposed the identity of the operation's administrator, Omar Soca Charcov, a developer based in Uruguay whose personal information was listed as the first record in the user database.
To check whether your device has such spyware:
- On Android devices, entering ✱✱001✱✱ on the phone keypad and pressing "call" can reveal the hidden apps
- Check installed apps through the Android Settings menu
Catwatchful utilized a dual-infrastructure approach, combining a custom PHP-based API for user management with Google's Firebase platform for storing stolen victim data including photos, audio recordings, and location information. When TechCrunch contacted hosting providers about the operation, the initial catwatchful.pink server was temporarily suspended, but the service quickly migrated to HostGator hosting with a new domain before eventually implementing web application firewall protections to block the SQL injection attack.
Despite being contacted by TechCrunch reporters in both English and Spanish, Charcov did not respond to requests for comment regarding the data breach or plans to notify affected customers. The dumped database was subsequently provided to the Have I Been Pwned data breach notification service to alert affected users. Google added detection capabilities for Catwatchful to its Play Protect security system but had not taken action against the Firebase infrastructure hosting victim data as of the incident's public disclosure.
This incident is another major stalkerware/spyware operation breach in 2025, after SpyX, Spyzie, Cocospy and Spyic.