Spy App Catwatchful Leaks Emails, Passwords, and Locations

Sophia Taylor

A major data breach has revealed the disturbing extent of surveillance carried out by a spyware app called Catwatchful. Marketed as a child monitoring tool, the app is actually part of a broader category known as “stalkerware”—apps designed to secretly spy on people, often by abusive partners, without their knowledge or consent.

A Hidden App with Alarming Access

Catwatchful claims to be invisible once installed on an Android phone and gives the person who planted it access to messages, photos, location data, and even live audio and camera feeds. But a security flaw discovered by researcher Eric Daigle has exposed more than just the app’s capabilities—it also leaked sensitive information belonging to tens of thousands of users and victims.

The exposed database contained over 62,000 customer email addresses and passwords, along with data stolen from 26,000 victim devices. Photos, messages, and real-time location information were among the compromised materials. The breach affects users mainly in Latin America and South Asia, with the majority of devices located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia.

Not Just Catwatchful: A Pattern of Abuse and Neglect

Stalkerware like Catwatchful is banned from app stores, so it must be installed manually by someone who has physical access to the phone. These apps are often disguised as tools for concerned parents but are widely misused to enable covert surveillance in abusive relationships.

Catwatchful isn’t alone in its recklessness. It’s just the latest in a growing list of stalkerware operations—such as Spyzie, Spyic, Spyhide, and mSpy—that have exposed massive amounts of sensitive user data due to poor security practices. In many of these cases, companies failed to fix flaws even after being alerted, disappearing from the internet rather than facing the consequences.

In Catwatchful’s case, the database not only exposed victims and customers, but also the identity of the spyware’s administrator. Due to an apparent operational security mistake, the name, phone number, and email of the developer behind Catwatchful—linked to a man in Uruguay—were included in the leaked files.

Perhaps even more troubling is the way the app stores data. Catwatchful uses Firebase, a platform by Google, to host and manage victims’ private data. Researchers found that the app’s custom-built system didn’t require any login to access sensitive information, meaning anyone on the internet could have viewed it. Though Google has added Play Protect alerts for this spyware, Catwatchful’s Firebase storage remains online as of the latest reports.

What You Can Do to Protect Yourself

If you suspect someone has secretly installed Catwatchful on your phone, there’s a way to check. On Android, dial 543210 and press the call button. This hidden code can reveal the app if it’s been disguised. Removing it should be done carefully, as it can alert the person who planted it. The Coalition Against Stalkerware offers resources for those seeking help in these situations.

Fig 1. Revealing Catwatchful on Android. Source: TechCrunch

For your digital safety, be cautious of apps that claim to offer “monitoring” features. Not only can these tools violate privacy and local laws, but they also put users and victims at risk when their data isn’t properly secured. If you’re concerned your information may have been compromised in a breach, use trusted services to check your digital exposure and secure your accounts.

If you or someone you know is experiencing technology-enabled abuse, support is available. The National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential help.