A security vulnerability in a stealthy Android stalkerware named Catwatchful seems to have leaked more than 62,000 user credentials, including that of its administrator. The exploit was first discovered by a Canadian researcher named Eric Daigle, who claims that the leaked data includes email addresses and passwords stored in plain text. This data was used by the spyware’s customers to access data stolen from the phones of unsuspecting victims.
What makes Catwatchful so dangerous?
Catwatchful is a stalkerware for Android devices that disguises itself as a child-monitoring app. It works by uploading the victim’s private information like photos, call logs, passwords, real-time location and other information by uploading it to a dashboard that can only be accessed by the person who planted it. What makes it even more dangerous is that Catwatchful can also tap in the live ambient audio using the phone’s microphone and even access both front and rear cameras.
Unlike most spyware apps for Android, Catwatchful uses its very own infrastructure and also offers a 3-day free trial, which is a rarity for a spyware app. The app developer also says that “Catwatchful is invisible. It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you access the information it collects.”
Unsurprisingly, it is not available on the Play Store and requires users to manually download and install it, which is often referred to as sideloading, which means only someone with physical access to your device will be able to install it.
Daigle said he started by making a free trial account on the Catwatchful website, which is when he noticed that the website registered his information in two different locations, one of which was hosted on a domain called catwatchful.pink. When installed, the app requested all sorts of permissions and hid itself as a system app. Also, all of the stolen data was stored in Firebase and accessed via a web control panel. However, the custom backend the app developer was using was vulnerable to a SQL injection attack.
Daigle said he used this very flaw to access the service’s entire user database, which included email addresses and passwords of people who were using Catwatchful to spy on others, which amounted to more than 62,000. As it turns out, it also included information of devices that were being monitored.
According to TechCrunch, the majority of devices that were compromised were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia. The publication says the list is in order of the number of victims. What’s even more surprising is that some of these records date back to 2018, which suggests that Catwatchful has been operating and stealing data for at least 7 years.
© IE Online Media Services Pvt Ltd
0
0
Average Rating