
Executive Brief
Security researcher Eric Daigle discovered a critical SQL injection vulnerability in the infrastructure supporting Catwatchful, a commercial stalkerware application marketed for covert surveillance of Android devices. The breach exposed approximately 62,000 user accounts, including email addresses and passwords stored in plaintext, according to Daigle's technical disclosure published on July 3, 2025.
Catwatchful markets itself with claims of being "invisible" and impossible to detect or uninstall. The application operates by requiring physical access to a target device for installation, after which it transmits location data, call logs, text messages, and other sensitive information to remote servers controlled by the purchaser.
The vulnerability allowed Daigle to access the application's backend database through a straightforward SQL injection attack against the web dashboard. Beyond user credentials, the exposed data included device identifiers and surveillance data collected from monitored phones. Daigle reported the vulnerability to Catwatchful but received no response prior to publication.
The breach affects both the operators who purchased Catwatchful subscriptions and the individuals being monitored without their knowledge. Stalkerware applications occupy a legally ambiguous space, often marketed for parental monitoring or employee oversight while frequently deployed for intimate partner surveillance and harassment.
Daigle's research also revealed an undocumented way to find and remove the application on an infected device. Dialing a specific code from the phone's dialer brings the hidden app back onto the screen, from which it can be uninstalled, contradicting the vendor's marketing claim that the software cannot be removed.
What Happened
Eric Daigle, a Canadian security researcher, began investigating Catwatchful's infrastructure as part of ongoing research into commercial surveillance software. His findings, published on July 3, 2025, detail a series of security failures in the stalkerware's web-based control panel.
The primary vulnerability consisted of a SQL injection flaw in the authentication mechanism. By manipulating input fields on the login page, Daigle gained unauthorized access to the backend MySQL database. The database contained user account information for approximately 62,000 registered accounts.
Passwords were stored without hashing or encryption, appearing in plaintext within the database tables. Email addresses, registration dates, and subscription status were also exposed. The database additionally contained device identifiers and configuration data for monitored phones.
Daigle attempted to contact Catwatchful through multiple channels to report the vulnerability. The company did not respond to these disclosure attempts. After a reasonable waiting period, Daigle proceeded with public disclosure.
TechCrunch reported on the breach on July 2, 2025, noting that the exposed data revealed thousands of Android devices actively being monitored through the platform. The publication confirmed the vulnerability through independent verification.

Key Claims and Evidence
Daigle's technical writeup provides detailed evidence of the SQL injection vulnerability. The attack required no valid account and no sophisticated exploitation techniques: standard SQL injection payloads submitted through the web interface returned database contents directly.
The researcher documented the database schema, revealing tables containing user credentials, device registrations, and surveillance logs. Screenshots in the disclosure show plaintext password storage, a practice widely considered unacceptable in modern application security.
Catwatchful's marketing materials claim the application "cannot be detected" and "cannot be uninstalled." Daigle's research contradicts both claims. The application responds to a specific dialer code: entering 543210 in the phone's dialer brings the hidden Catwatchful app onto the screen, where it can be uninstalled like any other app, according to Daigle's analysis of the application's code.
The application requires physical access to the target device for initial installation. Once installed, it operates without visible indicators and transmits data to Catwatchful's servers. The collected data includes GPS location, call history, SMS messages, and application usage information.
Pros / Opportunities
The disclosure provides actionable information for individuals who suspect their devices may be compromised by Catwatchful. The documented removal method offers a path to eliminating the surveillance software without requiring technical expertise or device reset.
Security researchers and anti-stalkerware organizations can use the technical details to improve detection. The documented installation footprint and behavior may help identify Catwatchful installations through endpoint security tools.
The breach demonstrates the inherent security risks in stalkerware infrastructure. Operators who deploy such software expose themselves to credential theft and potential legal liability when these platforms experience security failures.

Cons / Risks / Limitations
The exposed database contains information about both stalkerware operators and their targets. Victims of surveillance may face additional risks if their monitoring status becomes known to abusers through secondary data exposure.
Plaintext password storage suggests broader security deficiencies throughout the platform. Users of Catwatchful who reused passwords across services face credential stuffing attacks against their other accounts.
The lack of vendor response to security disclosures indicates ongoing risk. Without patches or infrastructure changes, the SQL injection vulnerability may remain exploitable. Additional vulnerabilities may exist in the platform's codebase.
Stalkerware applications frequently evade detection by mobile security software. The covert nature of these applications makes comprehensive detection difficult, and the documented removal method only works for Catwatchful specifically.
How the Technology Works
Stalkerware applications like Catwatchful operate through a client-server architecture. The mobile application, installed on the target device, collects data and transmits it to centralized servers. Purchasers access collected data through a web-based dashboard.
Installation requires physical access to the target Android device. The installer must enable installation from unknown sources and grant extensive permissions including location access, SMS reading, call log access, and accessibility services. These permissions enable comprehensive surveillance capabilities.
The application conceals its presence by hiding its icon from the application drawer and using generic process names. Background services maintain persistent operation and periodic data transmission. The application may also disable or interfere with security software on the device.
Data transmission typically occurs over HTTPS to avoid network-level detection. The collected information is stored on the vendor's servers, accessible through authenticated web sessions. The SQL injection vulnerability existed in this web dashboard component.
Technical context: SQL injection exploits code that builds database queries by pasting user-supplied text into the SQL statement. When input is concatenated into a query instead of being passed as a bound parameter, an attacker can close the intended string literal and append their own SQL, turning a lookup into an authentication bypass or a dump of other tables. The attack surface in this case was the login form of the web dashboard.
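The following is an added illustration written for this page; it is not code from Catwatchful or from Daigle's writeup, whose backend details are not reproduced here. It builds a minimal login lookup of the kind the paragraph describes, once with user input concatenated into the query and once with bound parameters, against an in-memory SQLite table holding constructed sample accounts. The two payloads show both outcomes the page attributes to the real attack: an authentication bypass and a dump of the (plaintext) password column. The table, account names and passwords are invented for the example.

```python
import sqlite3

# Constructed sample data for the example; these accounts do not exist anywhere.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with passwords stored in plaintext,
    mirroring the storage practice the breach exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> list:
    """Vulnerable form: input is spliced into the SQL text.
    A quote in `email` ends the string literal and the rest is parsed as SQL."""
    query = (
        f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def safe_login(conn: sqlite3.Connection, email: str, password: str) -> list:
    """Hardened form: placeholders; the driver sends values separately from the
    statement, so a quote in `email` is just a character to compare against."""
    query = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (email, password))]


# Two payloads. The trailing "-- " turns the remainder of the query into a comment,
# so the password check never runs.
BYPASS_PAYLOAD = "' OR 1=1 -- "
DUMP_PAYLOAD = "' UNION SELECT password FROM users -- "


def demo() -> dict:
    """Run both payloads through both implementations and return the results."""
    conn = build_db()
    return {
        "vulnerable_bypass": vulnerable_login(conn, BYPASS_PAYLOAD, "wrong"),
        "vulnerable_dump": sorted(vulnerable_login(conn, DUMP_PAYLOAD, "wrong")),
        "safe_bypass": safe_login(conn, BYPASS_PAYLOAD, "wrong"),
        "safe_dump": safe_login(conn, DUMP_PAYLOAD, "wrong"),
        "safe_valid": safe_login(conn, "alice@example.com", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The bypass payload logs in as every user without knowing a password; the UNION payload uses the same login field to read the password column, which is exactly why plaintext storage and injection compound each other. With bound parameters both payloads return nothing, while a genuine credential pair still works.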
Why This Matters Beyond the Company or Product
The Catwatchful breach illustrates systemic security problems in the commercial stalkerware industry. These applications, by design, collect and store highly sensitive personal information. The operators of such platforms frequently lack the security expertise to protect this data adequately.
Stalkerware occupies a contested legal space. While marketed for legitimate purposes like parental monitoring, research consistently shows significant use in intimate partner abuse and harassment. The Coalition Against Stalkerware, a consortium of security vendors and advocacy organizations, maintains resources for identifying and removing such applications.
The plaintext password storage discovered in this breach is a fundamental security failure. Salted, deliberately slow password hashing (bcrypt, scrypt, Argon2 or PBKDF2) has been baseline industry guidance for well over a decade, and nothing about a surveillance dashboard makes it hard to apply. The presence of such a basic defect suggests minimal security investment by stalkerware vendors.
Law enforcement and regulatory bodies in multiple jurisdictions have taken action against stalkerware vendors. The Federal Trade Commission has pursued enforcement actions against similar applications in the United States. The exposure of user data in breaches like this one may provide evidence for future regulatory action.
What's Confirmed vs. What Remains Unclear
Confirmed:
- A SQL injection vulnerability existed in Catwatchful's web dashboard at the time of disclosure
- Approximately 62,000 user accounts were exposed
- Passwords were stored in plaintext
- The dialer code 543210 reveals the hidden application so it can be uninstalled
- Catwatchful did not respond to vulnerability disclosure attempts
Unclear:
- Whether the vulnerability has been exploited by other parties
- The geographic distribution of affected users and monitored devices
- Whether Catwatchful has implemented any remediation
- The full extent of surveillance data accessible through the vulnerability
- The legal status of Catwatchful's operations in various jurisdictions
What to Watch Next
Security researchers may conduct additional analysis of Catwatchful's infrastructure and mobile application. Further vulnerabilities could emerge from continued investigation.
Anti-stalkerware organizations including the Coalition Against Stalkerware may update their detection tools to identify Catwatchful installations more reliably. Mobile security vendors may incorporate the documented indicators into their scanning capabilities.
Regulatory responses to stalkerware continue to evolve. The documented security failures and potential for harm may attract attention from consumer protection agencies and law enforcement.
Affected individuals who discover Catwatchful on their devices should consider the broader security implications. The presence of stalkerware often indicates other forms of monitoring or control that require comprehensive safety planning.
Sources
- Ars Technica, "Provider of covert surveillance app spills passwords for 62,000 users", July 3, 2025. https://arstechnica.com/security/2025/07/provider-of-covert-surveillance-app-spills-passwords-for-62000-users/
- Eric Daigle, "Taking Over 60k Spyware User Accounts", July 3, 2025. https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/
- TechCrunch, "Data breach reveals Catwatchful stalkerware spying on thousands of Android phones", July 2, 2025. https://techcrunch.com/2025/07/02/data-breach-reveals-catwatchful-stalkerware-spying-on-thousands-android-phones/


