Google took a month to shut down Catwatchful, a phone spyware operation hosted on its servers

Google has officially suspended the account of Catwatchful, a sophisticated phone surveillance operation that brazenly leveraged the tech giant’s own Firebase servers to host and operate its intrusive monitoring software. This significant action by Google comes a full month after TechCrunch initially alerted the company to the presence of the illicit operation on its developer platforms.

For weeks, Catwatchful relied on Firebase to store and manage vast quantities of sensitive data illicitly siphoned from thousands of Android phones compromised by its spyware. Despite Google’s own terms of use explicitly prohibiting the hosting of malicious software, the operation continued until recently.

“We’ve investigated these reported Firebase operations and suspended them for violating our terms of service,” Google spokesperson Ed Fernandez confirmed to TechCrunch. However, Google declined to elaborate on the reasons behind the perplexing month-long delay in taking action, raising questions about the responsiveness of its platform security protocols when commercial interests might be at play.

As of Friday, active network traffic analysis by TechCrunch indicates that Catwatchful is no longer operational, showing no signs of transmitting or receiving data, marking a definitive end to its clandestine activities.

Catwatchful operated as an Android-specific spyware, deceptively marketing itself as an “undetectable” child-monitoring application. Like many such clandestine apps, it required physical installation on the target’s phone, typically necessitating prior knowledge of their passcode. These monitoring tools are frequently categorized as “stalkerware” or “spouseware” due to their prevalent misuse in non-consensual surveillance, often by spouses or romantic partners, which is illegal and abusive.

Once installed, Catwatchful was designed to remain hidden from the victim’s home screen, discreetly uploading private communications, photos, precise location data, and more to a web dashboard accessible by the individual who planted the app.

The existence of Catwatchful first came to light in mid-June when security researcher Eric Daigle identified a critical security vulnerability that left the spyware operation’s back-end database exposed. This bug permitted unauthenticated access, meaning no passwords or credentials were required to view its contents.

The exposed database was a trove of sensitive information, including over 62,000 Catwatchful customer email addresses and plaintext passwords, alongside records pertaining to 26,000 victim devices compromised by the spyware. The data also inadvertently revealed the administrator behind the operation, identified as Omar Soca Charcov, a developer based in Uruguay. TechCrunch reached out to Charcov for comment on the security lapse and potential breach notification, but received no response.

With no indication of disclosure from Charcov, TechCrunch responsibly shared a copy of the Catwatchful database with data breach notification service Have I Been Pwned, ensuring affected individuals could be alerted.

Catwatchful is the latest in a troubling trend of surveillance operations experiencing data breaches, largely attributable to poor coding practices and inadequate cybersecurity measures. By TechCrunch’s count, this is the fifth spyware operation this year alone to leak user data, adding to a list of over two dozen known spyware operations since 2017 that have compromised their data banks.

For Android users concerned about potential Catwatchful installation, even if the app is hidden, you can often identify it by dialing 543210 into your phone’s keypad and pressing the call button. It is crucial to remember to have a safety plan in place before attempting to remove any spyware from your device.

—

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also offers valuable resources if you suspect your phone has been compromised by spyware.