Catwatchful data breach exposes thousands in latest stalkerware scandal
A covert Android application called Catwatchful, marketed as an 'invisible' child-monitoring tool, has suffered a major data breach that laid bare the email addresses and plaintext passwords of more than 62,000 paying customers and leaked stolen data from at least 26,000 victims' phones. The discovery, first reported by TechCrunch and attributed to security researcher Eric Daigle, shows that Catwatchful's unauthenticated programming interface allowed anyone on the internet to query its entire user database. Most victims were located in Mexico, Colombia, India, Peru, Argentina, Ecuador and Bolivia.
Catwatchful is best described as stalkerware: consumer spyware that must be installed manually on a target's handset and then operates in secret, siphoning off photos, messages, real-time location data and even live microphone and camera feeds to a web dashboard controlled by the perpetrator. Although such apps are banned from official app stores, their availability via third-party sites continues to fuel intimate-partner surveillance and other forms of tech-enabled abuse.
The leaked database also exposed the identity of the app's administrator, Omar Soca Charcov, a developer based in Uruguay who has so far declined to comment on the breach. Catwatchful is at least the fifth stalkerware service this year to suffer a hacking-related data spill, underscoring a pattern of lax security across the industry and the double-edged privacy threat these tools pose to both victims and buyers.
Kaspersky, which classifies Catwatchful as stalkerware and has been detecting it since 2018, says the incident is further evidence that users and policymakers must remain vigilant. Tatyana Shishkova, Lead Security Researcher at Kaspersky GReAT, offered the following rapid response:
'Stalkerware remains a global and serious problem, as confirmed by the recent reports on the Catwatchful app. While such products are typically marketed as legitimate parental control apps, they pose significant risks: they operate stealthily, being installed without a person's knowledge or consent, and provide a perpetrator with the means to secretly monitor the victim's most private information.
Moreover, such apps, despite the developer's claims about security, pose privacy risks to the perpetrators themselves. There are frequent data leaks, as recent media reports confirm.
Although it was reported that the app 'is invisible and undetectable on the phone', Kaspersky has been detecting Catwatchful as stalkerware since 2018. The 'Who's spying on me' functionality enables users of the Kaspersky app for Android with a dedicated notification when this stalkerware is detected.
This case reinforces the need to continuously raise awareness about stalkerware and tech-enabled abuse, empowering individuals with the knowledge on how to protect both their digital and physical lives.'
Why it matters
Catwatchful's breach illustrates three persistent dangers:
Victim exposure – Intimate data can be harvested without consent and then leak wholesale when attackers exploit poor security hygiene.
Perpetrator risk – Buyers entrust their credentials and sometimes incriminating evidence to vendors whose safeguards are minimal.
Policy gaps
– Stalkerware occupies a grey zone in many jurisdictions, complicating enforcement and takedown efforts.
Cyber-safety advocates, including the global Coalition Against Stalkerware, argue that the only sustainable fix is a combination of tougher regulation, stricter platform policing and wider public education on detecting and removing clandestine tracking apps.
For Android users concerned about possible compromise, Kaspersky and other security vendors recommend running a reputable mobile security suite, checking for unfamiliar accessibility-service permissions and keeping devices updated with the latest patches. Victims of tech-facilitated abuse can also seek specialised support from local domestic-violence hotlines and digital-safety organisations.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Zawya
2 hours ago
- Zawya
Jane Street to challenge India ban, says it engaged in basic arbitrage
BENGALURU: Jane Street has told staff it will contest a ban by India's financial regulator which has accused the U.S. high-frequency trading giant of market manipulation, adding that its practices in question were "basic index arbitrage trading". Jane Street said it was "beyond disappointed" by what it called "extremely inflammatory" accusations from the Securities and Exchange Board of India (SEBI) and is working on a formal response, according to an internal email sent to employees over the weekend that was seen by Reuters. The email did not elaborate on the potential action that Jane Street might take. SEBI on Friday barred the firm from buying and selling securities in the Indian market and seized $567 million of its funds. "The order clearly lays out SEBI's prima facie case and addresses all relevant areas and questions," SEBI said in an official comment to Reuters. At this stage, we have nothing to add to what is already contained, explained, and reasoned in that order, SEBI added. SEBI in its order had alleged that Jane Street bought large quantities of constituents in India's Bank Nifty index in the cash and futures markets to artificially support the index in morning trade, while simultaneously building large short positions in index options which were exercised or allowed to expire later in the day. The regulator, which tracked Jane Street's trading patterns for more than two years, has also widened its investigation to include other indexes and exchanges, a source has said. Over the past three years, India's derivatives market has had explosive growth as retail investors swarmed in and is now the world's largest. But that has also led to losses for many ordinary investors, which has become a concern for regulators. In its email, Jane Street said arbitrage trades were "a core and commonplace mechanism of financial markets that keeps the prices of related instruments in line." SEBI's order that this activity is "prima facie manipulative" disregards the role of liquidity providers and arbitrageurs in markets, Jane Street added. SEBI did not respond to Reuters' requests for comment. The proprietary trading firm also took issue with SEBI's claims that it had failed to respond adequately to the regulator's concerns, saying the firm's executives had met with regulators and exchange officials multiple times. "Once again, we left this process feeling that we had reached an understanding of the concerns and reflected them in modifications to our trading behaviour." "Since February, we have made ongoing efforts to communicate with SEBI and have been consistently rebuffed," the email said. India accounted for roughly 60% of global equity derivative trading volume in May, according to the Futures Industry Association. Data out on Monday showed that equity derivative losses for India's retail traders widened by 41% to 1.06 trillion Indian rupees ($12.4 billion) in the financial year that ended in March. SEBI Chairman Tuhin Kanta Pandey also said on Monday that the regulator was enhancing its surveillance to scrutinise manipulation in derivatives trading, but added that there may not be many more cases like Jane Street. Other overseas proprietary trading firms that are active in India include Citadel Securities, IMC Trading, Millennium and Optiver.
Khaleej Times
14 hours ago
- Khaleej Times
India: RCB pacer Yash Dayal booked after woman alleges physical violence, mental abuse
Cricketer Yash Dayal has been booked following serious allegations made by Ujjwala Singh, a resident of Indirapuram, Ghaziabad. Police found sufficient evidence to register a case against him after investigation of the allegations. According to earlier reports, the Ghaziabad resident accused Dayal of exploitation on the pretext of marriage. In her complaint, the woman alleged that she had been in a relationship with the cricketer for the past five years, during which she was emotionally, mentally, and physically exploited. Ujjwala further alleged that when she confronted Dayal about the alleged deception, she was subjected to physical violence and mental harassment. "During the relationship, the complainant was made emotionally and financially dependent on him. Later, she found that the man was involved in similar relationships with other women as well," the complaint said. She claimed to have reached out to the women's helpline number 181 on June 14, but said that the matter did not progress at the police station level. Owing to financial and social helplessness, she turned to the Chief Minister's office seeking justice. "She has chats, screenshots, video calls, and photos as evidence," it added. "The request is to investigate this matter promptly and impartially, and to take legal action against the accused. This step is important not only for her, but also for all girls who fall victim to such relationships," it concluded. Yash Dayal was part of RCB's historic IPL 2025 title win earlier this month, taking 13 wickets in 15 matches. He has represented Uttar Pradesh in all domestic formats and is yet to make his India debut.
Khaleej Times
16 hours ago
- Khaleej Times
Some UAE residents miss school fees, medical payments after Al Ansari remittance delay
Some UAE residents who sent remittances over the weekend via Al Ansari Exchange said on July 7 that their families back home have yet to receive the money. The transactions that were supposed to be completed in minutes got delayed for more than 48 hours for some customers. The delay, caused by a technical glitch, happened on a busy weekend, when many expats — after getting their monthly salary — sent money back home earmarked for household expenses, education, rent, medical bills, and other expenditures. 'The money I sent on Saturday night is still sitting pretty in their (Al Ansari Exchange) system,' Indian expat S.P. told Khaleej Times, adding: 'I checked with them yesterday (July 6) and they were blaming NEFT (National Electronic Funds Transfer) collapse. I checked again today (Monday) and the money is still not yet credited to my family's bank account in India." 'I called an Al Ansari branch in Dubai and the staff admitted they experienced some 'technical issues' and assured the system will be up and running soon,' noted the Dubai-based Indian resident. 'Minor technical issue' In a statement sent to Khaleej Times on Monday, Al Ansari Exchange said: 'On Saturday, July 5, a minor technical issue was identified that affected the processing of certain financial transactions at Al Ansari Exchange, a wholly owned subsidiary of Al Ansari Financial Services PJSC, resulting in the unintentional transfer of funds to a small number of customer accounts." Al Ansari Exchange said their 'team responded immediately in close coordination with the relevant financial institutions, and the vast majority of the amounts were successfully recovered". 'We emphasise that regular daily transactions have not been impacted by this incident and continue to be processed as usual," the company underscored, noting: 'Additional preventative measures are being implemented to further strengthen our systems and prevent such occurrences in the future." Al Ansari Exchange also issued an apology 'for any inconvenience caused to those affected and thanked all parties for their cooperation and understanding". A quick call by Khaleej Times to one of Al Ansari Exchange branches on Monday confirmed the 'technical glitch' in the system on Saturday. 'It caused delays in processing the transactions. The system is back to normal today (Monday), but some customers might still experience some delays due to the backlogs over the weekend,' the staff added. 'I incurred a penalty' Marlon, a Filipino expat who has been using Al Ansari Exchange services for almost a decade, said it was the first time he encountered a delay in sending money to the Philippines on July 5. 'Unfortunately, the timing was so bad because I was not able to beat the deadline to pay for my son's school fees. Because of the delay, I incurred a penalty for late payment,' he told Khaleej Times. Dubai-based Kenyan expat Zee also experienced a delay in sending money for her mother's medical expenses. 'Every month, I send around Dh500 for my mother's medicines for diabetes and high blood pressure. There should be no delay for her to receive the money as it is very important for her medical condition,' she said. Both Marlon and Zee are still waiting for confirmation from their respective families if they have received the money. Popular among UAE residents Al Ansari Exchange is recognised as 'the UAE's largest remittance and foreign exchange company' and a subsidiary of Al Ansari Financial Services PJSC. It offers instant online money transfers to India and several other countries, including the Philippines, Pakistan, Bangladesh, Sri Lanka, Egypt, UK, and more. According to its website, Al Ansari Exchange 'has a network of over 260 branches, employing over 4,000 multilingual staff who cater to more than 3 million customers every month with fast, reliable and efficient service at very competitive rates.' The company also has a mobile app that contributes to around 14 per cent of the total number of transactions. Al Ansari Exchange is popular among UAE residents for its annual Dh1 Million Al Ansari Millionaire Promotion. Albert Rioflorido, a Filipino customer living in the UAE for the past 12 years, was named as this year's winner. The promotion, which ran from March 1 to May 29, attracted millions of participants who entered the draw by conducting qualifying transactions at the branch network and digital platforms. The UAE is the third-largest sender of remittances in the world, after the US and Saudi Arabia. Last year, Indian expats based in the UAE sent $21.6 billion to India, equivalent to 19.2 per cent of the total dollar inflows, ranking the UAE as the second-largest source of global remittance after the US.
