
Latest news with #spyware

Data breach reveals Catwatchful 'stalkerware' is spying on thousands of phones

TechCrunch

9 hours ago


A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator.

The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.

Catwatchful is spyware masquerading as a child monitoring app that claims to be 'invisible and cannot be detected,' all the while uploading the victim's phone's private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims' photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone's microphone and access both front and rear phone cameras.

Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person's phone. As such, these apps are commonly referred to as 'stalkerware' (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.

Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.

According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices. Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims).
Some of the records date back to 2018, the data shows.

The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers.

Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.

Catwatchful hosting spyware data on Google's servers

Daigle, a security researcher in Canada who has previously investigated stalkerware abuses, detailed his findings in a blog post.

According to Daigle, Catwatchful uses a custom-made API, which every one of the planted Android apps relies on to communicate with and send data to Catwatchful's servers. The spyware also uses Google's Firebase, a web and mobile development platform, to host and store the victim's stolen phone data, including their photos and ambient audio recordings.

Daigle told TechCrunch that the API was unauthenticated, allowing anyone on the internet to interact with the Catwatchful user database without needing a login, which exposed the entire Catwatchful database of customer email addresses and passwords.

When contacted by TechCrunch, the web company hosting the Catwatchful API suspended the spyware developer's account, briefly blocking the spyware from operating, but the API returned later on HostGator. A spokesperson for HostGator, Kristen Andrews, did not respond to requests for comment regarding the company hosting the spyware's operations.

TechCrunch confirmed that Catwatchful uses Firebase by downloading and installing the Catwatchful spyware on a virtualized Android device, which allows us to run the spyware in an isolated sandbox without giving it any real-world data, like our location.
We examined the network traffic flowing in and out of the device, which showed data from the phone uploading to a specific Firebase instance used by Catwatchful to host the victim's stolen data.

After TechCrunch provided Google with copies of the Catwatchful malware, Google said it added new protections for Google Play Protect, a security tool that scans Android phones for malicious apps, like spyware. Now, Google Play Protect will alert users when it detects the Catwatchful spyware or its installer on a user's phone.

TechCrunch also provided Google with details of the Firebase instance involved in storing data for the Catwatchful operation. Asked whether the stalkerware operation violates Firebase's terms of service, Google told TechCrunch on June 25 that it was investigating but would not immediately commit to taking down the operation.

'All apps using Firebase products must abide by our terms of service and policies. We are investigating this particular issue, and if we find that an app is in violation, appropriate action will be taken. Android users that attempt to install these apps are protected by Google Play Protect,' said Ed Fernandez, a spokesperson for Google.

As of publication, Catwatchful remains hosted on Firebase.

Opsec mistake exposes spyware administrator

Like many spyware operations, Catwatchful does not publicly list its owner or disclose who runs the operation. It's not uncommon for stalkerware and spyware operators to hide their real identities, given the legal and reputational risks associated with facilitating illegal surveillance.

But an operational security mishap in the dataset exposed Charcov as the operation's administrator.

A review of the Catwatchful database lists Charcov as the first record in one of the files in the dataset. (In past spyware-related data breaches, some operators have been identified by early records in the database, as oftentimes the developers are testing the spyware product on their own devices.)
The dataset included Charcov's full name, phone number, and the web address of the specific Firebase instance where Catwatchful's database is stored on Google's servers.

Charcov's personal email address, found in the dataset, is the same email that he lists on his LinkedIn page, which has since been set to private. Charcov also configured his Catwatchful administrator's email address as the password recovery address on his personal email account in the event he gets locked out, which directly links Charcov to the Catwatchful operation.

How to remove Catwatchful spyware

While Catwatchful claims it 'cannot be uninstalled,' there are ways to detect and remove the app from an affected device.

Before you start, it's important to have a safety plan in place, as disabling spyware can alert the person who planted it. The Coalition Against Stalkerware does important work in this space and has resources to help victims and survivors.

Android users can detect Catwatchful, even if it is hidden from view, by dialing 543210 into your Android phone app's keypad and then hitting the call button. If Catwatchful is installed, the app should appear on your screen.

This code is a built-in backdoor feature that allows whoever planted the app to regain access to the settings once the app is hidden. This code can also be used by anyone to see if the app is installed.

As for removing the app, TechCrunch has a general how-to guide for removing Android spyware that can help you identify and remove common types of phone stalkerware, and then enable the various settings you need to secure your Android device.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

Tech expert reveals five warning signs that someone is spying on you through your phone - and one of them is worryingly common

Daily Mail

3 days ago


An expert has revealed five warning signs that might indicate someone is spying on you through your phone.

Tech expert and CEO of QR Code Generator Marc Porcar, from Spain, said there are multiple ways to check whether someone has installed monitoring software on a device. Revealing the five red flags to watch out for, Marc told The Sun that seemingly 'normal' phone annoyances can actually be something more sinister.

The first tell-tale sign is when phone users notice their battery draining at an alarming or unusually rapid rate. If one's phone no longer lasts the full duration of the day but has been used as normal, this could be a sign that there's an underlying monitoring software depleting the battery. This is because these types of software run constantly in the background, requiring continuous connection to send data to third-party servers. Since this requires a significant amount of battery to run, users with spyware will often notice that their battery is slurped up at a faster rate.

It may seem perfectly normal for phones to overheat at times, particularly during the summer months, but according to the tech specialist, this could be another indication of foul play. 'Phones become hot when spy applications consume processing resources,' he cautioned.

Another key factor to look out for is when a device doesn't cool down - despite it not being used by its owner. Marc warned that users should be suspicious in instances where their device remains warm to the touch, even after long periods of being idle. This can happen when devices are under additional strain from spyware, which forces their internal processors to work harder than they would under normal circumstances. 'The temperature increase is in most cases a direct result of unauthorised background processes running on your phone,' the expert explained.

Next on the list was an inordinate increase in data consumption because this could be a sign that there is hidden software depleting the phone's memory.
He urged people to check data usage statistics in their phone's settings app because this may uncover the culprit behind the increase in data usage. Monitoring apps must send collected information to their controllers, which requires the internet to send over information and, in turn, can drive data usage through the roof. 'These applications will show up as consuming data in the background sometimes using substantial amounts if they're sending images or recording audio,' Marc explained. The expert said this warning sign is often the first detected by victims unwittingly subjected to spy software, with many left perplexed by texts warning them they are nearly out of data.

Next, he alerted phone users to SMS messages that contained odd or unusual characters. Some of the more basic spyware will rely on using codes to pass over information, which can come through as unusual characters.

Lastly, he warned phone users to act with caution when they notice unusual activity from the phone when it's not in use. This can include a myriad of oddities, such as the screen lighting up when not in use or strange sounds coming from the phone during a call. Marc explained that this can happen when more sophisticated spyware is in use because it can allow the culprit on the other side to access microphones and cameras without the victim's knowledge. Those who have sneakily installed spyware can listen to their partner's conversations or watch them through their camera.

To minimise the chances of being spied on, Marc recommended performing regular security checks and removing unrecognised applications where possible. As always, using strong passwords can also provide a barrier to pesky spies being able to install software in the first place, he added. Finally, he said that users could use a full reset as a last resort to remove most types of spyware.
According to UK law, unauthorised surveillance of another person's device is a criminal offence under the Computer Misuse Act, with penalties including imprisonment in the most serious cases.

Alleged Italian phone hacking involves political gossip website, sources say

Reuters

19-06-2025


ROME, June 19 (Reuters) - Italian prosecutors are looking into the alleged hacking of seven phones, including that of the head of political gossip website Dagospia, sources said, as part of a surveillance scandal involving the technology of spyware company Paragon.

The probe follows reports on the alleged spying on two investigative journalists, which have triggered opposition protests and the termination of contracts between Italy and U.S.-owned Paragon. Prime Minister Giorgia Meloni's administration has denied involvement in illicit activities.

Prosecutors in Rome and Naples are investigating the crime of unauthorized access into the phones, sources with knowledge of the matter said on Thursday, adding that Dagospia founder Roberto D'Agostino was among seven journalists and activists who were allegedly spied on.

D'Agostino, whose website Dagospia produces salacious gossip with political behind-the-scenes stories and is a daily must-read for many Italian reporters, was not immediately available for comment. Dagospia, however, reported on the news involving its founder, republishing reports about the investigations from other media outlets under the headline: "Dagospia ends up being spied upon! The illegal wiretaps scandal gets bigger."

As part of their investigation, prosecutors are also looking into the alleged hacking of the phones of investigative reporters, Ciro Pellegrino and Francesco Cancellato, both from the Fanpage website, the sources said.

Italy's domestic and foreign intelligence agencies activated contracts with Paragon in 2023 and 2024, respectively, and used it on a limited number of people with permission from a prosecutor, a report by the parliamentary committee on security, COPASIR, said. The foreign intelligence agencies used the spyware to search for fugitives, to counter illegal immigration, alleged terrorism, organised crime, fuel smuggling and for counter-espionage and internal security activities, COPASIR said.
The committee said it found no evidence that Italian intelligence services used Paragon spyware on Cancellato. Separately, internet watchdog group Citizen Lab said it found evidence of spying on Pellegrino's phone. Former Prime Minister Matteo Renzi, leader of a small opposition party, called for clarity on Thursday over the hacking case, adding that one does not spy on journalists in democracies.

This iPhone hack needed zero clicks – and it spied on journalists

Phone Arena

16-06-2025


Recently, Apple patched a critical iPhone zero-day vulnerability. Reportedly, this vulnerability was quietly exploited, targeting journalists. Citizen Lab discovered the vulnerability. Basically, it allowed for Paragon's Graphite spyware to infiltrate iPhones via iMessage. The issue has been addressed in iOS 18.3.1.

Back in April 2025, Apple notified a select group of iOS users (including two prominent journalists) that their devices had been targeted by spyware. Citizen Lab, which is a cybersecurity research group, confirmed the suspicions using forensic analysis. The investigation reportedly showed that a European journalist and an Italian journalist were targeted by surveillance firm Paragon.

The spyware was reportedly installed via a zero-click attack in iMessage. A "zero-click" attack basically requires no action to be taken by the victim. The malicious user sends a specific malicious message and it compromises the device. Luckily, Apple has patched this vulnerability with iOS 18.3.1.

Meanwhile, as Citizen Lab continued its analysis, it found that the exploited vulnerability was related to how iOS processed photos and videos sent via iCloud links.

Another journalist has also been notified by Apple in January of this year about being targeted with Paragon's spyware. This could mean a broader pattern of attacks against journalists.

So far, it seems only these specific people were targeted, and the vulnerability has been fixed by Apple already, so you generally have nothing to worry about.

However, this incident clearly underlines the continuing fight between malicious users and is generally known for its privacy and security-centric approach, but even Apple can fall prey to the creativity and maliciousness of hackers. It's basically a cat-and-mouse game between device makers and hackers, and it's been like this since tech existed, pretty much.
Although we as users can't do much in the grand scheme of things, it's important to update your device in a timely manner. When a security vulnerability has been discovered, usually companies release patches and updates to iron it out, so don't postpone or delay these when you see them waiting to be installed on your device.

New iPhone Spyware Warning — Act Now To Prevent Attacks

Forbes

13-06-2025


A new warning has been issued to Apple iPhone users by researchers after they found forensic evidence that Paragon Graphite spyware has taken over targets' devices.

Cybersecurity researchers at Citizen Lab — which is known to discover and report vulnerabilities such as spyware — found spyware made by Israeli firm Paragon targeting iPhones. It comes after the Italian government admitted using spyware to target civil society.

Apple initially issued an alert on the new spyware targeting a number of iOS users including journalists on April 29. Among the group were two journalists who consented to the technical analysis of their cases, Citizen Lab's Bill Marczak and John Scott-Railton wrote in their analysis.

After investigating the devices of a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, Citizen Lab found forensic evidence confirming 'with high confidence that both were targeted with Paragon's Graphite mercenary spyware.' Citizen Lab found evidence linking both cases to the same Paragon operator.

The attacker deployed Paragon's Graphite spyware using 'a sophisticated iMessage zero-click attack,' Citizen Lab said, adding: 'We believe that this infection would not have been visible to the target.' The iPhone flaw, tracked as CVE-2025-43200, was patched in iOS 18.3.1.

Spyware is so dangerous because it provides adversaries complete access to your iPhone, including your microphone, camera, email and messages — even those sent via encrypted apps such as WhatsApp or Signal. Worse, spyware is often deployed via so-called 'zero-click attacks' that require no user interaction, taking advantage of vulnerabilities in the iOS operating system. This means the malware can be delivered via an image sent via iMessage or WhatsApp — and you don't need to open it to become a victim.
The fact that Graphite was delivered through a zero-click exploit reflects a growing pattern where 'sophisticated spyware uses zero-day vulnerabilities to silently compromise devices,' says Adam Boynton, senior security strategy manager EMEIA at cybersecurity outfit Jamf.

What makes Graphite especially dangerous is its ability to operate covertly in memory, often leaving minimal artefacts on disk, says Boynton. It is capable of creating system-level impersonations — for example, registering hidden iMessage accounts or spoofing security features — to conceal its presence from both the user and standard detection tools. 'These tactics make traditional mobile security models insufficient on their own,' says Boynton.

The new spyware warning is certainly scary, but at the same time, Apple's security architecture remains 'among the strongest in the industry,' says Boynton. He points to the iPhone maker's Lockdown Mode, which reduces the functionality of your iPhone but helps protect it from spyware.

Spyware is extremely targeted, as can be seen from Citizen Lab's analysis, which focused on journalists' iPhones. Other groups vulnerable to the malware include dissidents, political figures and business users operating in certain sectors.

In order to help prevent being targeted, Boynton emphasises the importance of keeping iPhones up to date. He also suggests enabling Lockdown Mode on Apple devices if you are in a sensitive or high-risk role.

Another way of disrupting spyware is to turn your iPhone off and on again. But it's not a permanent solution and if you do suspect the malware is on your device, contact an organization such as Amnesty or Access Now for help.

As researchers reveal more details about the dangers of the Graphite spyware, it is important that you update your iPhone now to the latest software, currently iOS 18.5. Even if you are not a target, upgrading will protect you from a number of flaws that could compromise your iPhone's security.
