
TL;DR
- Google suspended Catwatchful, a phone spyware operation, after a month-long delay following a TechCrunch tip.
- The spyware used Firebase to store stolen user data from 26,000 compromised Android devices.
- The database also exposed over 62,000 customer emails and passwords in plaintext.
- Google declined to explain the delay in shutting down the spyware operation.
- The spyware’s developer, Omar Soca Charcov, did not respond to breach notification inquiries.
A Month of Silence Before Action
Google has finally taken down Catwatchful, an Android phone spyware app, after it was found using Google’s Firebase platform to store and manage surveillance data. The spyware was first flagged to Google by TechCrunch in June 2025. However, Google did not act until nearly a month later, suspending the operator’s account only this past week.
The spyware was disguised as a child-monitoring tool, but it operated much like so-called “stalkerware” — apps used for non-consensual monitoring of partners or individuals.
“We’ve investigated these reported Firebase operations and suspended them for violating our terms of service,”
— Google spokesperson Ed Fernandez told TechCrunch.
Google’s delay in taking action, despite its policies against malicious use of its platforms, has raised concerns about its enforcement effectiveness.
The Mechanics Behind Catwatchful
Catwatchful had to be physically installed on an Android device. Once installed, it became invisible on the home screen and began collecting:
- Private messages
- Photos and videos
- Location data
- Call logs and app usage details
This data was uploaded to a remote dashboard accessible only to the person who installed the app. A hidden feature allowed users to access the app by dialing 543210 on the phone’s dial pad.
The spyware’s operations ceased only after Google’s suspension, as confirmed by a network traffic analysis conducted by TechCrunch.
Major Security Lapse Exposed
Security researcher Eric Daigle uncovered a critical vulnerability in Catwatchful’s infrastructure in June. The app’s backend was misconfigured to allow open, unauthenticated access. This exposed:
| Breached Data | Details |
| --- | --- |
| Customer emails & passwords | 62,000+ entries, stored in plaintext |
| Victim device data | 26,000 Android phones identified as compromised |
| Admin identity | Omar Soca Charcov, a developer based in Uruguay |
Despite repeated attempts, Charcov did not respond to TechCrunch’s inquiries. The data was eventually submitted to Have I Been Pwned to help victims identify whether they were compromised.
A Broader Pattern in Spyware Failures
Catwatchful is now the fifth spyware platform in 2025 alone to suffer a massive data breach. These incidents highlight poor security practices in the spyware industry. Since 2017, over two dozen spyware operators have inadvertently leaked user data due to inadequate backend security or poor coding standards.
These breaches often reveal not just victim information but also customer credentials and operational infrastructure. This trend underscores the ethical and technical bankruptcy of the commercial spyware industry.
What Victims Can Do
If you suspect Catwatchful may be installed on your Android device:
- Dial 543210 in the phone app and press “Call” to access the hidden interface.
- Avoid removing the app immediately if you are in a vulnerable or unsafe situation.
- Consult experts or support services before taking action.
📞 The National Domestic Violence Hotline: 1-800-799-7233
🛡️ Coalition Against Stalkerware Resources: stalkerware resources
Removing spyware can trigger retaliation from an abuser. Always have a safety plan in place before attempting to delete surveillance tools.