A surveillance app marketed as a stealthy tool for parents has exposed sensitive data from over 62,000 users, raising fresh concerns about the real audience for apps like it.
The app, called Catwatchful, claims to offer invisible monitoring for Android phones. According to its creators, it’s intended to help parents keep tabs on their children’s digital activity. But the app’s heavy emphasis on secrecy and undetectability tells a different story. On its website, Catwatchful boasts that it “cannot be detected,” “cannot be uninstalled,” and “only you can access the information it collects.”
Security researchers recently found that Catwatchful had a major vulnerability that allowed anyone to download its full database. The flaw, a SQL injection hole in its infrastructure, exposed a wide array of sensitive information—including email addresses and passwords stored in plain text. It also gave access to data collected from the monitored phones.
The app hides itself completely on the target device and silently uploads data in real time to a remote dashboard. According to researchers, it even includes a hidden uninstall trigger that only works when a specific code is typed into the phone’s dialer.
Beyond the user data, the database leak also revealed backend information about the app’s operators and the services they use. Daigle, one of the researchers who found the flaw, said this opened the door to reporting the developers to cloud hosts and service providers. One web host initially dropped the app after being contacted, but Catwatchful soon resurfaced under another provider.
Google has since updated its Play Protect security features to detect Catwatchful and its installer. If the app is present on a phone, Google Play Protect will now alert users and take action.
While Catwatchful’s developers continue to insist that the app is for legitimate monitoring, its marketing language and stealth design have drawn criticism. Security experts see it as a classic example of stalkerware—a tool that enables invasive surveillance under the guise of parenting. And with a full user database now exposed, even the watchers are no longer safe from being watched.