SQL injection flaw in Catwatchful stalkerware leaks 62,000 user records
Catwatchful, Android spyware disguised as parental-control software, contained an SQL injection vulnerability that exposed plaintext logins, passwords, and device-tracking data for more than 62,000 accounts, according to researcher Eric Daigle. The breach also revealed the identity of the operation’s administrator, the Firebase database address, and linked device information, enabling complete account takeover and access to victims’ real-time audio, video, and location feeds. In response, Google bolstered Play Protect alerts and the API host suspended the account. Users can still detect the hidden app by dialing its built-in backdoor code.
Read more:
https://www.securityweek.com/undetectable-android-spyware-backfires-leaks-62000-user-logins/