A stealth app called Catwatchful is allegedly trapped in its own web after highlighting the sensitive data of both its users and the victims. The app, which disrupts itself as a child-lover tool, is quietly stealing data from thousands of Android phones-including photos, messages, location details and even live audio from microphones and cameras. But a newly discovered vulnerability has changed the tables.

Canadian security researcher Eric Dagle found that the database of Catwatchful was fully exposed due to a wrong, informal API. This meant that anyone could reach sensitive data, including email addresses of over 62,000 customers and plain-text passwords, as well as private phone data from more than 26,000 victims.

Most of the affected equipment were located in countries such as India, Mexico, Colombia, Peru, Argentina, Ecuador and Bolivia. The data exposed include record stretching records in early 2018. In a blog post, Degley explained that catwatchful is manually installed on a victim’s device, which is a physical access by a person – often a romantic partner or family member – makes it a form of stackware.

Daigle’s investigation also revealed that Catwatchful used Google Firebase to host stolen data, such as photos and real-time audio recording of users. When vigilant, Google said it had added catwatch to his play protect tools to warn Spieware’s Android users.

Breach not only exposed the victims, also revealed the identity of the operator of Catwatchful. According to a report by Techcrunch, the developer behind the spyware was identified as Omar Soa Charkov, a software engineer living in Uruguay. Details of Charkov, including Firebase Web addresses used to store stolen data, were even found in the database, the firebase web addresses. Charcoov’s LinkedIn Profile used the same email address found in spyware data. He also linked his individual email account to the administrator account for catwatch, making him easier to trace him as an operator.

After the discovery, Degley informed the hosting provider for Catwatchful’s API, which briefly suspended spyware services. However, the API later returned through the hostgator. Google is clearly reviewing whether Catwochaful has violated his firebase terms, but at the time of writing the story, the app database remains online.