Android App Exposes 62,000 User Creds Due to SQL Injection

Overview
Researcher Eric Daigle recently uncovered a critical SQL injection vulnerability in the Android monitoring app Catwatchful, leaking email addresses, plain-text passwords and other sensitive metadata for over 62,000 registered users. Although marketed to parents for “legal” child monitoring, the app’s stealth-first design raises serious privacy and abuse concerns.
Technical Analysis of the SQL Injection Vulnerability
Daigle found that the app’s backend API endpoint /api/get_user_data failed to sanitize the user_id parameter, allowing attackers to append arbitrary SQL payloads. A proof-of-concept payload like 1 OR 1=1 returned the entire users table. The database in question ran on MySQL 5.7 with default configuration and no web application firewall (WAF) in front of it.
- Input validation: Absent on both client and server sides.
- Prepared statements: Not utilized; raw concatenation of parameters.
- Transport layer: HTTPS enforced, but no certificate pinning.
Operational Infrastructure and Data Flow
Catwatchful leverages the Android Accessibility Service to capture keystrokes, SMS, GPS and social media activity, then streams collected data in near-real time to a cloud console. Initial hosting was provided by a Russian-based provider; after TechCrunch notification, service moved to HostGator’s shared environment.
- Installation: App sideloaded via APK or hidden installer.
- Data exfiltration: HTTPS POST to api.catwatchful.io.
- Dashboard access: Web GUI protected only by email/password.
Legal, Ethical, and Privacy Implications
“Stalkerware poses unique challenges: it’s marketed as parental control yet easily repurposed for harassment,” notes Dr. Lena Kask, privacy researcher at the Electronic Frontier Foundation.
Under GDPR and CCPA, collecting keystrokes and personal communications without explicit consent can trigger heavy fines. Many jurisdictions consider secret recording or monitoring a criminal offense.
Defense and Mitigation Strategies
- For Developers: Adopt OWASP Top 10 best practices. Use parameterized queries and implement WAF rules to detect SQLi patterns.
- For Users: Enable Google Play Protect, restrict Accessibility Service permissions, audit installed apps with anti-stalkerware tools like Kaspersky Anti-Spy.
- For Cloud Hosts: Monitor API endpoints for anomalous queries, enforce stricter password storage (bcrypt or Argon2) and multi-factor authentication.
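The raw-concatenation flaw from the technical analysis and the parameterized-query fix recommended above, shown side by side as an added example (not Catwatchful's code; SQLite, the table layout and the sample rows are constructed stand-ins for the MySQL backend):

```python
import sqlite3

# Constructed sample rows standing in for the real users table; SQLite is
# used as an offline stand-in for the MySQL 5.7 backend named in the article.
SAMPLE_USERS = [
    (1, "alice@example.com", "hunter2"),
    (2, "bob@example.com", "password1"),
    (3, "carol@example.com", "letmein"),
]


def make_db():
    """Create an in-memory database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_user_data_vulnerable(conn, user_id):
    """Raw string concatenation: the user_id value becomes part of the SQL text,
    so '1 OR 1=1' turns the WHERE clause into a tautology and every row leaks."""
    query = "SELECT id, email FROM users WHERE id = " + str(user_id)
    return conn.execute(query).fetchall()


def get_user_data_safe(conn, user_id):
    """Type-check the input, then bind it as a parameter so the driver sends it
    as a value, never as SQL. Either layer alone neutralises the payload; both
    together give defence in depth."""
    try:
        uid = int(user_id)  # user_id must be a plain integer
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, email FROM users WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("vulnerable:", get_user_data_vulnerable(db, payload))  # all three rows
    print("hardened:  ", get_user_data_safe(db, payload))        # []
```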
Latest Developments
In the past week, Google announced enhancements to Play Protect that flag both the Catwatchful installer and its binaries. Meanwhile, the Dutch Data Protection Authority has opened an inquiry into the app’s compliance with EU privacy laws.