FHN 
A newly uncovered Android spyware platform is changing how surveillance malware spreads. Instead of being a single tool, it works like a service that anyone can subscribe to, customize, and sell under their own name.
Researchers at Certo identified a spyware tool called KidsProtect, which presents itself as a parental monitoring app. This is a common disguise in the stalkerware space, where intrusive tracking features are marketed as safety tools.
But the reality is different. The platform is openly promoted in hacking communities with claims of stealth and stability, clearly targeting covert surveillance use rather than legitimate parental control.
Through a web dashboard, operators can monitor a device remotely with capabilities that go far beyond basic tracking. This includes listening to calls, accessing messages, tracking live location, and even capturing keystrokes—all without the victim’s knowledge.
Deep Device Control and Evasion Tactics
Once installed, the spyware runs silently in the background and gives attackers near-total visibility into the device.
Key functions include:
- Live microphone access and call recording
- Real-time GPS tracking
- Reading SMS and app messages (including WhatsApp and Telegram)
- Keystroke logging for capturing passwords
- Remote access to cameras
- Monitoring screen activity in real time
To achieve this level of control, the app abuses sensitive Android permissions such as access to location, microphone, camera, and storage. One of the most critical features it exploits is the Accessibility Service, which allows it to read screen content and interact with other apps—making real-time surveillance possible.
The spyware is also built to stay hidden and resist removal. It disguises itself as a system-like app (for example, “WiFi Service”), registers as a Device Administrator, and includes anti-uninstall protection. Even after a device restart, it automatically relaunches using a BootReceiver component.
Victims are often tricked into disabling built-in protections like Google Play Protect, allowing the malware to operate freely without interruption.
A Growing Threat Through White-Label Resale
What makes this platform especially dangerous is its white-label model. Buyers can rebrand the spyware, set their own pricing, and distribute it as if it were their own product. This turns malware into a scalable business model rather than a single tool.
With entry costs starting relatively low, even non-technical users can launch their own spyware operation. This lowers the barrier to entry and allows the ecosystem to grow quickly, even when authorities shut down known stalkerware providers.
The spyware operates under package names like com.example.parentguard and supports Android devices from version 7 onwards. It also allows unencrypted (cleartext) traffic, increasing the risk of data exposure.
Overall, this platform shows how stalkerware is evolving—from isolated tools into commercialized services that enable widespread surveillance with minimal effort.
About the Author
