← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
KidsProtect - A Near-Total Surveillance Toolkit
WHITE Q.Vashti 2026-05-05 Modified: 2026-05-05
73
IOCs
HIGH VOLUME
Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years. Certo has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim’s phone. It can’t be removed without the attacker’s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own. The tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner’s knowledge. From a web-based dashboard, an operator can secretly record calls, stream live audio from the device’s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.
capturekidsprotectandroidcertogps locationwhatsappviberwifiserviceprotectremote accesstrojanparentalstealthstreamtelegramservice installerclasses2.dexdalvik dexandroidyara detectionsfilehashav detectionsids detectionsalertsanalysis datefile scorelow riskopen thvirustotal apicommentsiocsdata uploadextractionse boypes
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Remote Access ALF:AndroidOSSuspiciousPerms.A
Indicators of Compromise (73)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname email
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 4c76af70feb7a821c7ad593e89839cef MD5 of f0d01b28ddfdbefe0697994a6b30f2b8a4e39ef1ad6c9427b921b2ccd945a8c5 2026-05-05
FileHash-MD5 59b7305956bb4620fa9a2be7f867b9ef MD5 of 17817d9e29920493bb20ed626c3026e3c29eb6f1d56ef9462c306066ce2ad171 2026-05-05
FileHash-MD5 ad06afb11d60d8c758cfb2b40b99fdfe MD5 of 85cea2573921a252af526991bdcfd8db6987e6a4 2026-05-05
FileHash-MD5 c2973700e23d246305aae30d5e3d42c6 MD5 of 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0 2026-05-05
FileHash-MD5 e0e90027e6b33711892f34fc6c1c978e MD5 of f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165 2026-05-05
FileHash-SHA1 05ee54ac6eda2dd3664feb0a101722851e97d9de SHA1 of 17817d9e29920493bb20ed626c3026e3c29eb6f1d56ef9462c306066ce2ad171 2026-05-05
FileHash-SHA1 85cea2573921a252af526991bdcfd8db6987e6a4 SHA1 of 1b1d9b260deec0c612ec67579fd36fec7722b2b8446ab32284a08f44f4ea64da 2026-05-05
FileHash-SHA1 b18665190c0c143b5d13e580bd1ef64fa0974e90 SHA1 of f0d01b28ddfdbefe0697994a6b30f2b8a4e39ef1ad6c9427b921b2ccd945a8c5 2026-05-05
FileHash-SHA1 baef106a97eb2089219d7629f3b5a80a8aedda24 SHA1 of f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165 2026-05-05
FileHash-SHA1 cd25f40f33f04e84181b217528152603cd7ead05 SHA1 of 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0 2026-05-05
FileHash-SHA256 17817d9e29920493bb20ed626c3026e3c29eb6f1d56ef9462c306066ce2ad171 2026-05-05
FileHash-SHA256 1b1d9b260deec0c612ec67579fd36fec7722b2b8446ab32284a08f44f4ea64da SHA256 of 85cea2573921a252af526991bdcfd8db6987e6a4 2026-05-05
FileHash-SHA256 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0 2026-05-05
FileHash-SHA256 f0d01b28ddfdbefe0697994a6b30f2b8a4e39ef1ad6c9427b921b2ccd945a8c5 2026-05-05
FileHash-SHA256 f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165 SHA256 of baef106a97eb2089219d7629f3b5a80a8aedda24 2026-05-05
URL http://kidsprotect.live/get_camera_command.php 2026-05-05
URL https://kidsprotect.live/ 2026-05-05
URL https://kidsprotect.live/check_status.php 2026-05-05
URL https://kidsprotect.live/get_camera_command.php 2026-05-05
URL https://kidsprotect.live/get_commands.php?user_id= 2026-05-05
URL https://kidsprotect.live/update_command_status.php 2026-05-05
URL https://kidsprotect.live/upload.php 2026-05-05
URL https://kidsprotect.live/upload_ambient.php 2026-05-05
URL https://kidsprotect.live/upload_debug.php 2026-05-05
URL https://kidsprotect.live/upload_directory_list.php 2026-05-05
URL https://kidsprotect.live/upload_file_handler.php 2026-05-05
domain kidsprotect.live 2026-05-05
URL https://kidsprotect.live/get_commands.php 2026-05-05
URL https://kidsprotect.live/save_contacts.php 2026-05-05
URL https://kidsprotect.live/sync_calls.php 2026-05-05
URL https://kidsprotect.live/sync_permissions.php 2026-05-05
URL https://kidsprotect.live/sync_sms.php 2026-05-05
URL https://kidsprotect.live/update_permissions.php 2026-05-05
URL https://kidsprotect.live/update_screen.php 2026-05-05
URL https://kidsprotect.live/update_status.php 2026-05-05
URL https://kidsprotect.live/upload_recording.php 2026-05-05
URL https://kidsprotect.live/upload_screen.php 2026-05-05
URL https://kidsprotect.live/upload_screenshot.php 2026-05-05
URL https://kidsprotect.live/upload_social_keylog.php 2026-05-05
URL http://kidsprotect.live/update_location.php 2026-05-05
URL https://kidsprotect.live/app_login.php 2026-05-05
URL https://kidsprotect.live/get_screen_status.php?user_id= 2026-05-05
URL https://kidsprotect.live/update_location.php 2026-05-05
URL https://kidsprotect.live/upload_apps.php 2026-05-05
URL https://kidsprotect.live/upload_photo.php 2026-05-05
URL http://kidsprotect.live/sync_permissions.php 2026-05-05
URL https://kidsprotect.live 2026-05-05
domain userinfo.email 2026-05-05
URL http://schemas.android.com/apk/res 2026-05-05
URL https://developer.android.com/training/articles/direct 2026-05-05
URL https://www.googleapis.com/auth/drive 2026-05-05
URL https://www.googleapis.com/auth/drive.appdata 2026-05-05
URL https://www.googleapis.com/auth/games 2026-05-05
URL https://www.googleapis.com/auth/games.firstparty 2026-05-05
URL https://www.googleapis.com/auth/games_lite 2026-05-05
URL https://www.googleapis.com/auth/plus.login 2026-05-05
URL https://www.googleapis.com/auth/userinfo.email 2026-05-05
URL https://www.googleapis.com/auth/userinfo.profile 2026-05-05
hostname developer.android.com 2026-05-05
hostname schemas.android.com 2026-05-05
hostname www.googleapis.com 2026-05-05
domain plus.me 2026-05-05
URL http://schemas.android.com/apk/res/android 2026-05-05
URL https://issuetracker.google.com/issues/new?component=413107 2026-05-05
URL https://plus.google.com/ 2026-05-05
URL https://www.googleapis.com/auth/appstate 2026-05-05
URL https://www.googleapis.com/auth/datastoremobile 2026-05-05
URL https://www.googleapis.com/auth/drive.apps 2026-05-05
URL https://www.googleapis.com/auth/drive.file 2026-05-05
URL https://www.googleapis.com/auth/plus.me 2026-05-05
email android@android.com 2026-05-05
hostname issuetracker.google.com 2026-05-05
hostname plus.google.com 2026-05-05
References (13)
↗ The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo ↗ https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/ ↗ Android Permissions Below: ↗ ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA, ↗ PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS, ↗ MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG, ↗ The app’s package name — com.example.parentguard ↗ App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions ↗ A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted. ↗ com.example.parentguard ↗ The software is sold on a subscription basis starting from $60. ↗ Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert . ↗ Additional research by Q.Vashti