← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
KidsProtect - A Near-Total Surveillance Toolkit
WHITE Q.Vashti 2026-05-05 Modified: 2026-05-05
73
IOCs
HIGH VOLUME
Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years. Certo has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim’s phone. It can’t be removed without the attacker’s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own. The tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner’s knowledge. From a web-based dashboard, an operator can secretly record calls, stream live audio from the device’s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.
capturekidsprotectandroidcertogps locationwhatsappviberwifiserviceprotectremote accesstrojanparentalstealthstreamtelegramservice installerclasses2.dexdalvik dexandroidyara detectionsfilehashav detectionsids detectionsalertsanalysis datefile scorelow riskopen thvirustotal apicommentsiocsdata uploadextractionse boypes
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Remote Access ALF:AndroidOSSuspiciousPerms.A
Indicators of Compromise (5 / 73 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname email
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 05ee54ac6eda2dd3664feb0a101722851e97d9de SHA1 of 17817d9e29920493bb20ed626c3026e3c29eb6f1d56ef9462c306066ce2ad171 2026-05-05
FileHash-SHA1 85cea2573921a252af526991bdcfd8db6987e6a4 SHA1 of 1b1d9b260deec0c612ec67579fd36fec7722b2b8446ab32284a08f44f4ea64da 2026-05-05
FileHash-SHA1 b18665190c0c143b5d13e580bd1ef64fa0974e90 SHA1 of f0d01b28ddfdbefe0697994a6b30f2b8a4e39ef1ad6c9427b921b2ccd945a8c5 2026-05-05
FileHash-SHA1 baef106a97eb2089219d7629f3b5a80a8aedda24 SHA1 of f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165 2026-05-05
FileHash-SHA1 cd25f40f33f04e84181b217528152603cd7ead05 SHA1 of 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0 2026-05-05
References (13)
↗ The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo ↗ https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/ ↗ Android Permissions Below: ↗ ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA, ↗ PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS, ↗ MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG, ↗ The app’s package name — com.example.parentguard ↗ App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions ↗ A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted. ↗ com.example.parentguard ↗ The software is sold on a subscription basis starting from $60. ↗ Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert . ↗ Additional research by Q.Vashti