← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
KidsProtect - A Near-Total Surveillance Toolkit
WHITE Q.Vashti 2026-05-05 Modified: 2026-05-05
73
IOCs
HIGH VOLUME
Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years. Certo has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim’s phone. It can’t be removed without the attacker’s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own. The tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner’s knowledge. From a web-based dashboard, an operator can secretly record calls, stream live audio from the device’s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.
capturekidsprotectandroidcertogps locationwhatsappviberwifiserviceprotectremote accesstrojanparentalstealthstreamtelegramservice installerclasses2.dexdalvik dexandroidyara detectionsfilehashav detectionsids detectionsalertsanalysis datefile scorelow riskopen thvirustotal apicommentsiocsdata uploadextractionse boypes
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Remote Access ALF:AndroidOSSuspiciousPerms.A
Indicators of Compromise (49 / 73 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname email
TYPEINDICATORDESCRIPTIONCREATED
URL http://kidsprotect.live/get_camera_command.php 2026-05-05
URL https://kidsprotect.live/ 2026-05-05
URL https://kidsprotect.live/check_status.php 2026-05-05
URL https://kidsprotect.live/get_camera_command.php 2026-05-05
URL https://kidsprotect.live/get_commands.php?user_id= 2026-05-05
URL https://kidsprotect.live/update_command_status.php 2026-05-05
URL https://kidsprotect.live/upload.php 2026-05-05
URL https://kidsprotect.live/upload_ambient.php 2026-05-05
URL https://kidsprotect.live/upload_debug.php 2026-05-05
URL https://kidsprotect.live/upload_directory_list.php 2026-05-05
URL https://kidsprotect.live/upload_file_handler.php 2026-05-05
URL https://kidsprotect.live/get_commands.php 2026-05-05
URL https://kidsprotect.live/save_contacts.php 2026-05-05
URL https://kidsprotect.live/sync_calls.php 2026-05-05
URL https://kidsprotect.live/sync_permissions.php 2026-05-05
URL https://kidsprotect.live/sync_sms.php 2026-05-05
URL https://kidsprotect.live/update_permissions.php 2026-05-05
URL https://kidsprotect.live/update_screen.php 2026-05-05
URL https://kidsprotect.live/update_status.php 2026-05-05
URL https://kidsprotect.live/upload_recording.php 2026-05-05
URL https://kidsprotect.live/upload_screen.php 2026-05-05
URL https://kidsprotect.live/upload_screenshot.php 2026-05-05
URL https://kidsprotect.live/upload_social_keylog.php 2026-05-05
URL http://kidsprotect.live/update_location.php 2026-05-05
URL https://kidsprotect.live/app_login.php 2026-05-05
URL https://kidsprotect.live/get_screen_status.php?user_id= 2026-05-05
URL https://kidsprotect.live/update_location.php 2026-05-05
URL https://kidsprotect.live/upload_apps.php 2026-05-05
URL https://kidsprotect.live/upload_photo.php 2026-05-05
URL http://kidsprotect.live/sync_permissions.php 2026-05-05
URL https://kidsprotect.live 2026-05-05
URL http://schemas.android.com/apk/res 2026-05-05
URL https://developer.android.com/training/articles/direct 2026-05-05
URL https://www.googleapis.com/auth/drive 2026-05-05
URL https://www.googleapis.com/auth/drive.appdata 2026-05-05
URL https://www.googleapis.com/auth/games 2026-05-05
URL https://www.googleapis.com/auth/games.firstparty 2026-05-05
URL https://www.googleapis.com/auth/games_lite 2026-05-05
URL https://www.googleapis.com/auth/plus.login 2026-05-05
URL https://www.googleapis.com/auth/userinfo.email 2026-05-05
URL https://www.googleapis.com/auth/userinfo.profile 2026-05-05
URL http://schemas.android.com/apk/res/android 2026-05-05
URL https://issuetracker.google.com/issues/new?component=413107 2026-05-05
URL https://plus.google.com/ 2026-05-05
URL https://www.googleapis.com/auth/appstate 2026-05-05
URL https://www.googleapis.com/auth/datastoremobile 2026-05-05
URL https://www.googleapis.com/auth/drive.apps 2026-05-05
URL https://www.googleapis.com/auth/drive.file 2026-05-05
URL https://www.googleapis.com/auth/plus.me 2026-05-05
References (13)
↗ The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo ↗ https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/ ↗ Android Permissions Below: ↗ ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA, ↗ PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS, ↗ MANAGE_EXTERNAL_STORAGE READ_SMS, READ_CALL_LOG, ↗ The app’s package name — com.example.parentguard ↗ App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions ↗ A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted. ↗ com.example.parentguard ↗ The software is sold on a subscription basis starting from $60. ↗ Sophia Taylor a Senior Cybersecurity Writer at Certo, digital security, privacy, and emerging threats expert . ↗ Additional research by Q.Vashti