New Spyware Platform Lets Buyers Rebrand and Resell Android Surveillance Malware

HomeCyber Security News New Spyware Platform Lets Buyers Rebrand and Resell Android Surveillance Malware By Tushar Subhra Dutta May 1, 2026 A new Android spyware tool is being sold openly on the internet, and it comes with something far more dangerous than its surveillance features alone. For a fee, anyone can buy it, put their own name and logo on it, and start selling it as their own product. This is not just a malware story. It is a warning about how the spyware business model is evolving in ways that make it harder for law enforcement to shut down. The tool is called KidsProtect. It presents itself as a parental monitoring app, but its true purpose has nothing to do with child safety. Once installed on a target device, it runs completely in the background, giving the operator full control over the victim’s phone without the victim ever knowing. It works on Android 7 and above, claims support for Android 16, and is sold on a subscription basis starting at $60. A separate white-label package lets buyers rebrand it entirely and resell it under their own company name and pricing structure. Certo analysts identified KidsProtect being advertised openly on a clear-web hacking forum, an unusual place for a tool that claims to protect children. The listing made little effort to hide the tool’s real purpose, advertising it as “Built for Stability and Stealth” and offering a one-day free trial to potential buyers. The developer, based on forum profile details and in-app screenshots, appears to be Greek-speaking. The KidsProtect Operator Portal (Source – Certo) The white-label reseller model means that even if one operator is taken down by law enforcement, dozens of new operators can relaunch the same technology under fresh branding within hours. Marketing Copy From KidsProtect’s Website (Source – Certo) This directly undermines past enforcement actions. In 2024, a New York court ordered the shutdown of PhoneSpector and Highster Mobile, two well-known stalkerware platforms. The KidsProtect reseller model is designed specifically to make such victories far less meaningful over time. Hiding in Plain Sight: How KidsProtect Evades Detection Perhaps the most deliberate aspect of KidsProtect is how hard it works to remain invisible on a device. Once installed, it does not appear under its real name. Instead, it shows up as “WiFi Service” or “WiFiService Installer,” a generic label that most users would overlook without a second thought. Its accessibility service is labeled “WiFiService Assistant” and its notification listener is called “WiFiService Monitor,” keeping every visible component looking like a harmless system process. The app’s package name, com.example.parentguard, raises immediate red flags for anyone with software development knowledge. The “com.example” prefix is a placeholder used in beginner coding tutorials and almost never appears in real commercial software sold to paying customers. Its use here strongly suggests a deliberate choice to avoid leaving a traceable identity within the app itself. KidsProtect’s Features Listed on a Hacking Forum (Source – Certo) Certo researchers obtained and analyzed the APK file, confirming the app requests an extensive list of Android permissions including ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA, READ_SMS, READ_CALL_LOG, and READ_CONTACTS, among many others. The app also abuses Android’s Accessibility Service permission, which grants it the ability to read any content shown on the screen and intercept passwords as they are typed, giving the attacker full visibility across the entire device. KidsProtect’s Live Audio Streaming Feature (Source – Certo) The app requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions, which prevent Android from shutting it down to save battery. A BootReceiver component restarts it automatically on every device reboot. To block removal, it registers as a Device Administrator through MyDeviceAdminReceiver, making it impossible to uninstall through normal phone settings. Its download page instructs users to disable Google Play Protect before installing, a signal the app would be flagged as malware if Android’s built-in scanner were active. The Download Screen for KidsProtect (Source – Certo) Users are strongly advised to keep Google Play Protect enabled at all times and never install APK files from sources outside the official Google Play Store. Any app requesting Accessibility Service access should be carefully reviewed before granting permission. Checking the Device Administrator list in Android security settings can help identify unauthorized entries. If the package name com.example.parentguard is detected on any device, it should be treated as a confirmed infection and reported immediately. Indicators of Compromise:- Package Name: com.example.parentguard SHA-256 Hashes:– 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0 1b1d9b260deec0c612ec67579fd36fec7722b2b8446ab32284a08f44f4ea64da f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165 17817d9e29920493bb20ed626c3026e3c29eb6f1d56ef9462c306066ce2ad171 f0d01b28ddfdbefe0697994a6b30f2b8a4e39ef1ad6c9427b921b2ccd945a8c5 Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News New Android Banking Malware Abuses Fake KYC Workflow and WhatsApp Delivery to Hijack Accounts Cursor AI Coding Agent Vulnerability Allow Attackers to Execute Code on Developer’s Machine Linux Kernel 0-Day “Copy Fail” Roots Every Major Distribution Since 2017 New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection ‘fast16’ Malware with Sabotage Capabilities Attacking Ultra Expensive Targets Latest News Cyber Attack News Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability Cyber Security News Multiple Exim Mail Server Vulnerabilities Leads to Crash with Malicious DNS data Cyber Security News Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace Cyber Security News Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign Cyber Security News cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised