KidsProtect: New Rebrandable Android Stalkerware Platform Lets Anyone Resell Covert Surveillance Malware

A new Android spyware platform called KidsProtect is being sold openly on clear-web hacking forums, and it comes with something far more dangerous than its surveillance capabilities alone: a fully operational white-label reseller model that lets any buyer rebrand it, rename it, and sell it as their own product. Security researchers at Certo have issued a warning that this business model could fundamentally undermine years of law enforcement efforts to shut down the commercial spyware industry.

KidsProtect: Stalkerware Disguised as Parental Control

KidsProtect presents itself as a parental monitoring application, but its true purpose has nothing to do with child safety. Once installed on an Android device, the app runs entirely in the background with no visible indicator, giving the operator full covert control over the victim’s phone. The tool targets Android 7 and above, claims support for Android 16, and is offered on a subscription basis starting at $60. A separate white-label package lets buyers rebrand it entirely and resell it under their own company name and pricing structure.

Certo analysts identified the platform being advertised on a hacking forum — an unusual venue for a tool that claims to protect children. The listing made little effort to hide its real purpose, advertising the app as “Built for Stability and Stealth” and offering a one-day free trial to prospective operators.

The White-Label Reseller Model: A Law Enforcement Nightmare

The truly dangerous innovation here is not the surveillance capabilities themselves — it is the business model. The white-label reseller structure means that even if one operator is taken down by law enforcement, dozens of new operators can relaunch the same underlying technology under fresh branding within hours.

This directly undermines past enforcement actions. In 2024, a New York court ordered the shutdown of PhoneSpector and Highster Mobile, two well-known stalkerware platforms. The KidsProtect reseller model is engineered specifically to make such victories far less meaningful over time, as the technology can be perpetually redistributed under new names.

How KidsProtect Hides on Infected Devices

The app employs multiple layers of concealment to avoid detection by victims:

• After installation, it does not appear under its real name. Instead, it registers as “WiFi Service” or “WiFiService Installer” — generic labels most users would overlook.
• Its accessibility service is labeled “WiFiService Assistant” and its notification listener is called “WiFiService Monitor”, keeping every visible system component looking like a harmless built-in process.
• The app’s package name, com.example.parentguard, uses a placeholder prefix associated with beginner coding tutorials — a deliberate choice to avoid leaving a traceable commercial identity within the app itself.

Extensive Permissions and Surveillance Capabilities

Certo researchers obtained and analyzed the KidsProtect APK, confirming the app requests an extensive list of Android permissions:

• ACCESS_BACKGROUND_LOCATION — continuous location tracking even when the screen is off
• RECORD_AUDIO and CAMERA — live audio streaming and remote camera access
• READ_SMS, READ_CALL_LOG, and READ_CONTACTS — full communications surveillance
• Accessibility Service abuse — the app reads any content shown on screen and intercepts passwords as they are typed, granting full visibility across the device
• SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS — prevents Android from killing the process to save battery

A BootReceiver component restarts the app automatically on every device reboot. To block removal, it registers as a Device Administrator via MyDeviceAdminReceiver, making standard uninstallation through phone settings impossible.

Installation Requires Disabling Google Play Protect

The download page for KidsProtect explicitly instructs users to disable Google Play Protect before installing — a clear signal that Android’s built-in malware scanner would flag it immediately. The APK is distributed outside the official Google Play Store and must be sideloaded, which itself requires enabling “Install unknown apps” in Android settings.

Indicators of Compromise

• Package Name: com.example.parentguard
• SHA-256: 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0
• SHA-256: 1b1d9b260deec0c612ec67579fd36fec7722b2b8446ab32284a08f44f4ea64da
• SHA-256: f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165

How to Protect Yourself

• Keep Google Play Protect enabled at all times and never disable it at the request of any app installer.
• Never sideload APKs from sources outside the official Google Play Store.
• Review the Device Administrator list in Android security settings (Settings → Security → Device Admin Apps) and revoke any unrecognized entries.
• Check for the package name com.example.parentguard — if detected on any device, treat it as a confirmed infection and seek professional assistance to remove it.
• Audit Accessibility Services (Settings → Accessibility → Installed Services) and revoke access for any app you do not recognize or explicitly authorized.