Cerberus Stalkerware Abuses Android Accessibility, Firebase for Remote Control
Key Takeaways A potent Android stalkerware, “Cerberus Anti-theft” (package name com.ssurebrec), has been actively distributed on the Google Play Store since October 4, 2023. The...
Key Takeaways
- A potent Android stalkerware, “Cerberus Anti-theft” (package name
com.ssurebrec), has been actively distributed on the Google Play Store since October 4, 2023. - The application facilitates covert surveillance, including location tracking, audio recording, remote photography, and device wiping, all managed via a web dashboard and Google’s Firebase infrastructure.
- Cerberus employs sophisticated techniques, such as abusing Android Accessibility services and faking device shutdowns, to maintain persistence and evade detection.
- Operated by LSDroid SRL from Milan, Italy, the stalkerware has evaded Google’s detection mechanisms for over a year, despite a prior removal in 2018.
- Victims are advised against attempting self-removal due to potential risks, and should instead seek assistance from specialized support organizations.
A sophisticated Android stalkerware known as “Cerberus Anti-theft” has been actively available on the Google Play Store since October 4, 2023. Masquerading as a legitimate anti-theft solution under the package name com.ssurebrec, this application grants malicious actors extensive, covert control over a victim’s device. Its capabilities include silently capturing photographs, tracking geographical location, recording audio, and remotely wiping all device data, all without the user’s knowledge or consent.
Table Of Content
This dangerous application is offered through a subscription model, costing approximately 5 euros per month, and is operated by LSDroid SRL, an entity based in Milan, Italy. The enduring presence of Cerberus on Google’s widely used app marketplace for over a year, actively processing payments, highlights a significant lapse in platform security and content moderation.
The threat posed by Cerberus extends beyond typical malicious applications. Upon a victim tapping a seemingly innocuous notification on a locked phone, the app can discreetly activate the front camera to take a photo within fifteen seconds, log the device’s precise location, and execute any other pre-configured commands by the abuser. Crucially, these actions occur without any visual prompts or indications to the user. Cerberus is engineered to activate across a diverse range of device events, including system boot-up, screen unlocks, network state changes, new app installations, and even movement detected by the phone’s motion sensors. This persistent activation ensures continuous surveillance, irrespective of whether the controlling party is actively logged into their management dashboard.
Researchers at Hexproof comprehensively detailed the operational scope of Cerberus in April 2026. Their findings indicate that the app supports 44 distinct remote commands, all managed via a web-based dashboard hosted at cerberusapp.com. Hexproof’s analysis confirmed that the advanced surveillance functionalities, initially documented in a 2018 academic paper by researchers from Cornell Tech and NYU, remain fully operational in the version currently available on the Play Store. The researchers also pointed out that Cerberus had previously been removed by Google in 2018 under a policy unrelated to stalkerware, only to reappear under a new package name, effectively circumventing the previous ban. In 2020, Cerberus was identified as the most prevalent stalkerware globally, accounting for 52 percent of all such detections tracked by F-Secure.
Firebase-Backed Command Infrastructure
A critical technical aspect of Cerberus is its reliance on Google’s own infrastructure for command-and-control (C2) operations. The stalkerware channels all remote commands through Firebase Cloud Messaging (FCM), a service owned by Google. This means that instructions from the abuser, such as “take a photo” or “wipe the device,” are routed via Google’s servers before reaching the targeted Android device. The researchers identified five distinct Firebase projects, all linked to the same LSDroid developer account, hosting these command channels and the real-time database that synchronizes the operator’s dashboard with infected devices. Suspending these specific Firebase projects would effectively sever the connection between every active Cerberus installation and its controlling party, rendering the stalkerware inoperable.
The companion application, “Lock Screen Protector” (com.lsdroid.lsp), is instrumental in extending Cerberus’s invasive capabilities. Once granted Android accessibility service permissions, this app gains the ability to read all on-screen content, simulate touch gestures, and capture screenshots. A particularly insidious feature involves intercepting the phone’s shutdown dialog when a victim attempts to power off the device. The app dismisses the shutdown prompt and transmits a screenshot of the lock screen to the primary Cerberus application. This results in a “fake shutdown” where the screen goes dark, creating the illusion of a powered-off device, while the camera, microphone, and GPS capabilities remain fully active and functional. This functionality, coupled with the use of the open-source library HiddenApiBypass to circumvent Android’s internal restrictions, demonstrates a deliberate and sophisticated attempt to evade both user detection and platform-level security reviews.
What You Should Do
- Do NOT attempt self-removal: Directly interacting with the device or attempting to uninstall the app can alert the abuser, as Cerberus reports permission changes in real-time. It can also lead to the loss of crucial forensic evidence required for legal protection orders.
- Contact specialized support: If you suspect your device is compromised by stalkerware, immediately reach out to organizations equipped to handle such situations. In the United States, contact the National Domestic Violence Hotline at 1-800-799-7233.
- Seek expert assistance: Organizations like Cornell Tech’s Clinic to End Tech Abuse (CETA) and the NNEDV Safety Net Project offer guidance and support for survivors, including a safe and planned removal process that prioritizes safety and evidence preservation.
- Review app permissions: Regularly check the permissions granted to applications on your Android device, especially those related to Accessibility services, camera, microphone, and location. Be wary of apps requesting excessive or unusual permissions.
- Be cautious with new installations: Exercise extreme caution when installing new applications, even from official app stores. Always verify the developer and read reviews, particularly for apps claiming “anti-theft” or “security” functionalities.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.