Cerberus Stalkerware Abuses Google Play for Leverages Accessibility

A dangerous piece of Android stalkerware, identified as Cerberus Anti-theft, has been actively available on the Google Play Store since October 4, 2023.

Sold under the package name com.ssurebrec and marketed as a legitimate anti-theft tool, the app is capable of silently photographing victims, tracking their location, recording audio, and wiping their devices, all without their knowledge.

The app is available through a subscription priced at just 5 euros per month and is operated by LSDroid SRL, a company based in Milan, Italy.

What makes this case alarming is not just the app’s capabilities but the fact that it has stayed on the world’s most widely used app marketplace, fully active and collecting payments, for well over a year.

The core threat here goes beyond what most people would expect from an app listed on an official store.

When a victim receives a seemingly normal notification on their locked phone and taps it, the app silently takes a front camera photo within fifteen seconds, logs the device’s location, and carries out any other commands that the abuser had pre-configured.

The victim never sees a single prompt or indication that anything unusual happened. Cerberus is built to trigger across a wide range of device events, including device boot, screen unlock, network changes, app installations, and even physical movement detected by the phone’s motion sensor.

This ensures the app stays active around the clock, regardless of whether the controlling party is logged into the dashboard or not.

Hexproof researchers identified the full operational scope of Cerberus in April 2026, revealing that the app supports 44 remote commands sent through a web dashboard at cerberusapp.com.

Their analysis found that the surveillance capabilities described in a 2018 academic paper by Cornell Tech and NYU researchers are still intact in the current Play Store version.

The researchers also noted that the app returned to Google Play under a renamed package, effectively evading the removal that Google carried out in 2018 under a policy unrelated to stalkerware.

In 2020, Cerberus accounted for 52 percent of all stalkerware detections tracked by F-Secure globally, making it the single most detected stalkerware family on earth that year.

Firebase-Backed Command Infrastructure

One of the most technically significant aspects of this stalkerware is how it uses Google’s own infrastructure to run its command-and-control operations.

Cerberus routes all remote commands through Firebase Cloud Messaging, a Google-owned service, meaning the abuser’s instructions, such as “take a photo” or “wipe the device,” travel through Google’s servers before reaching the victim’s phone.

Five Firebase projects, all tied to the same LSDroid developer account, host the command channels and the real-time database that synchronizes the operator dashboard with installed devices.

Researchers noted that suspending these Firebase projects would instantly disconnect every active Cerberus installation from its controlling party.

The companion app, Lock Screen Protector (com.lsdroid.lsp), plays a critical role in extending the stalkerware’s reach.

Once granted the Android accessibility service permission, it reads all on-screen content, performs touch gestures, and captures screenshots.

When a victim attempts to power off the phone, this app intercepts the shutdown dialog, dismisses it, and sends a screenshot of the lock screen to the main Cerberus app.

The result is a fake shutdown: the screen goes dark, but the camera, microphone, and GPS remain fully active.

This feature, combined with the use of an open-source library called HiddenApiBypass to defeat Android’s own internal restrictions, represents a deliberate effort to survive both user detection and platform-level review.

Victims who suspect compromise are strongly advised to contact the National Domestic Violence Hotline at 1-800-799-7233 in the United States or reach out to the Coalition Against Stalkerware before taking any action directly on the device.

Even checking the phone’s settings can alert the abuser, since Cerberus reports permission changes to the operator in real time.

Forensic evidence needed for legal protection orders can also be lost during removal. Organizations such as Cornell Tech’s Clinic to End Tech Abuse (CETA) and the NNEDV Safety Net Project can assist survivors with a safe, planned removal process.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.