Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/Threats/Cerberus Stalkerware Abuses Android Accessibility, Firebase for Remote Control
Threats

Cerberus Stalkerware Abuses Android Accessibility, Firebase for Remote Control

Key Takeaways A potent Android stalkerware, “Cerberus Anti-theft” (package name com.ssurebrec), has been actively distributed on the Google Play Store since October 4, 2023. The...

Jennifer sherman
Jennifer sherman
May 5, 2026 4 Min Read
66 0

Key Takeaways

  • A potent Android stalkerware, “Cerberus Anti-theft” (package name com.ssurebrec), has been actively distributed on the Google Play Store since October 4, 2023.
  • The application facilitates covert surveillance, including location tracking, audio recording, remote photography, and device wiping, all managed via a web dashboard and Google’s Firebase infrastructure.
  • Cerberus employs sophisticated techniques, such as abusing Android Accessibility services and faking device shutdowns, to maintain persistence and evade detection.
  • Operated by LSDroid SRL from Milan, Italy, the stalkerware has evaded Google’s detection mechanisms for over a year, despite a prior removal in 2018.
  • Victims are advised against attempting self-removal due to potential risks, and should instead seek assistance from specialized support organizations.

A sophisticated Android stalkerware known as “Cerberus Anti-theft” has been actively available on the Google Play Store since October 4, 2023. Masquerading as a legitimate anti-theft solution under the package name com.ssurebrec, this application grants malicious actors extensive, covert control over a victim’s device. Its capabilities include silently capturing photographs, tracking geographical location, recording audio, and remotely wiping all device data, all without the user’s knowledge or consent.

Table Of Content

  • Key Takeaways
  • Firebase-Backed Command Infrastructure
  • What You Should Do

This dangerous application is offered through a subscription model, costing approximately 5 euros per month, and is operated by LSDroid SRL, an entity based in Milan, Italy. The enduring presence of Cerberus on Google’s widely used app marketplace for over a year, actively processing payments, highlights a significant lapse in platform security and content moderation.

The threat posed by Cerberus extends beyond typical malicious applications. Upon a victim tapping a seemingly innocuous notification on a locked phone, the app can discreetly activate the front camera to take a photo within fifteen seconds, log the device’s precise location, and execute any other pre-configured commands by the abuser. Crucially, these actions occur without any visual prompts or indications to the user. Cerberus is engineered to activate across a diverse range of device events, including system boot-up, screen unlocks, network state changes, new app installations, and even movement detected by the phone’s motion sensors. This persistent activation ensures continuous surveillance, irrespective of whether the controlling party is actively logged into their management dashboard.

Researchers at Hexproof comprehensively detailed the operational scope of Cerberus in April 2026. Their findings indicate that the app supports 44 distinct remote commands, all managed via a web-based dashboard hosted at cerberusapp.com. Hexproof’s analysis confirmed that the advanced surveillance functionalities, initially documented in a 2018 academic paper by researchers from Cornell Tech and NYU, remain fully operational in the version currently available on the Play Store. The researchers also pointed out that Cerberus had previously been removed by Google in 2018 under a policy unrelated to stalkerware, only to reappear under a new package name, effectively circumventing the previous ban. In 2020, Cerberus was identified as the most prevalent stalkerware globally, accounting for 52 percent of all such detections tracked by F-Secure.

Firebase-Backed Command Infrastructure

A critical technical aspect of Cerberus is its reliance on Google’s own infrastructure for command-and-control (C2) operations. The stalkerware channels all remote commands through Firebase Cloud Messaging (FCM), a service owned by Google. This means that instructions from the abuser, such as “take a photo” or “wipe the device,” are routed via Google’s servers before reaching the targeted Android device. The researchers identified five distinct Firebase projects, all linked to the same LSDroid developer account, hosting these command channels and the real-time database that synchronizes the operator’s dashboard with infected devices. Suspending these specific Firebase projects would effectively sever the connection between every active Cerberus installation and its controlling party, rendering the stalkerware inoperable.

The companion application, “Lock Screen Protector” (com.lsdroid.lsp), is instrumental in extending Cerberus’s invasive capabilities. Once granted Android accessibility service permissions, this app gains the ability to read all on-screen content, simulate touch gestures, and capture screenshots. A particularly insidious feature involves intercepting the phone’s shutdown dialog when a victim attempts to power off the device. The app dismisses the shutdown prompt and transmits a screenshot of the lock screen to the primary Cerberus application. This results in a “fake shutdown” where the screen goes dark, creating the illusion of a powered-off device, while the camera, microphone, and GPS capabilities remain fully active and functional. This functionality, coupled with the use of the open-source library HiddenApiBypass to circumvent Android’s internal restrictions, demonstrates a deliberate and sophisticated attempt to evade both user detection and platform-level security reviews.

What You Should Do

  • Do NOT attempt self-removal: Directly interacting with the device or attempting to uninstall the app can alert the abuser, as Cerberus reports permission changes in real-time. It can also lead to the loss of crucial forensic evidence required for legal protection orders.
  • Contact specialized support: If you suspect your device is compromised by stalkerware, immediately reach out to organizations equipped to handle such situations. In the United States, contact the National Domestic Violence Hotline at 1-800-799-7233.
  • Seek expert assistance: Organizations like Cornell Tech’s Clinic to End Tech Abuse (CETA) and the NNEDV Safety Net Project offer guidance and support for survivors, including a safe and planned removal process that prioritizes safety and evidence preservation.
  • Review app permissions: Regularly check the permissions granted to applications on your Android device, especially those related to Accessibility services, camera, microphone, and location. Be wary of apps requesting excessive or unusual permissions.
  • Be cautious with new installations: Exercise extreme caution when installing new applications, even from official app stores. Always verify the developer and read reviews, particularly for apps claiming “anti-theft” or “security” functionalities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

Threat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Education Sector Targeted by State-Sponsored Cyberattacks

Next Post

SilverFox Uses Fake Tax Notices to Deploy ValleyRAT and ABCDoor Backdoor

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Jennifer sherman
By Jennifer sherman
Threats

ErrTraffic Cybercrime Tool Automates ClickFix Attacks

January 1, 2026
David kimber
By David kimber
Attacks

Dentsu has Disclosed that its U.S.-based Subsidiary Merkle Suffers Cyberattack

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

PoC Exploit Released HPE OneView Vulnerability that Enables Remote Code Execution

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us