Popular Android App Allegedly Used for Hidden Surveillance

By Sophia Taylor

A powerful Android stalkerware app has reportedly been available on Google Play since October 2023, raising fresh concerns about how surveillance tools can appear on official app stores while being marketed as ordinary security software.

The app, called Cerberus Anti-theft, is sold by Milan-based LSDroid SRL for around €5 per month. Although it is presented as an anti-theft tool, researchers say it can be used to secretly monitor someone’s phone without their knowledge.

Cerberus can reportedly take photos using the front or rear camera, record audio and video, track a phone’s location, read call logs and SMS history, send messages, lock the device, and even wipe storage remotely. These actions can be triggered from a web dashboard controlled by another person.

Researchers at Hexproof said the app can also respond to ordinary phone events, such as a restart, screen unlock, network change, app installation, physical movement, or a location trigger. This means it may continue operating even when the person controlling it is not actively logged in.

One concerning feature involves lock-screen notifications. A message can appear on the victim’s locked phone, and if the victim taps it, Cerberus can silently take a photo and record the phone’s location shortly afterward. The victim may see no obvious sign that anything happened.

A companion app can make detection harder

Cerberus is also linked to a companion app called Lock Screen Protector, published by the same Google Play developer account. Once granted Android’s accessibility permission, it can read what appears on the screen, perform gestures, and capture screenshots.

Researchers say this companion app can interfere when someone tries to turn off the phone. Instead of shutting down normally, the screen may go dark while the phone stays awake, allowing the camera, microphone, and GPS to remain active.

This kind of “fake shutdown” can make a victim believe the phone is off when it is not. For someone facing abuse or stalking, that could create serious safety risks.

Google services allegedly support parts of the system

According to the research, Cerberus uses Firebase Cloud Messaging, a Google-owned service, to deliver remote commands from the operator’s dashboard to installed devices. Commands such as taking a photo or wiping a phone are said to pass through this infrastructure.

The researchers also reported that multiple Firebase projects tied to the same developer account help support the app’s command channels and dashboard synchronization. They argued that suspending those projects could cut off remote control for active installations.

The app’s history adds to the concern. Cerberus was previously identified in a 2018 academic paper by Cornell Tech and NYU researchers as intimate-partner-violence spyware. It was later removed from Google Play under a separate policy issue, but researchers say it returned in 2023 under a renamed package.

Cerberus has also been widely detected by security firms in the past. In 2020, it accounted for 52% of stalkerware detections tracked globally by F-Secure, making it the most detected stalkerware family in that dataset that year.

What affected users should do

Anyone who suspects Cerberus or similar stalkerware is on their phone should avoid immediately searching through settings or uninstalling apps without a safety plan. Some stalkerware can alert the person monitoring the device when permissions change or removal is attempted.

People in the United States can contact the National Domestic Violence Hotline at 1-800-799-7233. The Coalition Against Stalkerware, Cornell Tech’s Clinic to End Tech Abuse, and the NNEDV Safety Net Project also provide resources for safer detection and removal.

Where possible, victims should seek help from a trusted person or support organization using a different device. Removing stalkerware too quickly can also destroy evidence that may be useful for legal protection or a criminal complaint.

For everyday Android users, the case is a reminder to be cautious with apps that request powerful permissions, especially accessibility access, device administrator rights, camera access, microphone access, SMS access, or location tracking. Even apps from official stores can pose risks when those permissions are misused.
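
The permission check described above can be scripted for a device that a support technician is reviewing. The sketch below is an added example, not code from the Hexproof research or from any vendor. It assumes text captured from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the package names and sample data are constructed, the dump layout varies by Android version, and device administrator rights are not covered.

```python
import re

# Capability groups named in the article, mapped to Android permission names.
RISKY = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")

def granted_by_package(dumpsys_text):
    """Map each package name to the permissions reported as granted=true."""
    grants, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg, grant = PKG_RE.match(line), GRANT_RE.match(line)
        if pkg:
            current = pkg.group(1)
            grants.setdefault(current, set())
        elif grant and current:
            grants[current].add(grant.group(1))
    return grants

def audit(dumpsys_text, accessibility_setting, min_groups=3):
    """Flag apps with an enabled accessibility service or >= min_groups capabilities."""
    # The setting is a colon-separated list of "package/ServiceClass" components.
    a11y = {c.split("/")[0] for c in accessibility_setting.split(":") if "/" in c}
    grants = granted_by_package(dumpsys_text)
    report = {}
    for pkg in sorted(set(grants) | a11y):
        perms = grants.get(pkg, set())
        hits = {group for group, names in RISKY.items() if perms & names}
        if pkg in a11y:
            hits.add("accessibility")
        if "accessibility" in hits or len(hits) >= min_groups:
            report[pkg] = sorted(hits)
    return report

# Constructed sample input (hypothetical packages, trimmed dump layout).
SAMPLE_DUMPSYS = """\
Package [com.example.antitheft] (1a2b3c):
    android.permission.CAMERA: granted=true
    android.permission.RECORD_AUDIO: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
Package [com.example.notes] (7a8b9c):
    android.permission.CAMERA: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=false
"""
SAMPLE_A11Y = "com.example.lockhelper/com.example.lockhelper.Svc"

if __name__ == "__main__":
    print(audit(SAMPLE_DUMPSYS, SAMPLE_A11Y))
```

A flagged package is a prompt for review, not proof of stalkerware: legitimate accessibility tools and messaging apps hold the same permissions.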