The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company

Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years. The latest to emerge thinks it has found a way to stay one step ahead — by turning itself into a franchise.

Certo has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim’s phone. It can’t be removed without the attacker’s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.

What Is It?

The tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner’s knowledge.

From a web-based dashboard, an operator can secretly record calls, stream live audio from the device’s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.

The software is sold on a subscription basis starting from $60. A separate white-label reseller option allows buyers to rebrand and sell the tool under their own company name and logo.

Fig 1. The KidsProtect operator portal.

The “Parental Control” Disguise

The use of a child-safety-themed name is a well-documented tactic in the stalkerware ecosystem. Wrapping intrusive surveillance capabilities in language about protecting children lends a veneer of legitimacy and can help tools avoid detection — by both victims and regulators.

KidsProtect’s own website leans fully into this framing, presenting itself as a parental monitoring platform offering “peace of mind” to concerned parents, complete with reassurances about data encryption and privacy.

Fig 2. Marketing copy from KidsProtect’s website.

However, we first discovered KidsProtect being advertised on a clear-web hacking forum, an odd home for a tool that claims to protect children. The forum, which hosts a range of hacking tools, leaves little ambiguity about the intended audience.

The developer, who appears to be Greek-speaking based on their forum profile and screenshots of the spyware, makes little effort to hide the tool’s true purpose. The listing advertises it openly as “Built for Stability & Stealth”, a curious claim for software supposedly designed to help parents keep their children safe.

The most telling feature is described as “Impossible Anti-Uninstall”: the app can only be removed via the operator’s dashboard, designed specifically to prevent victims from removing surveillance software from their own devices.

Fig 3. KidsProtect’s features listed on a hacking forum.

A Near-Total Surveillance Toolkit

To understand exactly what KidsProtect is capable of, we obtained and analyzed the app’s APK file — the raw Android application package that contains everything needed to install the spyware on a phone.

Deconstructing it reveals an application that requests an extensive range of device permissions, and whose internal components confirm every capability the developer advertises, and more.

From a single web dashboard, an operator can:

• Stream live audio from the device’s microphone in real time, or trigger automated background recordings.
• View a live screen share of the victim’s device.
• Take remote photographs from both the front and rear cameras without the victim’s knowledge.
• Log every keystroke typed on the device.
• Intercept notifications from WhatsApp, Viber, and Telegram.
• Read all SMS messages, including full message content.
• Record all phone calls, with audio files playable and downloadable directly from the dashboard.
• Track live GPS location on a map.
• Access the full contacts list, including names, phone numbers, addresses, and more.
• Browse all photos stored on the device.
• Block all uninstallation attempts by registering itself as a Device Administrator, the app cannot be removed through normal means.

The APK analysis confirms these claims are technically substantiated. The app requests a wide range of Android permissions, including ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA, READ_SMS, READ_CALL_LOG, PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS, and MANAGE_EXTERNAL_STORAGE, among dozens of others.

Of particular note is the app’s request for Android’s Accessibility Service permission, a powerful system-level access originally designed to assist users with disabilities by allowing apps to read and interact with screen content.

It is also one of the most commonly abused permissions in Android malware. Once granted, it gives KidsProtect the ability to read the contents of any app on the screen, intercept passwords as they are typed, and monitor activity across the entire device.

Fig 4. KidsProtect’s live audio streaming feature.

Hiding in Plain Sight

Several features of the app’s technical implementation reveal deliberate efforts to evade detection. Analysis of the APK shows the app is installed under the name “WiFi Service” or “WiFiService Installer” — a generic, innocuous-sounding name designed to avoid arousing suspicion on the device’s home screen.

Additionally, its accessibility service is labelled “WiFiService Assistant”, and its notification listener is called “WiFiService Monitor”.

The app’s package name — com.example.parentguard — uses a placeholder-style identifier (com.example) typically only seen in developer tutorials and sample code. For a commercial product being sold to paying customers, it is a telling detail, suggesting a deliberate choice to avoid leaving a traceable identity within the app itself.

Crucially, the app’s website instructs users to “disable Google Play Protect” before installing the APK — a significant red flag.

Play Protect is Android’s built-in malware scanner; disabling it is a prerequisite for installing software that would otherwise be detected and blocked.

Fig 5. The download screen for KidsProtect.

The app also requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions, which allow it to draw over other apps and prevent Android from shutting it down to save power — ensuring persistent, uninterrupted operation in the background.

A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.

The White-Label Threat

Perhaps the most concerning element of the KidsProtect listing is its reseller programme. The developer offers the tool as a fully white-labelled product, with buyers able to apply their own branding, set their own pricing, and integrate their own payment processing. The listing explicitly frames this as an opportunity to “start your own business.”

Fig 6. Information on how to resell KidsProtect from a hacking forum.

This model has significant implications for the stalkerware landscape as a whole. Developers and operators of surveillance tools have faced increasing legal and regulatory scrutiny in recent years — several prominent platforms, including PhoneSpector and Highster Mobile, were shut down in 2024 following a court ruling in New York.

But white-label infrastructure like KidsProtect means that closing down individual companies may have limited long-term effect. New operators can be up and running under their own brand in a matter of hours, with none of the technical development costs or expertise that previously acted as a barrier to entry.

Technical Summary

Indicators of Compromise

Wrapping Up

KidsProtect is, in substance, stalkerware: a tool designed to enable covert, comprehensive surveillance of another person’s device and communications without their knowledge or consent.

Its child-safety branding, innocuous display name, and web-based interface are cosmetic features that do nothing to change what the software actually does.

The open sale of tools like this on clear-web forums — complete with free trials and a franchise reseller model — reflects a stalkerware ecosystem that continues to adapt and expand despite legal and commercial setbacks.

The availability of white-label infrastructure in particular suggests that enforcement action against individual companies may have limited long-term effect if the underlying technology can be rapidly repackaged and relaunched under new branding.