A newly discovered Android Remote Access Trojan (RAT) called KidsProtect has weaponized the white-label business model to turn covert phone surveillance into a franchise operation, making it one of the most legally resilient stalkerware threats uncovered in 2026.
A fully featured Android RAT being openly advertised on a clear-web hacking forum, not behind a dark-web paywall or closed threat actor community. Despite its family-friendly branding, KidsProtect is, in every technical sense, stalkerware: software designed to surveil another person’s phone entirely without their knowledge or consent.
The tool is sold on a subscription model starting at $60, with a white-label reseller tier that lets buyers rebrand the spyware under their own company name, logo, and pricing structure.
The developer, assessed to be Greek-speaking based on forum profile artifacts and in-app screenshots, markets the product as “Built for Stability & Stealth,” a peculiar description for software ostensibly intended to protect children.
KidsProtect Android RAT Spyware
An analysis of KidsProtect confirms that the malware’s advertised capabilities are technically substantiated and not marketing hyperbole. Once installed, the spyware operates entirely in the background as a persistent background service. From a centralized web dashboard, an operator gains complete covert control of the victim’s device, including:
- Live microphone streaming and automated background audio recording
- Real-time GPS tracking displayed on a live map
- Remote camera triggers both front and rear, activated silently
- Full keylogging of every character typed on the device
- Notification interception from WhatsApp, Viber, and Telegram
- Call recording with playable audio files accessible in the dashboard
- SMS and contact access, including full message content and address book
- Photo library browsing with remote download capability
- Live screen sharing of the victim’s active display
The app requests a sweeping array of Android permissions, including ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA, READ_SMS, READ_CALL_LOG, PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS, and MANAGE_EXTERNAL_STORAGE.
Of particular concern is its abuse of Android’s Accessibility Service, a system-level privilege originally designed to assist users with disabilities, which grants the app the ability to read all on-screen content across every installed app, intercept typed passwords, and monitor system-wide activity.
The misuse of Accessibility Services is a well-established hallmark of advanced Android RATs, also seen in malware families such as Cerberus RAT.
One of KidsProtect’s most alarming capabilities is its anti-removal mechanism. The app registers itself as a Device Administrator via the MyDeviceAdminReceiver component, meaning it cannot be uninstalled through normal Android settings.
The developer explicitly advertises this as “Impossible Anti-Uninstall,” a feature designed to prevent victims from regaining control of their own devices. A BootReceiver component ensures the spyware automatically restarts after every reboot, maintaining persistent surveillance even if the device is power-cycled.
The app also requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions, which prevent Android from terminating the process during battery management, ensuring uninterrupted background execution.
KidsProtect deploys several layers of obfuscation to avoid detection by victims and security tools alike:
- Displayed name: “WiFi Service” or “WiFiService Installer,” a generic label designed to blend in with system processes
- Package name:
com.example.parentguara placeholder-style identifier typically used in developer tutorials, deliberately avoiding a traceable app identity - Accessibility service label: “WiFiService Assistant.”
- Notification listener label: “WiFiService Monitor.”
Critically, the app’s website instructs users to disable Google Play Protect before sideloading the APK, a clear indication that the software would be flagged and blocked by Android’s built-in malware scanner. Clear-text traffic is also enabled in the app’s configuration, posing an additional data security risk by transmitting harvested data over unencrypted channels.
White-Label Threat
The most strategically significant element of KidsProtect is its reseller program. The developer explicitly frames white-label access as a business opportunity, allowing any buyer to launch their own branded surveillance company within hours with no technical development costs, no infrastructure overhead, and no traceable link back to the original developer.
This model is a direct response to increasing legal and regulatory pressure on stalkerware operators. Prominent platforms, including PhoneSpector and Highster Mobile, were shut down in 2024 following a New York court ruling.
The FTC has actively pursued stalkerware developers, including banning Support King LLC (SpyFone.com) from the surveillance market entirely. The Coalition Against Stalkerware has extensively documented how these tools enable intimate-partner abuse and tech-facilitated coercive control.
However, the white-label franchise model fundamentally disrupts the effectiveness of platform-level enforcement. When any buyer can launch a new branded instance within hours, shutting down individual operators leaves the core infrastructure and the surveillance capability entirely intact.
A 2025 UCL-led study found that 8 out of 20 analyzed sideloaded parental-control apps exhibited stalkerware-level indicators, highlighting how widespread this grey-market tactic has become.
| Indicator | Value |
|---|---|
| Package Name | com.example.parentguard |
| Display Name | WiFi Service / WiFiService Installer |
| Minimum Android | Android 7 |
| Target SDK | Android 14 |
| Anti-Uninstall | Device Administrator (MyDeviceAdminReceiver) |
| SHA-256 | 9864db6b5800d9e03b747c46fdef988e035cadde83077a41c5610d5d89f753a0 |
| SHA-256 | 1b1d9b260deec0c612ec67579fd36fec7722b2b8446ab32284a08f44f4ea64da |
| SHA-256 | f4e9733d93ce35ecd3c83f18addf77f8ff49444d09847eaeef9c8e87837d0165 |
| SHA-256 | 17817d9e29920493bb20ed626c3026e3c29eb6f1d56ef9462c306066ce2ad171 |
| SHA-256 | f0d01b28ddfdbefe0697994a6b30f2b8a4e39ef1ad6c9427b921b2ccd945a8c5 |
Mitigation
Users and security teams can take the steps to detect and counter KidsProtect, Certo reported:
- Check Device Administrators – Go to Settings → Security → Device Admin Apps. Any unknown app registered here is a red flag
- Review Accessibility Services – Revoke access for any app that does not legitimately require it
- Never disable Google Play Protect – Any software that demands this as an installation prerequisite should be treated as malicious.
- Run a mobile security scan – Tools like AntiSpy or reputable AV solutions can detect stalkerware APKs
- Factory reset if compromised – Because of the Device Administrator lock, a full factory reset may be required to remove the spyware fully.
FAQ
Q1: What is KidsProtect?
KidsProtect is an Android RAT disguised as a parental control app that enables full-device surveillance, sold as a white-label franchise on hacking forums for $60 per subscription.
Q2: How does KidsProtect avoid detection on Android?
It installs as “WiFi Service,” turns off Google Play Protect at install time, abuses Accessibility Services, and uses a placeholder package name (com.example.parentguard) to avoid leaving a traceable identity.
Q3: Why is the white-label model dangerous for stalkerware enforcement?
Because white-labeling allows any buyer to rebrand and resell the tool instantly, legal takedowns of individual operators leave the underlying infrastructure intact, enabling an unlimited number of new operators to emerge immediately.
Q4: How can I tell if stalkerware like KidsProtect is on my Android device?
Unexplained battery drain, unknown apps in Device Administrator settings, unrecognized Accessibility Services, or being instructed to disable Google Play Protect are the primary warning signs.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
