Cerberus stalkerware on Google Play uses Accessibility and Firebase for remote control


Cerberus Anti-theft, an Android app marketed as a phone security and anti-theft tool, has been identified by researchers as full-featured stalkerware hosted on Google Play.

Hexproof researcher Mark Esler reported that the current Play Store version has been available since October 4, 2023, under the package name com.ssurebrec. The app is developed by LSDroid SRL, a company based in Milan, Italy.

The concern is not limited to tracking a lost phone. Researchers found that Cerberus can let an operator remotely take photos, record audio, track location, read sensitive phone data, trigger actions from a dashboard, and keep the victim unaware.

What researchers found

Cerberus presents itself as an anti-theft product, but Hexproof says its active feature set matches the behavior of stalkerware. The app can collect sensitive data and perform surveillance actions that go far beyond normal device recovery.

The operator can use a web dashboard at cerberusapp.com to send remote commands to an installed device. Hexproof counted 44 remote commands available through the Cerberus ecosystem.

Researchers also found that the app works with a companion Play Store app called Lock Screen Protector. This second app asks for Android Accessibility access, which gives it powerful control over screen content and touch actions.

| Detail | What was reported |
| --- | --- |
| Main app | Cerberus Anti-theft, listed as Anti-theft Alarm Phone Tracker |
| Package name | com.ssurebrec |
| Developer | LSDroid SRL |
| Companion app | Lock Screen Protector, package com.lsdroid.lsp |
| Main abuse path | Remote commands, Accessibility access, Firebase messaging, device admin features |
| Reported price | 5 euros per month subscription |

How the app can monitor a victim

Hexproof described a simple trigger that shows how covert the app can be. A victim can tap a normal-looking lock-screen notification, and Cerberus can silently take a front camera photo shortly afterward while also logging the phone’s location.

The app can also react to routine device events. These include boot, unlock, network changes, app installs, movement, geofence activity, and background service events.

This means surveillance does not depend on the operator watching the dashboard in real time. The app can keep running tasks in the background and later upload collected data.

  • Silent front or rear camera photos
  • Audio and video recording
  • Screen recording
  • Continuous GPS tracking
  • Contacts, call log, and SMS access
  • Remote lock or wipe commands
  • Hidden SMS interception
  • Remote triggering of Tasker automations

Firebase gives the app a command channel

One of the most important findings is Cerberus’s use of Firebase Cloud Messaging. Hexproof says remote commands pass through Google’s Firebase infrastructure before reaching the victim’s device.

The research also identified multiple Firebase projects tied to the Cerberus ecosystem. These projects support command delivery and dashboard synchronization between the operator and installed devices.

That matters because the command channel does not rely only on a private server. The system uses Google-owned infrastructure as part of the control path, which makes platform enforcement especially important.

| Infrastructure element | Role in the ecosystem |
| --- | --- |
| Google Play | Distributes the app to Android users |
| Firebase Cloud Messaging | Delivers remote commands to devices |
| Firebase database projects | Support dashboard and device synchronization |
| cerberusapp.com | Provides the operator dashboard |
| Google AdMob | Reported by Hexproof as part of the monetization chain |

Accessibility abuse expands control

The companion app Lock Screen Protector plays a key role. Once it receives Accessibility permission, it can read on-screen content, perform gestures, capture screenshots, and block parts of the user interface.

Hexproof says the companion app can interfere when a victim tries to power off the phone. It can dismiss the shutdown dialog and send a screenshot to the main Cerberus app.

The result is a fake shutdown behavior. The screen can appear dark while the phone remains active, allowing sensors such as the camera, microphone, and GPS to keep working.

Why Google Play policy is part of the story

Google’s Play Protect documentation defines stalkerware as code that collects sensitive data from a device and sends it to another party for monitoring purposes. It also says monitoring apps cannot be used to track someone such as a spouse.

Google’s Play policy also requires monitoring behavior to have proper disclosure, consent, and persistent notification. Hexproof argues that Cerberus’s feature set conflicts with those rules.

The app’s current Play Store listing describes it as an anti-theft and phone tracker tool. The developer listing shows more than 100,000 downloads for the Anti-theft Alarm Phone Tracker app.

A long history with stalkerware concerns

Cerberus is not a new name in this space. A 2018 academic paper by researchers from Cornell Tech and NYU identified Cerberus in the context of intimate partner surveillance.

Hexproof also notes that Google removed an earlier Cerberus package from Play in 2018 under a separate policy related to off-store downloads. The current version later returned under a different package name.

In 2020, Cerberus accounted for 52% of stalkerware detections tracked by F-Secure globally, according to figures cited by the Coalition Against Stalkerware and Hexproof.

| Year | Relevant event |
| --- | --- |
| 2018 | Cerberus was named in research on intimate partner surveillance apps. |
| 2018 | Google removed an earlier Cerberus package under a separate Play policy. |
| 2020 | Cerberus accounted for 52% of F-Secure’s global stalkerware detections. |
| 2023 | The current Play Store version appeared under com.ssurebrec. |
| 2026 | Hexproof published new reverse-engineering research on the app ecosystem. |

What victims should know before removing it

People who suspect stalkerware should not rush to change settings or remove the app from the monitored phone. Safety groups warn that removal can alert the abuser and may escalate the situation.

The NNEDV Safety Net Project advises survivors to think about safety before searching for or removing stalkerware. It also recommends using a separate safe device when seeking private help.

Hexproof gives similar guidance for Cerberus specifically. It says permission changes can be reported to the operator in real time, and removal may destroy forensic evidence that could help in legal action.

  • Use a safer phone or computer to seek help.
  • Talk to a domestic violence advocate before changing settings.
  • Preserve evidence if legal action may follow.
  • Avoid confronting the suspected abuser through the monitored device.
  • Ask a trained professional for help with safe removal.

What security teams should monitor

Organizations should treat this case as a warning about dual-use and surveillance apps on managed Android devices. Apps that claim to protect a phone can still create serious privacy and safety risks.

Mobile device management teams should review installed apps for Cerberus package names, unusual Accessibility permissions, device administrator grants, and unexpected Firebase traffic tied to monitoring behavior.
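The inventory review described above can be scripted against read-only exports from a managed device. This is an added example, not code from Hexproof or the original article: it assumes the three inputs were captured with `adb shell pm list packages`, `adb shell settings get secure enabled_accessibility_services`, and `adb shell dumpsys device_policy`, and the sample inputs and component class names below are constructed placeholders.

```python
import re

# Package names reported on this page (Hexproof research).
WATCHLIST = {
    "com.ssurebrec": "Cerberus Anti-theft (main app)",
    "com.lsdroid.lsp": "Lock Screen Protector (companion app)",
}

# Matches flattened Android component names such as "pkg.name/.ClassName".
COMPONENT_RE = re.compile(r"\b([A-Za-z]\w*(?:\.\w+)+)/[\w.$]+")


def installed_packages(pm_output):
    """Parse `pm list packages` output (one "package:<name>" per line)."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def component_packages(text):
    """Return the package part of every component token found in text."""
    return {m.group(1) for m in COMPONENT_RE.finditer(text)}


def audit(pm_output, a11y_setting, device_policy_dump):
    """For each watchlisted package that is installed, report its access."""
    installed = installed_packages(pm_output)
    a11y = component_packages(a11y_setting)         # "null" yields no matches
    admins = component_packages(device_policy_dump)  # dump layout varies by Android version
    return {
        pkg: {
            "label": label,
            "accessibility_enabled": pkg in a11y,
            "device_admin": pkg in admins,
        }
        for pkg, label in WATCHLIST.items() if pkg in installed
    }


# Constructed sample exports; class names are placeholders, not the apps' real ones.
SAMPLE_PM = "package:com.android.chrome\npackage:com.ssurebrec\npackage:com.lsdroid.lsp\n"
SAMPLE_A11Y = "com.lsdroid.lsp/.PlaceholderService:com.example.reader/.ReaderService"
SAMPLE_DPM = "Enabled Device Admins (User 0):\n  com.ssurebrec/.PlaceholderAdminReceiver:\n"

if __name__ == "__main__":
    for pkg, info in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DPM).items():
        print(pkg, info)
```

The script only parses exported text and changes nothing on the device, which matters given that permission changes can be reported to the operator in real time.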

Security teams should also check whether employees installed apps outside approved channels. Stalkerware and covert monitoring tools often rely on physical access, social pressure, or misleading security claims.

| Area to review | Why it matters |
| --- | --- |
| Accessibility permissions | They can allow screen reading, gestures, and screenshots. |
| Device admin access | It can make removal harder and enable powerful controls. |
| Unknown anti-theft apps | They may hide monitoring features behind security branding. |
| Firebase traffic | It may support command delivery for mobile apps. |
| Package inventory | Known package names can help identify Cerberus-related apps. |

FAQ

What is Cerberus Anti-theft?

Cerberus Anti-theft is an Android app marketed as a phone security and anti-theft tool. Hexproof researchers say its current Play Store version includes stalkerware-style surveillance features.

Is Cerberus on Google Play?

Yes. The Play Store listing for Anti-theft Alarm Phone Tracker by Cerberus was accessible during reporting, and the developer page showed more than 100,000 downloads.

What does Lock Screen Protector do?

Lock Screen Protector is a companion app from the same developer. It requests Accessibility access and can read screen content, perform gestures, capture screenshots, and interfere with shutdown attempts.

Why is Firebase important in this case?

Firebase Cloud Messaging helps deliver commands from the operator dashboard to installed devices. This makes Google infrastructure part of the command path described by researchers.
