Published on May 5, 2026

Cerberus Stalkerware Hits Google Play, Abuses Accessibility and Firebase for Remote Control


Severity

Medium

Detail

Cerberus Anti-theft, an Android application available on Google Play, has been identified as stalkerware capable of enabling extensive surveillance and remote control of infected devices.

Originally marketed as a security tool, the application provides near-total control over victim devices by abusing Android accessibility features and leveraging cloud-based infrastructure.

This activity poses significant privacy and security risks, as attackers can monitor user activity, collect sensitive data, and maintain persistent access without the victim’s awareness.

How?

Once installed, Cerberus enables an operator to remotely control the victim’s device through a web dashboard or paired smartwatch, with commands delivered via Firebase Cloud Messaging (FCM).

The attack can be triggered using social engineering techniques such as custom lock-screen notifications. When the victim interacts with the message, the application silently executes preconfigured actions, including activating the camera and collecting location data.

Beyond user interaction, Cerberus maintains persistent surveillance by automatically executing on multiple system events, including device startup, shutdown, unlock, network changes, geofence movement, and motion detection. This ensures continuous monitoring even without active operator input.

Cerberus exposes 44 remote commands, allowing granular control over the device. These include camera access, audio and video recording, GPS tracking, screen recording, SMS and call monitoring, device lock or wipe, and execution of arbitrary actions such as launching applications or simulating a shutdown while remaining active.

To enhance surveillance capabilities, Cerberus is paired with a companion application, Lock Screen Protector, which abuses Android Accessibility Services. This allows it to read on-screen content, perform gestures, capture screenshots, and interfere with system controls such as preventing device shutdown.

Command-and-control (C2) operations are handled through Google Firebase infrastructure, where multiple projects manage command delivery and data synchronization. This enables reliable communication between the attacker and infected devices across different network conditions.

Additional features such as Wi-Fi proximity tracking, combined with motion and geofencing triggers, allow operators to monitor victim movement with high precision, including in environments where GPS tracking is limited.

To evade detection and remain on official app stores, Cerberus incorporates techniques such as HiddenApiBypass, allowing it to bypass Android restrictions while minimizing visible permission requests.

Recommendation

Organizations and users should take the following actions to reduce the risk of stalkerware infections:

  • Avoid installing untrusted or unnecessary applications, even if they appear on official app stores
  • Carefully review application permissions, especially requests for Accessibility Services
  • Monitor mobile devices for unusual behavior such as persistent background activity or unauthorized screen interactions
  • Use mobile security solutions capable of detecting stalkerware and suspicious applications
  • Regularly audit installed applications and remove those that are not required or appear suspicious
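
The permission review and application audit recommended above can be scripted from an analyst workstation. The following is an added example, not part of the original advisory: it reads the output of two standard adb commands and lists user-installed packages that currently hold an enabled Accessibility Service. The package names in the sample data (other than TalkBack) and the allowlist are constructed placeholders, not indicators from this report.

```python
import subprocess

def parse_enabled_services(raw):
    """Return [(package, service_class)] from the colon-separated secure setting."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: no service enabled
        return []
    services = []
    for entry in raw.split(":"):
        pkg, sep, cls = entry.strip().partition("/")
        if not (sep and pkg and cls):
            continue                      # not a package/class component name
        if cls.startswith("."):           # short form, e.g. pkg/.Service
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_third_party(raw):
    """Return the package names printed by `pm list packages -3`."""
    prefix = "package:"
    lines = (line.strip() for line in raw.splitlines())
    return {line[len(prefix):] for line in lines if line.startswith(prefix)}

def audit(services_raw, packages_raw, allowlist=frozenset()):
    """Enabled accessibility services owned by user-installed apps not on the allowlist."""
    third_party = parse_third_party(packages_raw)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(services_raw)
            if pkg in third_party and pkg not in allowlist]

def adb_shell(*args):
    """Run one command on the connected device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample output, so the example runs without a device attached.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.lockhelper/.ScreenService"
    ":com.example.reader/com.example.reader.A11yService\n")
SAMPLE_PACKAGES = ("package:com.example.lockhelper\n"
                   "package:com.example.reader\npackage:com.example.notes\n")

if __name__ == "__main__":
    # On a real device, replace the samples with:
    #   adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    #   adb_shell("pm", "list", "packages", "-3")
    for pkg, cls in audit(SAMPLE_SERVICES, SAMPLE_PACKAGES, {"com.example.reader"}):
        print(f"review: {pkg} has enabled accessibility service {cls}")
```

Any package the script reports should be checked against what the device owner knowingly installed and granted; an accessibility service the user does not recognize is the signal to investigate.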

Source

https://gbhackers.com/cerberus-stalkerware-hits-google-play/