Cerberus is stalkerware. Google Play hosts it.

· 11 min read · Mark Esler

A notification appears on the victim’s locked phone with whatever text the abuser typed. The victim taps it. Fifteen seconds later, the front camera silently takes a photo, the phone records where it is, and any other actions the abuser set up run too. The victim sees none of it.

The lock-screen notification is one of many triggers. Cerberus runs whenever the phone does almost anything — turns on, turns off, gets unlocked, joins a different network, installs an app, crosses a place the abuser marked, picks up movement. Each run schedules the next one. Even if the abuser hasn’t logged in for weeks, Cerberus is still running all day — recording when it was set to, saving any photos or recordings to upload later, and picking up where it left off after a restart. The 44 remote commands the abuser can send from cerberusapp.com are on top of that.

The app is Cerberus Anti-theft, sold by LSDroid SRL of Milan, Italy, on a €5/month subscription. Google Play has hosted the current version since October 4, 2023.

The companion app Lock Screen Protector (com.lsdroid.lsp) is published by the same Google Play developer account. It requests the accessibility-service permission — the most sensitive permission on Android. Once granted, it reads all screen content, performs gestures, and captures screenshots. When the user tries to turn the phone off, it intercepts the power dialog, dismisses it, and broadcasts a screenshot of the lock screen to Cerberus. Both apps are live on Google Play today.

What the operator can do

The abuser — whom LSDroid’s dashboard calls the “operator” — can, from a web dashboard at cerberusapp.com or a paired smartwatch:

The abuser can hand Cerberus a Wi-Fi network name — a feature LSDroid calls “radar”. After that, when the victim’s phone comes within signal range of that network, Cerberus tells the abuser. Wi-Fi beacon scanning works indoors, in subways, inside buildings — including domestic-violence shelters, hospitals, courthouses, and police stations, where GPS is unreliable but Wi-Fi names are predictable. If a victim visits a shelter with a known Wi-Fi name, the abuser is alerted instantly.

If the victim’s phone has Tasker installed — a popular Android automation app — Cerberus can fire Tasker macros from seven distinct event categories: power-button press, wrong device-admin password, geofence crossing, motion-sensor trigger, location update, background-service lifecycle, and battery events. Tasker’s permissions are typically broader than Cerberus’s own. Whatever Tasker is set up to do, Cerberus can trigger.

How Cerberus got back on Google Play

Cerberus is developed by LSDroid SRL in Milan, Italy. Its founder, Luca Sagaria, was interviewed by The Verge in April 2013; at that time the company had sold 150,000 licenses and employed two engineers and one customer service representative.

In November 2017, Google emailed LSDroid citing a Malicious Behavior Policy violation. In May 2018, Cornell Tech and NYU researchers named Cerberus as intimate-partner-violence spyware in their IEEE S&P paper and reported the apps to Google. Google did not act on the stalkerware finding. Months later, Google removed com.lsdroid.cerberus from Play, citing a different policy — “Apps that cause users to download or install applications from unknown sources outside of Google Play are prohibited”. LSDroid responded on their own website (archived snapshot) that they would “not bother to appeal” because “the full-featured app” would remain “always available on our website.” LSDroid had no Play Store presence for the next five years.

In 2020, Cerberus accounted for 52% of all stalkerware detections tracked by F-Secure globally — the single most detected stalkerware family on earth that year. Kaspersky has named Cerberus in five consecutive annual stalkerware reports. The Coalition Against Stalkerware tracks it through the stalkerware-indicators IOC database.

The return in October 2023 — three years after Google’s Stalkerware Policy took effect — was the same app under a new package name (com.ssurebrec in place of com.lsdroid.cerberus), with the off-store link removed and the surveillance largely intact. Almost everything the 2018 paper named still runs on the Play app today.

The Play APKs ship one notable extra: an open-source library called HiddenApiBypass, whose purpose is to defeat Android’s restrictions on reaching internal system services that apps aren’t supposed to reach. The library’s own README opens with an explicit instruction to developers, verbatim:

Google Play doesn’t allow apps to use hidden APIs, reporting library usage will cause your app to fail app review, you need to disable dependencies info reporting in build.gradle.

The README then publishes the exact build setting developers need to hide the library from Play’s automated review. LSDroid applied the setting. The library is now in three of the five Cerberus apps live on Google Play, and verifying its presence is one shell command per APK:

unzip -l com.ssurebrec.apk             | grep org/lsposed/hiddenapibypass
unzip -l com.lsdroid.lsp.apk           | grep org/lsposed/hiddenapibypass
unzip -l com.lsdroid.cerberus.kids.apk | grep org/lsposed/hiddenapibypass
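The same check, as an added example written for this page rather than code from the post or from LSDroid, in Python instead of unzip and grep. It goes one step further than the one-liner: an APK is a ZIP file, but the app's compiled code lives in classes*.dex rather than as loose entries, and a dex file's string table keeps the type descriptor of every class it references, so the function also searches each dex entry for the descriptor prefix Lorg/lsposed/hiddenapibypass/. The two "APKs" are tiny ZIPs constructed in memory as sample data; only the library path and its main class name come from the post and the library itself.

```python
"""Detect the HiddenApiBypass library inside APK files (added example, constructed samples)."""
import io
import zipfile
from typing import Dict, List

# Loose ZIP entries under this path are exactly what `unzip -l | grep` matches.
ENTRY_PREFIX = "org/lsposed/hiddenapibypass/"
# Dex string tables store class references as JVM-style descriptors, so any class of the
# library shows up in classes*.dex with this prefix even when no loose entry exists.
DEX_DESCRIPTOR = b"Lorg/lsposed/hiddenapibypass/"


def hidden_api_bypass_indicators(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Return the ZIP entries and dex files that point at HiddenApiBypass."""
    entries: List[str] = []
    dex_hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(ENTRY_PREFIX):
                entries.append(name)
            if name.startswith("classes") and name.endswith(".dex"):
                if DEX_DESCRIPTOR in zf.read(name):
                    dex_hits.append(name)
    return {"entries": sorted(entries), "dex": sorted(dex_hits)}


def has_hidden_api_bypass(apk_bytes: bytes) -> bool:
    """True if either indicator is present."""
    found = hidden_api_bypass_indicators(apk_bytes)
    return bool(found["entries"] or found["dex"])


def build_sample_apk(entries: Dict[str, bytes]) -> bytes:
    """Construct a minimal ZIP standing in for an APK (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one carries the library both as a loose entry and as a dex
# descriptor, the other carries neither. The dex bytes are a stand-in, not a real dex.
SAMPLE_APKS = {
    "with-bypass.apk": build_sample_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00 ... Lorg/lsposed/hiddenapibypass/HiddenApiBypass; ...",
        "org/lsposed/hiddenapibypass/HiddenApiBypass.class": b"\xca\xfe\xba\xbe",
    }),
    "clean.apk": build_sample_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00 ... Lcom/example/MainActivity; ...",
    }),
}


def scan_apks(apks: Dict[str, bytes]) -> Dict[str, bool]:
    """Label -> whether HiddenApiBypass was found, for a batch of APKs."""
    return {label: has_hidden_api_bypass(data) for label, data in apks.items()}


if __name__ == "__main__":
    for label, data in SAMPLE_APKS.items():
        found = hidden_api_bypass_indicators(data)
        status = "HiddenApiBypass present" if has_hidden_api_bypass(data) else "not found"
        print(f"{label}: {status}")
        for entry in found["entries"] + found["dex"]:
            print("   ", entry)
```

To run it against real files, replace the SAMPLE_APKS values with open(path, "rb").read() for each APK; the dex search is what catches builds that strip loose resources but still link the library.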

Google has three enforcement surfaces

Google Play distributes the apps. Five Cerberus apps are live on the Play Store under the LSDroid developer account. Three of them ship the HiddenApiBypass library, each a separate violation of the Malicious Behavior Policy. The capability set documented above — silent camera capture, microphone recording, GPS streaming, SMS reading, lock-screen lure, fake shutdown — meets every clause of Google’s Stalkerware Policy.

Google AdMob pays LSDroid for ads served inside Cerberus. The Play Store APK contains a RewardedInterstitialAd with publisher ID pub-9848961826628138. Google’s own public compliance file at realtimebidding.google.com/sellers.json lists that publisher:

{
  "seller_id": "pub-9848961826628138",
  "seller_type": "PUBLISHER",
  "name": "LSDroid SRL",
  "domain": "cerberusapp.com"
}

Google Payments has LSDroid SRL’s legal registration and billing address on file because Google wires them money. Google AdMob and Google Play both serve the same legal entity. The evidence is entirely in Google’s own public compliance data. AdMob is also the dominant ad channel for stalkerware as a category: 99% of ad-monetized stalkerware apps in a 6,432-app academic study (Gibson et al., PoPETs 2022) use Google AdMob.
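The cross-reference described above, as an added example (not the post's own tooling): AdMob app and ad-unit IDs embed the publisher ID as the string pub- followed by sixteen digits, so extracting every such string from an APK and joining it against the sellers array of sellers.json ties the APK to the legal entity Google pays. The APK and the sellers.json excerpt below are constructed sample data; the one matching seller record reproduces the entry quoted in the post, and the second record is an obvious placeholder.

```python
"""Join AdMob publisher IDs found in an APK with a sellers.json document (added example)."""
import io
import json
import re
import zipfile
from typing import Dict, Optional, Set

# AdMob identifiers look like ca-app-pub-<16 digits>~<app suffix> or
# ca-app-pub-<16 digits>/<ad unit>; the pub-<16 digits> part is the publisher ID.
PUBLISHER_ID_RE = re.compile(rb"pub-\d{16}")


def extract_publisher_ids(apk_bytes: bytes) -> Set[str]:
    """Collect every pub-NNNNNNNNNNNNNNNN string from all entries of the APK."""
    ids: Set[str] = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            ids.update(m.decode("ascii") for m in PUBLISHER_ID_RE.findall(zf.read(name)))
    return ids


def match_sellers(publisher_ids: Set[str], sellers_json_text: str) -> Dict[str, Optional[dict]]:
    """Map each publisher ID to its sellers.json record, or None when unlisted."""
    doc = json.loads(sellers_json_text)
    by_id = {s["seller_id"]: s for s in doc.get("sellers", [])}
    return {pid: by_id.get(pid) for pid in sorted(publisher_ids)}


def build_sample_apk(entries: Dict[str, bytes]) -> bytes:
    """Construct a minimal ZIP standing in for an APK (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed APK: the app-ID suffix after "~" is a placeholder, only the publisher ID is
# the one the post quotes from Google's sellers.json.
SAMPLE_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00 ... ca-app-pub-9848961826628138~0000000000 ...",
    "res/values/strings.xml": b"<resources><string name='x'>pub-9848961826628138</string></resources>",
})

# Constructed sellers.json excerpt in the IAB sellers.json shape; the first record is the
# one the post reproduces, the second is a placeholder.
SAMPLE_SELLERS_JSON = json.dumps({
    "contact_email": "placeholder@example.invalid",
    "version": "1.0",
    "sellers": [
        {"seller_id": "pub-9848961826628138", "seller_type": "PUBLISHER",
         "name": "LSDroid SRL", "domain": "cerberusapp.com"},
        {"seller_id": "pub-0000000000000001", "seller_type": "PUBLISHER",
         "name": "Placeholder Publisher", "domain": "example.invalid"},
    ],
})


def attribute_apk(apk_bytes: bytes, sellers_json_text: str) -> Dict[str, Optional[dict]]:
    """Extract publisher IDs from the APK and resolve them against sellers.json."""
    return match_sellers(extract_publisher_ids(apk_bytes), sellers_json_text)


if __name__ == "__main__":
    for pid, seller in attribute_apk(SAMPLE_APK, SAMPLE_SELLERS_JSON).items():
        if seller is None:
            print(f"{pid}: not listed in sellers.json")
        else:
            print(f"{pid}: {seller['name']} ({seller['domain']}, {seller['seller_type']})")
```

With a real APK, pass the file bytes and the text of https://realtimebidding.google.com/sellers.json fetched separately; a publisher ID that resolves to a named seller with a domain is the link from the binary to the entity being paid.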

Google Firebase hosts the command-and-control (C2) backend. Five Firebase projects, all under the same developer account, host the Firebase Cloud Messaging (FCM) command channels — the mechanism by which an abuser sends a command like “take a photo” or “wipe the device” to an installed Cerberus — and the operator-state Realtime Database that synchronizes operator dashboards with installed devices. Suspending those projects under the Firebase Terms of Service would disable the remote-command channel on every active Play install simultaneously.

All three actions are available to Google unilaterally on the basis of public evidence. None have been used. Google was notified ahead of publication. The indicators of compromise from this research were submitted upstream to the stalkerware-indicators IOC database used by MVT, Quad9, AdGuard, TinyCheck, and MISP, so end-user detection works on every consumer of that feed regardless of platform-side enforcement.

The companion apps: Kids and “Women safe”

Cerberus is not one app. The same Google Play developer account ships Kids (com.lsdroid.cerberus.kids), a “child safety” companion. Kids declares its own Android accessibility service. The system permission dialog the user must accept to grant that service states: “No data is collected or sent.” The Play Store listing closes its description with the same line. The data safety section on the same page lists four data types collected. The same app schedules a StatisticsWorker that uploads the child’s app-usage history, location, and activity to LSDroid’s backend every 30 minutes.

The Kids APK is signed with a 2009 self-issued RSA-1024 certificate in the name Luca Sagaria, minted four years before LSDroid SRL was incorporated — the only Cerberus app on Play still signed under a personal name with no corporate linkage.

The same account also ships Persona2 (com.lsdroid.cerberus.persona2), titled on the Play Store listing as “Personal security — Women safe.” Persona2 reads its device identity from the main stalkerware via the same unauthenticated ContentProvider that the Kids app uses. Persona2 refuses to register with the C2 if the main stalkerware isn’t installed. Both feed the same backend with the same device ID. The same developer account sells the “women safe” product, the children’s monitoring product, and the covert stalkerware. Same C2 domain.

Regulatory exposure

Stalkerware enforcement has prior FTC precedent. Google distributes, hosts, and monetizes a product fitting the same pattern.

Vendor | Regulator action | Outcome
Retina-X Studios (MobileSpy / PhoneSheriff / TeenShield) | 2019 FTC settlement — first stalkerware-vendor enforcement | Required to demonstrate purchaser-consent verification before resuming sales; voluntarily shut down after 2018 data breach
SpyFone (Support King) | 2021 FTC settlement | Banned from the surveillance industry; first FTC ban of a stalkerware vendor; followed 2018 data breach

The FTC has acted on commercial stalkerware developers twice — Retina-X (2019, consent-verification requirement) and SpyFone (2021, industry ban). Cerberus has been on Google Play continuously since October 4, 2023 — distributed, hosted, and monetized by Google — despite fitting both FTC settlements’ fact patterns: hidden launcher icon, no purchaser consent verification, fake shutdown, and capability set targeted at intimate-partner surveillance. Despite EFF urging the FTC to investigate similar networks like TheTruthSpy in 2022, no public FTC action followed; the network went offline in May 2025 only after a data breach forced it.

In Europe, Google Play is a designated Very Large Online Platform under the Digital Services Act; enforcement authority sits with the European Commission directly, with defined timelines once an EU citizen files a notice. Stalking statutes specifically covering tech-enabled surveillance exist across the globe — South Korea’s 2021 Stalking Punishment Act (expanded in 2023 to cyberstalking), India’s Section 354D (which explicitly covers monitoring of electronic communication), and Brazil’s 2021 stalking statute (Article 147-A of the Penal Code) among them. Google Play distributes globally; an abuser’s criminal exposure depends on where the abuse occurs.

This is the short version of a much deeper reverse engineering of the Cerberus stalkerware ecosystem.

How victims discover it

When the abuser’s €5/month subscription lapses, Cerberus reads the timestamp on the next boot, finds it expired, and reverses its concealment. It cancels its hidden-mode notifications, builds a notification with a “Buy” button, re-enables the launcher icon, stops its background service, and relinquishes its device-admin claim — allowing the victim to uninstall normally. An unfamiliar app called Cerberus suddenly appears in the launcher with a persistent notification asking the user to renew a subscription they never bought.

If you are reading this because something like that just happened on a phone you use, the next section is for you.

What a victim can do

If you are in an abusive situation: contact the National Domestic Violence Hotline (1-800-799-7233 in the US) or the Coalition Against Stalkerware before doing anything on the device — even checking can alert the abuser. Cerberus and the Kids app report permission changes to the operator in real time. Removal can also destroy forensic evidence useful for a protection order or criminal complaint. Consider contacting from a different device or a trusted person’s device; the compromised phone is itself a risk surface — it intercepts SMS, reads notifications, and (with Lock Screen Protector installed) sees every screen. Cornell Tech’s Clinic to End Tech Abuse (CETA), the NNEDV Safety Net Project, Operation Safe Escape, and WESNET (Australia) are DV-aware technologists who can plan a removal with the survivor. Outside the US: regional helplines. Safety planning first.

Once you have support in place, the two package names a DV-aware technologist would look for in Settings → Apps (with “Show system apps” enabled) are:

If either is present on a phone, the technologist will also check Settings → Accessibility for services from those packages and Settings → Security → Device admin apps for Cerberus. These checks are not a step a survivor should take alone on a compromised device — Lock Screen Protector reads every screen and reports permission changes to the operator in real time.
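The three checks above, as an added example for the technologist doing the triage (not the post's own adb commands, which are in the full write-up): it parses captures of adb shell pm list packages, adb shell settings get secure enabled_accessibility_services, and adb shell dumpsys device_policy, and reports which of the five Play packages named in this post are installed and whether each holds an accessibility service or device-admin grant. The three captures below are constructed sample output, and the service and receiver class names in them are placeholders; only the package names come from the post.

```python
"""Triage captured adb output for the Cerberus package family (added example, constructed captures)."""
import re
from typing import Dict, Set

# The five LSDroid packages this post names on Google Play, plus the pre-2018 package.
CERBERUS_PACKAGES = {
    "com.ssurebrec": "Cerberus Anti-theft (2023 Play return)",
    "com.lsdroid.cerberus": "Cerberus (package removed from Play in 2018)",
    "com.lsdroid.lsp": "Lock Screen Protector",
    "com.lsdroid.cerberus.kids": "Kids",
    "com.lsdroid.cerberus.persona2": "Persona2 / Women safe",
}

# Matches the pkg/cls component form used in settings values and dumpsys output.
COMPONENT_RE = re.compile(r"([A-Za-z][\w.]*)/[\w.$]+")


def parse_pm_list(text: str) -> Set[str]:
    """`pm list packages` prints one `package:<name>` line per installed package."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_accessibility_services(text: str) -> Set[str]:
    """The setting is a colon-separated list of pkg/cls components, or `null` when empty."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in text.split(":") if "/" in comp}


def parse_device_admins(text: str) -> Set[str]:
    """Collect the package of every pkg/cls component in `dumpsys device_policy` output."""
    return {m.group(1) for m in COMPONENT_RE.finditer(text)}


def triage(pm_text: str, a11y_text: str, dpm_text: str) -> Dict[str, Dict[str, object]]:
    """Report each known package that is installed, with its accessibility and admin status."""
    installed = parse_pm_list(pm_text)
    a11y = parse_accessibility_services(a11y_text)
    admins = parse_device_admins(dpm_text)
    findings: Dict[str, Dict[str, object]] = {}
    for pkg, label in CERBERUS_PACKAGES.items():
        if pkg in installed:
            findings[pkg] = {
                "label": label,
                "accessibility": pkg in a11y,
                "device_admin": pkg in admins,
            }
    return findings


# Constructed capture of `adb shell pm list packages`.
SAMPLE_PM = """package:com.android.settings
package:com.ssurebrec
package:com.lsdroid.lsp
package:com.example.notes
"""

# Constructed capture of the enabled_accessibility_services setting; class names are placeholders.
SAMPLE_A11Y = "com.lsdroid.lsp/com.lsdroid.lsp.PlaceholderService:com.example.notes/com.example.notes.PlaceholderService"

# Constructed excerpt of `adb shell dumpsys device_policy`; the receiver class name is a placeholder.
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.ssurebrec/com.ssurebrec.PlaceholderAdminReceiver:
      uid=10345
"""

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DPM).items():
        flags = [k for k in ("accessibility", "device_admin") if info[k]]
        print(f"{pkg} ({info['label']}): installed" + (f", holds {', '.join(flags)}" if flags else ""))
```

The captures are passed in as text so the script never touches the device itself; the technologist collects them once over adb and runs the triage on their own machine.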

The full reverse engineering covers adb shell detection commands, the complete package-name list including companion apps (Kids, Persona2, Enterprise), network indicators, filesystem artifacts, and the SharedPreferences keys that mark active surveillance. If you are a reporter, an enforcement engineer, a detection-tool maintainer, or a technical contact for a DV support organization, that is the version you want.


A pixel-perfect Android shutdown screen runs while the camera does. The same LSDroid developer account ships the APK on Google Play, takes payment from Google AdMob, and runs its command channel on Google Firebase — three Google products, one corporate identity, all visible in Google’s own public records. Cornell Tech and NYU named the app as intimate-partner-violence stalkerware in 2018; Google removed it under an unrelated policy. Google’s Stalkerware Policy took effect October 1, 2020. Cerberus came back to Play October 4, 2023.