If you suspect that your device may be compromised by the stalkerware Celular 007 or any other surveillance software, do not attempt to change settings or remove the application on your own. Such actions may be ineffective and could alert the person responsible for installing the stalkerware, potentially putting you at greater risk.
We strongly recommend that you seek professional assistance from organizations specialized in digital security and support for victims of surveillance and abuse, such as InterSecLab or trusted helplines. These entities can provide safe and appropriate guidance tailored to your specific situation.
Introduction
The proliferation of surveillance technology in recent years has quietly transformed the landscape of personal privacy and security. Tools once reserved for law enforcement and intelligence agencies are now readily available to the general public, often marketed under the guise of child safety (parental control) or employee monitoring. Celular 007, also known as FoxSpy, is one such tool originating from Brazil, openly advertised to individuals seeking to monitor others without their consent.
Stalkerware like Celular 007 poses a significant threat by enabling invasive surveillance of intimate partners, employees, and even strangers. Its ease of access and relatively low cost have led to widespread use, normalizing a culture of intrusion and control. The lack of stringent regulations allows these tools to flourish, raising concerns about their potential misuse not only by individuals but also by state institutions and companies.
Recent investigations, such as the case of WebDetetive, have highlighted how Brazilian government email domains were used to register accounts on the stalkerware platform. This underscores the alarming possibility of state actors leveraging such unregulated tools for unauthorized surveillance.
This report delves into a comprehensive analysis of Celular 007, uncovering its invasive capabilities and the broader implications of its use. By examining how the stalkerware operates, we aim to shed light on the urgent need for collective strategies to protect individuals and communities from these threats. Our findings also emphasize the importance of regulatory action to prevent the normalization of surveillance technologies that undermine privacy and empower abusive practices.
Marla emphasized that digital surveillance is often intertwined with other forms of violence, necessitating a holistic approach to risk assessment. She highlighted the importance of collective defense and the challenges in detecting sophisticated stalkerware, which often evades traditional security measures.
This analysis builds upon insights from the workshop and a detailed examination of Celular 007, aiming to empower users and communities with knowledge and practical tools to protect themselves.
Executive Summary
Celular 007 is a sophisticated Android-based stalkerware application that allows perpetrators to monitor and control nearly every aspect of an infected device. Through extensive permissions and covert operations, it can record calls, track locations, capture photos and videos, read messages from various apps, and more—all without the victim’s awareness.
Key findings from our analysis include:
Advanced Surveillance Capabilities:
Utilizes technologies like WebRTC for real-time audio and video streaming.
Abuses Accessibility Services to intercept user interactions.
Comprehensive Data Exfiltration:
Collects and transmits a wide range of personal data, including messages, call logs, and location information.
Persistence Mechanisms:
Employs techniques to remain active on the device, such as auto-start on boot and misuse of device administrator privileges.
Abuse of Legitimate Services:
Utilizes Firebase Cloud Messaging to establish command and control channels, disguising its communications as legitimate traffic.
Indicators of Compromise (IoCs):
Identified specific URLs, IP addresses, file hashes, and other artifacts associated with Celular 007.
Need for Collective Protection:
Highlights the importance of collective defense strategies and community awareness to combat such invasive tools.
We used jadx-gui, a graphical tool for decompiling and analyzing Android applications, to examine the APK. This allowed us to inspect the app’s source code, resources, and manifest file in detail.
APK Analysis Process
Step 1: Decompiling the APK with jadx-gui
Procedure:
Loaded soundy.apk into jadx-gui.
Decompiled the APK to access the Java source code and resource files.
Explored the application’s package structure, code, and resources:
Figure 1: Internal structure of the Celular 007 app visualized in jadx-gui.
The image shows the organization of packages, source code, and resources of the app, as explored during the technical analysis.
Observations:
The code shows signs of some obfuscation.
Identified classes and methods associated with surveillance functionalities.
Noted hardcoded URLs, encrypted strings, and credentials to external services.
Step 2: Application Structure Overview
Key Directories and Files:
AndroidManifest.xml: Defines app permissions, components, and intent filters.
Source Code: Contains activities, services, and receivers that implement the app’s functionalities.
Resources (res folder): Holds UI elements and media files.
Libraries: Includes dependencies on Firebase, AWS, WebRTC, and other services.
Permissions and Capabilities
Figure 2: Permissions requested by Celular 007 in the AndroidManifest.xml file.
Screenshot displaying the permissions the app requires, indicating access to sensitive data and system functionalities.
Celular 007 requests a wide array of permissions, granting it access to sensitive user data and system functionalities. Below are the most critical permissions and their implications:
Permission: Description
ACCESS_FINE_LOCATION: Grants precise GPS location tracking, enabling continuous monitoring of the user’s whereabouts.
RECORD_AUDIO: Allows recording of ambient audio and phone calls without user consent.
CAMERA: Enables capturing photos and videos covertly.
READ_SMS, RECEIVE_SMS: Grants access to read incoming SMS messages.
READ_CALL_LOG, PROCESS_OUTGOING_CALLS: Accesses call history and monitors outgoing calls.
READ_CONTACTS: Retrieves the user’s contact list.
BIND_ACCESSIBILITY_SERVICE: Abuses Accessibility Services to monitor user interactions and extract data from other apps.
RECEIVE_BOOT_COMPLETED: Allows the app to start automatically after device reboot, ensuring persistence.
Reads contacts, call logs, SMS messages, and other personal information.
Monitors and logs GPS location data continuously.
Abuse of Legitimate Services for Malicious Activities
Use of Firebase Cloud Messaging (FCM):
Celular 007 utilizes FCM to establish a reliable command and control (C2) channel, masking its malicious communications as legitimate traffic.
Each infected device registers with FCM using a unique token, allowing the stalkerware to send remote commands and receive updates.
Implications and Mitigation Possibilities:
Detection and Notification by Google:
Since Google controls FCM, there is potential to identify infected devices through the registered tokens.
Google could potentially notify affected users about the presence of the stalkerware on their devices.
Disruption of Stalkerware Services:
Revoking the stalkerware’s access to Firebase services could significantly disrupt its ability to operate, limiting data exfiltration and remote control.
Challenges in Detection:
Traffic to FCM is generally considered safe and is used by numerous legitimate apps, making it difficult to identify malicious activities without in-depth analysis.
The encryption of communications between the infected device and FCM adds an additional layer of complexity.
Data Exfiltration Mechanisms
Command-and-Control Communication:
Communicates with C2 servers via hardcoded URLs and IP addresses.
Uses FCM to receive remote commands covertly.
Use of Legitimate Services:
Registers devices with the Firebase project firebase-foxspy.
Utilizes AWS services for data storage and exfiltration, sending collected information to an S3 bucket.
Persistence and Evasion Techniques
Auto-Start and Service Persistence:
Registers receivers (ServiceCaller, ServiceGps) to auto-start on device boot (RECEIVE_BOOT_COMPLETED).
Runs persistent background services disguised with innocuous names (e.g., SegundoPlano with notification titled “Internet”).
Device Administrator Abuse:
Requests device administrator privileges through AtivarPermissao to prevent uninstallation.
Hides its presence by disguising app icons and names (e.g., “Internet” for MainActivity, “WiFi” for ActiveWifi).
Root Exploitation:
Attempts to gain root access to remount the /system partition and install itself as a system application.
Abuse of Accessibility Services
Intercepting User Interactions:
Uses Accessibility Services to monitor and interact with other apps.
Allows capturing keystrokes, reading messages, and controlling actions on the device without the user’s knowledge.
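The permission table, the persistence mechanisms and the accessibility-service abuse described above can all be checked statically on a decompiled manifest. The following is an added example (not code from the report or from jadx) that runs such a check over a constructed manifest mimicking the described pattern; the package and component names in it are placeholders.

```python
"""Static triage of a decompiled AndroidManifest.xml for the permission,
persistence and accessibility pattern this report attributes to Celular 007.
Added example, not code from the report or from jadx: the manifest below is
CONSTRUCTED to mimic that pattern, and its component names are placeholders."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Permissions the report's table singles out, grouped by capability.
CAPABILITIES = {
    "location": {"ACCESS_FINE_LOCATION"},
    "audio": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "sms": {"READ_SMS", "RECEIVE_SMS"},
    "calls": {"READ_CALL_LOG", "PROCESS_OUTGOING_CALLS"},
    "contacts": {"READ_CONTACTS"},
}
# Labels the report says stalkerware hides behind.
DISGUISE_LABELS = {"Internet", "WiFi", "Settings", "Updates", "System"}

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Internet">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

def analyze_manifest(xml_text):
    """Return the capability set, persistence hooks and a coarse verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name", "").rsplit(".", 1)[-1]
                 for e in root.iter("uses-permission")}
    caps = sorted(c for c, names in CAPABILITIES.items() if requested & names)
    app = root.find("application")
    label = app.get(A + "label") if app is not None else None
    boot, admin, a11y = [], [], []
    for comp in root.iter():
        name = comp.get(A + "name")
        bind = comp.get(A + "permission")  # permission a binder must hold
        actions = {a.get(A + "name") for a in comp.iter("action")}
        if comp.tag == "receiver":
            if "android.intent.action.BOOT_COMPLETED" in actions:
                boot.append(name)
            if bind == "android.permission.BIND_DEVICE_ADMIN":
                admin.append(name)
        elif comp.tag == "service" and bind == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            a11y.append(name)
    # A boot receiver only fires if RECEIVE_BOOT_COMPLETED is also requested.
    persistence = bool(boot and "RECEIVE_BOOT_COMPLETED" in requested) or bool(admin)
    # Heuristic only: several surveillance capabilities plus a persistence hook
    # or an accessibility service is the combination the report describes.
    verdict = "stalkerware-like" if len(caps) >= 3 and (persistence or a11y) else "review manually"
    return {"label": label, "disguised_label": label in DISGUISE_LABELS,
            "capabilities": caps, "boot_receivers": boot,
            "device_admin_receivers": admin, "accessibility_services": a11y,
            "verdict": verdict}

if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(analyze_manifest(text), indent=2))
```

Run it on the AndroidManifest.xml that jadx exports to get the same summary for a real sample.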
Assessment of Celular 007’s Capabilities
The technical analysis of Celular 007 reveals a highly sophisticated stalkerware application that employs a combination of advanced techniques for surveillance, data exfiltration, and persistence on the device:
Technological Sophistication:
The use of WebRTC for real-time streaming and the abuse of Accessibility Services demonstrate a high level of complexity.
The ability to record calls, capture screens, and access personal data makes it an extremely invasive tool.
Abuse of Legitimate Services:
Utilizing Firebase Cloud Messaging as a command and control channel allows the stalkerware to masquerade under legitimate traffic, making detection more difficult.
This underscores the need for collaboration between service providers like Google and the security community to identify and mitigate such abuses.
Evasion and Persistence Techniques:
Disguising itself as system applications and requesting device administrator privileges prevent less tech-savvy users from easily detecting or removing the app.
Auto-start on boot and persistent background services ensure the stalkerware remains active continuously.
Implications for User Security:
The extent of Celular 007’s capabilities poses a serious threat to the privacy and security of affected individuals.
The possibility for major service providers to identify and notify infected users presents an opportunity to mitigate the impact of this and other stalkerware.
This assessment emphasizes the severity of the threats posed by applications like Celular 007 and the importance of collective strategies, both technical and community-based, to combat illegal surveillance and protect user privacy.
Analysis of the Leaked Data
Data Breach
In June 2024, the Brazilian stalkerware known as FoxSpy, or Celular 007, was involved in a significant data breach. The non-profit organization Distributed Denial of Secrets (DDoSecrets) shared the compromised data with us, enabling an in-depth analysis of the stalkerware’s operations and revealing the exposure of information about its victims.
The breach included a copy of the database from the stalkerware’s customer panel, along with a copy of the command and control (C2) server. Notably, the C2 server was implemented in an unconventional manner, utilizing PHP code snippets embedded within WordPress posts.
Key Findings from the Breach
Infected Devices:
The stalkerware had 61,408 Firebase tokens registered with its C2 server. This number serves as an estimate of the total number of infected devices.
Registered Users:
There were 116,079 customers registered, with the database containing their registration emails, passwords, and, in some cases, phone numbers.
92 customers used a gov.br email account for registration, suggesting that government employees are users of the stalkerware.
Among these 92, there are occurrences of domains from educational institutions, Education Secretariats, city halls, a basic sanitation institution, the Court of Justice, and two emails from the domains of the military and civil police, respectively.
Emails from companies of various sizes are also present, including those from the agriculture and mining sectors, as well as law firms.
Sensitive Data Exposed:
Personal Data: Calendar schedules, call logs, contact lists, and GPS locations.
Communications: Messages from Facebook, Instagram, WhatsApp, and SMS.
Media Files: Photos taken by the victims and those captured secretly by the malware.
Keystroke Logs: Records of keyboard inputs.
Additionally, the database listed the filenames of files uploaded by the malware to the celular007 Amazon S3 bucket, enabling anyone with access to this database to retrieve those files.
Heatmap:
By analyzing the GPS coordinates of the victims, we created a heatmap representing the geographical distribution of the victims’ locations:
Figure 3: Heatmap showing the geographical distribution of Celular 007 victims.
The map illustrates the regions of the world where infected devices are located, highlighting the global reach of the stalkerware.
Implications of the Breach
This incident is part of a troubling trend related to the widespread use of stalkerware and the risks these tools pose to people’s privacy and security. Data breaches originating from stalkerware companies further expose the inherent dangers of these technologies:
Massive Exposure of Personal Data:
The leak of sensitive information collected by Celular 007 reveals the extent of the privacy invasion suffered by the victims.
Data such as personal messages, call logs, GPS location, and media files are exposed, increasing the potential for emotional, psychological, and physical harm.
Risks to Victims and Perpetrators:
Victims suffer a double violation: being monitored without consent and having their personal data publicly exposed due to insecure storage by the stalkerware developers.
Perpetrators may also be identified through the leaks, facing potential legal and social consequences.
Involvement of Government Institutions and Companies:
The presence of accounts registered with government and corporate email domains indicates that public officials and private organizations may be involved in illegal surveillance practices.[1]
This raises serious ethical and legal concerns, undermining public trust in these institutions.
Security Failures in Stalkerware Companies:
Stalkerware developers often fail to implement adequate security measures, resulting in breaches that affect thousands of people.
This demonstrates the irresponsibility of these companies in protecting the data they illegally collect.
Normalization of Illegal Surveillance:
The widespread use of stalkerware contributes to the normalization of invasive practices, perpetuating cycles of abuse and control.
Combating the social acceptance of these tools and promoting awareness of their harmful impacts is essential.
Need for Regulatory Action:
The breaches highlight the urgency of stricter regulations to prohibit the commercialization and use of stalkerware.
Authorities should hold both the developers and users of these tools legally accountable.
In summary, the data breach involving Celular 007 is not an isolated incident but a symptom of a larger problem related to the existence and use of stalkerware. These events underscore the need for coordinated actions to protect individual privacy, reinforce digital security, and hold those who facilitate and participate in illegal surveillance practices accountable.
Acknowledgment of DDoSecrets’ Contribution
We extend our gratitude to Distributed Denial of Secrets (DDoSecrets) for providing access to the leaked data, which was essential for this analysis. DDoSecrets is a non-profit organization specializing in publishing and archiving leaked or hacked datasets in the public interest, with a mission to protect sources. Their work supports investigative journalism and analysis efforts aimed at promoting transparency and accountability.
For more information about DDoSecrets and their work, please visit their website and consider supporting: https://ddosecrets.com/
Collective Strategies for Protection
Recognizing the Signs of Stalkerware
Practical Steps for Detection
Check Installed Apps:
Look for Unfamiliar or Suspicious Apps:
Review the list of installed apps on your device.
Be attentive to apps you do not recall installing or do not recognize.
Disguised Names:
Stalkerware often uses generic names or disguises itself as legitimate or system apps.
In the case of Celular 007:
The app may appear under the name “Internet” or “WiFi” to deceive the user.
Other common examples:
Apps with names like “Settings”, “Updates”, “System” or random combinations of letters.
Review App Permissions:
Examine Granted Permissions:
Go to Settings > Apps and review the permissions for each app.
Be wary of apps requesting access to sensitive data (like location, microphone, camera, messages) without a clear reason.
Inspect Device Administrator Settings:
Check Apps with Administrator Privileges:
In Settings > Security > Device Administrators, check which apps have administrator privileges.
Monitor Battery and Data Usage:
Unusual Consumption:
Observe if there is higher than normal battery drain or mobile data usage.
Stalkerware running in the background can cause rapid battery depletion and high data usage.
Check Accessibility Services:
Accessibility Permissions:
In Settings > Accessibility, check which apps have access to these services.
Identify Indicators of Compromise (IoCs):
Be Alert to Specific Signs:
Familiarize yourself with domains, IP addresses, and file hashes associated with known stalkerware (see Appendix).
Use reputable security tools to scan your device for these indicators.
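The manual checks above (installed apps, permissions, device administrators, accessibility services) can be automated from adb output when an analyst has the device in hand. Added example, not part of the report: it parses constructed sample outputs of the real adb commands named in the comments, with placeholder package names; the output formats are assumed from recent Android builds and may vary by vendor.

```python
"""Triage of `adb shell` output for the footholds the detection steps tell a
user to check by hand: enabled accessibility services, device administrators,
and third-party apps granted many sensitive permissions. Added example, not
part of the report; the outputs below are CONSTRUCTED with placeholder names."""
import re
import subprocess

SENSITIVE = {"android.permission." + p for p in (
    "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "CAMERA", "READ_SMS",
    "READ_CALL_LOG", "READ_CONTACTS")}

# adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_OUT = ("com.google.android.marvin.talkback/.TalkBackService:"
                     "com.example.constructed/.AccessService")
# adb shell dumpsys device_policy   (excerpt)
DEVICE_POLICY_OUT = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.constructed/.AdminReceiver:
      uid=10123
"""
# adb shell pm list packages -3
THIRD_PARTY_OUT = "package:com.example.constructed\npackage:org.example.messenger\n"
# adb shell dumpsys package <pkg>   (runtime-permission excerpts)
PACKAGE_DUMPS = {
    "com.example.constructed": """    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
""",
    "org.example.messenger": """    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
""",
}

COMPONENT_RE = re.compile(r"([A-Za-z][\w.]*)/(\.?[\w.$]+)")  # pkg/Class

def parse_component_packages(text):
    """Package names of every pkg/Class component mentioned in the text."""
    return {m.group(1) for m in COMPONENT_RE.finditer(text)}

def parse_packages(text):
    return {l.split(":", 1)[1].strip() for l in text.splitlines() if l.startswith("package:")}

def granted_sensitive(dump):
    """Sensitive runtime permissions currently granted, from a package dump."""
    return {m.group(1) for m in re.finditer(r"(android\.permission\.\w+): granted=true", dump)
            if m.group(1) in SENSITIVE}

def triage(accessibility_out, device_policy_out, third_party_out, package_dumps, threshold=3):
    """Map each flagged third-party package to the reasons it was flagged."""
    a11y = parse_component_packages(accessibility_out)
    admins = parse_component_packages(device_policy_out)
    flagged = {}
    for pkg in sorted(parse_packages(third_party_out)):
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in admins:
            reasons.append("device administrator")
        n = len(granted_sensitive(package_dumps.get(pkg, "")))
        if n >= threshold:
            reasons.append(f"{n} sensitive permissions granted")
        if reasons:
            flagged[pkg] = reasons
    return flagged

def collect_from_device():
    """Run the same commands against a USB-connected device (requires adb)."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args],
                              capture_output=True, text=True).stdout
    third = sh("pm", "list", "packages", "-3")
    dumps = {p: sh("dumpsys", "package", p) for p in parse_packages(third)}
    return triage(sh("settings", "get", "secure", "enabled_accessibility_services"),
                  sh("dumpsys", "device_policy"), third, dumps)
```

A flagged package is a lead for the forensic review the report recommends, not proof of stalkerware: legitimate accessibility tools and MDM agents will also appear.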
Signs of Compromise
Unexpected Behaviors:
Apps opening or closing on their own.
The device restarting without apparent reason.
Altered Performance:
Sudden device sluggishness.
Excessive heating without intensive use.
Strange Notifications or Messages:
Messages you do not recognize.
Notifications from unknown services.
Unexplained Knowledge of Your Activities:
Someone seems to know private information you have not shared.
Preventive Measures
Digital Hygiene
Secure Communication:
Use encrypted messaging apps like Signal.
Regular Updates:
Keep your device and apps updated.
Strong Authentication:
Use strong passwords and enable multi-factor authentication.
Physical Security
Limit Physical Access:
Protect devices with passwords or biometrics.
Caution When Sharing Devices:
Be careful when lending your device to others.
Community Engagement
Education and Awareness:
Participate in workshops and share knowledge.
Collective Defense:
Build support networks and care for one another.
What to Do If You Suspect Stalkerware
Do Not Rush to Remove It:
Sudden removal may alert the perpetrator.
Seek Professional Help:
Contact organizations like InterSecLab for guidance.
Document Evidence:
Safely record details about the suspicious app.
Use a Safe Device:
Communicate from a secure device to change passwords.
Develop a Safety Plan:
Prioritize your physical and digital safety.
Collective Strategies for Digital Resistance
Community Defense
Share Knowledge and Resources:
Organize educational events and distribute materials.
Support Networks:
Collaborate with organizations and encourage open dialogue.
Advocacy and Legal Action
Policy Change:
Advocate for stronger laws against stalkerware.
Corporate Responsibility:
Demand stricter app review processes and transparency in data handling.
Calls to Action
Regularly Review Your Devices.
Strengthen Digital Security Practices.
Educate and Engage Your Community.
Seek Expert Assistance When Needed.
Advocate for Policy and Corporate Changes.
Utilize Detection Tools Responsibly.
Build and Participate in Collective Resistance Efforts.
How InterSecLab Can Help
InterSecLab offers specialized services to strengthen digital protection for civil society, focusing on a transfeminist approach.
Services Provided
Forensic Analysis:
Investigate devices for signs of compromise.
Provide detailed reports on findings.
Malware Analysis:
Analyze malicious software to understand its capabilities and develop countermeasures.
Incident Response:
Assist organizations and individuals in responding to digital security incidents.
Unauthorized surveillance violates individual rights and may be illegal.
Data Protection Laws:
Collecting and exposing personal data without consent breaches regulations.
Supporting Victims:
Prioritize safety and consent when assisting individuals.
Collaborate with legal and support organizations.
Conclusion
Celular 007 exemplifies the severe threat that stalkerware poses to individual privacy and security. Combating such threats requires a multifaceted approach:
Technical Vigilance:
Recognize signs of compromise and maintain good digital hygiene.
Collective Defense:
Build awareness, share knowledge, and support each other.
Policy Advocacy:
Push for stronger legal frameworks and corporate accountability.
Empowerment through Education:
Provide accessible resources and training.
By combining technical expertise with community action, we can strive for a safer digital environment where privacy and autonomy are upheld.
Acknowledgments
We extend our gratitude to:
Distributed Denial of Secrets (DDoSecrets) for providing access to critical data.
Association for Progressive Communications (APC) for organizing the Feminist Learning Circle.
Participants of the Feminist Learning Circle for sharing experiences and building collective knowledge.
Maria d’Ajuda: A digital security helpline created by Brazilian feminists, focused on women, non-binary people, LGBTQIA+, and organizations in Latin America. It offers emergency assistance in digital security and digital care, using a feminist methodology of welcoming and problem-solving that includes active listening and encourages autonomy. https://marialab.org/mariadajuda/
Coalition Against Stalkerware: A global initiative uniting organizations to combat the use of stalkerware, providing resources for victims and security professionals. https://stopstalkerware.org/
Association de lutte contre les cyberviolences sexistes (Echap): A French organization mapping stalkerware worldwide, including Brazilian versions in their GitHub repository. Echap works to combat sexist cyberviolence and offers resources for victims and professionals. https://echap.eu.org/
APC Women’s Rights Programme: Initiative promoting women’s rights in the digital age, providing research, capacity building, and advocacy on topics like online violence and technology access. https://www.apc.org/en/wrp
National Network to End Domestic Violence (NNEDV): U.S.-based organization working to end domestic violence, providing resources and support for survivors, including information on technology safety. https://www.nnedv.org/
Appendix: Indicators of Compromise (IoCs)
Introduction to the Appendix
This appendix provides a list of Indicators of Compromise (IoCs) associated with Celular 007. IoCs are observable artifacts on systems or networks that can be used to identify malicious activity. Security professionals and advanced users can utilize this information to detect and remediate possible infections by the stalkerware on Android devices.
URLs and Domains
https://foxspy.com[.]br/aovivo/comandos.php
http://remoto.foxspy.com[.]br
http://pc.foxspy.com[.]br
http://52.0.165[.]204/filewav.php?arquivo=
https://s3.amazonaws.com/aplicativo/
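To make this list usable against exported DNS or proxy logs, the following added example (not part of the report) refangs the listed URLs and matches them, treating the shared S3 host and the raw IP as indicators only together with their path so that ordinary Amazon traffic is not flagged; the log lines and their column layout are constructed assumptions.

```python
"""Match the defanged network IoCs from this appendix against exported
DNS or proxy log lines. Added example, not part of the report; the log lines
are CONSTRUCTED, and their layout (timestamp, client, record type or method,
target) is an assumption about a generic export: adjust the split for yours."""
import ipaddress
from urllib.parse import urlsplit

# Copied as listed in the appendix (defanged with [.]).
DEFANGED_IOCS = [
    "https://foxspy.com[.]br/aovivo/comandos.php",
    "http://remoto.foxspy.com[.]br",
    "http://pc.foxspy.com[.]br",
    "http://52.0.165[.]204/filewav.php?arquivo=",
    "https://s3.amazonaws.com/aplicativo/",
]
# Hosts shared with legitimate traffic: only the path makes them an indicator.
SHARED_HOSTS = {"s3.amazonaws.com"}

def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def build_rules(iocs):
    """(host, required path prefix) pairs, most specific host first.
    A bare domain is an indicator on its own (prefix ""), while shared hosts
    and raw IPs must also match the path taken from the IoC."""
    rules = []
    for ioc in iocs:
        u = urlsplit(refang(ioc))
        host = u.hostname.lower()
        prefix = u.path if (host in SHARED_HOSTS or is_ip(host)) else ""
        rules.append((host, prefix))
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)

RULES = build_rules(DEFANGED_IOCS)

def match(target):
    """target is a URL or bare hostname; returns the matched host+prefix or None."""
    u = urlsplit(target if "://" in target else "//" + target)
    host = (u.hostname or "").lower()
    for rule_host, prefix in RULES:
        # Subdomains only count for bare-domain rules, never for shared hosts.
        same = host == rule_host or (not prefix and host.endswith("." + rule_host))
        if same and u.path.startswith(prefix):
            return rule_host + prefix
    return None

# Constructed sample: DNS queries (type A) and proxy requests (method + URL).
LOG_LINES = [
    "2024-06-01T10:00:01Z 10.0.0.12 A remoto.foxspy.com.br",
    "2024-06-01T10:00:02Z 10.0.0.12 GET https://s3.amazonaws.com/aplicativo/IMG_0001.jpg",
    "2024-06-01T10:00:03Z 10.0.0.13 GET https://s3.amazonaws.com/other-bucket/update.bin",
    "2024-06-01T10:00:04Z 10.0.0.12 GET http://52.0.165.204/filewav.php?arquivo=rec1.wav",
    "2024-06-01T10:00:05Z 10.0.0.13 A www.example.org",
]

def scan(lines):
    """Return (client, target, indicator) for every line that hits an IoC."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = match(fields[3])
        if hit:
            hits.append((fields[1], fields[3], hit))
    return hits
```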
Files
“JB7”: SQLite database used to synchronize data with the C2 server.
“erro.txt”: Used to log errors and uncaught exceptions.
APK (Android Package Kit): File format used to distribute and install applications on Android devices.
AWS (Amazon Web Services): Amazon’s cloud computing services platform.
Firebase Cloud Messaging (FCM): Google’s service for sending push notifications to mobile devices.
IoCs (Indicators of Compromise): Evidence that a system may have been compromised by malicious activity.
Accessibility Services: Operating system features that assist users with disabilities but can be abused by malicious apps to gain additional control.
Stalkerware: Software that allows someone to secretly monitor another person’s activities on their device.
WebRTC (Web Real-Time Communication): Technology enabling real-time audio and video communication over the web.
Disclaimer
This report aims to inform and raise awareness about the dangers of stalkerware. It seeks to promote cybersecurity best practices and support efforts to protect individuals from digital surveillance and abuse. Unauthorized use or dissemination of malicious software is illegal and unethical.
Contact Information
For more information or to report concerns related to stalkerware, please contact us:
This report is a collaborative effort to raise awareness about stalkerware and promote collective strategies for protection. Reproduction and distribution for non-commercial purposes are permitted with proper attribution.
Note: The inclusion of specific tools, methods, or Indicators of Compromise (IoCs) is for informational purposes only and does not constitute an endorsement. Always exercise caution and consult professionals when dealing with potential security threats.
[1] Note on email authenticity:
It is important to note that we do not verify the authenticity of these emails, nor do we confirm whether these accounts were actually used for spying or illegal surveillance purposes. The presence of an email in a database does not necessarily imply misuse or illegal activities. It is possible that such accounts were created for legitimate purposes, such as investigations or security testing by law enforcement authorities.
However, the mere presence of these accounts in a stalkerware database raises significant concerns about the potential for misuse of these tools by institutions that are supposed to protect people’s privacy and security. This raises serious ethical and legal questions and undermines public trust in these institutions.