KidsProtect Stalkerware Abuses VS Code Tunnels and Discord Webhooks as Covert C2 Infrastructure

A commercially marketed Android application called KidsProtect, presented as a parental control tool, has been analysed and found to function as stalkerware — secretly recording device location, SMS messages, call logs, and browser history without consent. The tool evades conventional network monitoring by routing command-and-control traffic through legitimate VS Code Remote Tunnels and Discord webhook endpoints. Its developer explicitly markets it as an undetectable monitoring solution on underground forums.

Tags: #stalkerware #android #mobile-security #privacy #vs-code-tunnel-abuse #discord-abuse #consent #domestic-surveillance

A mobile application named KidsProtect has been documented by ESET researchers as functioning as commercially distributed stalkerware — surveillance software marketed under the cover of parental control functionality while providing covert, consent-free monitoring capabilities specifically designed to evade detection. Unlike stalkerware applications that communicate with dedicated attacker infrastructure, KidsProtect routes all command-and-control communications through Microsoft VS Code Remote Tunnels and Discord webhook endpoints — legitimate cloud services whose traffic is difficult or impossible to block without also disrupting legitimate use.

KidsProtect’s Technical Capabilities

Once installed on an Android device, KidsProtect operates with the following surveillance capabilities:

  • Location tracking: Continuous GPS location reporting at configurable intervals (minimum 1 minute), with the location history stored and queryable by the operator
  • SMS and messaging intercept: Reads SMS inbox and sent messages; accesses WhatsApp message content via Accessibility Services API (without requiring root)
  • Call log access: Full incoming and outgoing call log including duration and contact identity
  • Browser history: Chrome, Firefox, and Samsung Browser history extraction
  • Ambient recording: On-demand microphone activation initiated remotely by the operator
  • Application monitoring: Reports installed app list and active foreground application

KidsProtect requests an extensive permission set, but requests the permissions incrementally rather than all at once — a common technique to reduce user suspicion of the cumulative surveillance scope.

VS Code Tunnel Abuse for C2 Evasion

The most technically distinctive aspect of KidsProtect is its command-and-control architecture. Rather than operating its own server infrastructure — which would be identifiable and blockable — KidsProtect uses Microsoft’s VS Code Remote Tunnels feature.

VS Code Remote Tunnels (formerly GitHub Codespaces tunnel connectivity) are a legitimate developer tool that creates an authenticated, encrypted relay between a VS Code client and a remote host via Microsoft’s Azure relay infrastructure. Traffic flows over *.tunnels.api.visualstudio.com on port 443 — a domain and port combination that is broadly permitted in enterprise and consumer network environments because blocking it would disable a widely used developer tool.

KidsProtect registers the compromised Android device as a VS Code tunnel host, then exfiltrates collected data and receives operator commands through this relay. From a network monitoring perspective, the traffic is indistinguishable from a developer using VS Code Remote Access to connect to a development environment.

Secondary exfiltration uses Discord webhooks — posting collected data as formatted messages to operator-controlled Discord channels. Discord webhook traffic is similarly permitted in most environments and provides a low-friction command delivery mechanism.

KidsProtect is distributed through its own website (not the Google Play Store) and is marketed in two distinct contexts: a surface-level “parental control” framing targeting anxious parents, and an explicit covert monitoring capability marketed on underground forums to actors seeking undetectable surveillance of partners, employees, or other targets without consent.

This dual marketing is characteristic of commercial stalkerware. In most Western jurisdictions, installing surveillance software on an adult’s device without their knowledge and consent constitutes a criminal offence regardless of the purchaser’s relationship to the target. In the United Kingdom, this falls under the Computer Misuse Act 1990 and the Serious Crime Act 2015’s coercive control provisions. In the EU, it violates GDPR’s lawful basis requirements and in several member states constitutes a criminal surveillance offence.

Enterprise Implications

KidsProtect’s C2 infrastructure abuse technique has implications beyond domestic surveillance:

Developer tool traffic as a blind spot: VS Code Remote Tunnels, GitHub Codespaces, and similar developer relay services are routinely permitted without deep inspection. The same infrastructure abused by stalkerware can be — and has been — used by more sophisticated threat actors to exfiltrate data from compromised enterprise systems. Monitoring for anomalous VS Code tunnel traffic volumes or unexpected tunnel registrations from non-developer device types is a relevant detection gap to close.
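As an added illustration (not code from ESET's analysis or from this article), the following Python detector applies the two checks just described to constructed proxy log lines: tunnel traffic to the relay domain from a device whose inventory role is not "developer", and unusual tunnel byte volume per device, plus Discord webhook POSTs from non-developer devices. The log format, device inventory, role names and byte threshold are assumptions made for the example.

```python
# Added example: flag anomalous VS Code tunnel / Discord webhook use in proxy logs.
# Log format, device roles and threshold are constructed assumptions.
import re
from collections import defaultdict

# Relay domain named in the article; Discord webhooks live under this public API path.
# Both services are legitimate, so a hit is only suspicious in context (role, volume).
TUNNEL_HOST_RE = re.compile(r"(^|\.)tunnels\.api\.visualstudio\.com$")
DISCORD_WEBHOOK_RE = re.compile(r"^https://discord\.com/api/webhooks/")

# Constructed asset inventory: device -> role assigned by MDM/CMDB.
DEVICE_ROLES = {"dev-laptop-07": "developer", "byod-android-12": "byod-mobile",
                "hr-phone-03": "byod-mobile"}
TUNNEL_BYTES_THRESHOLD = 5_000_000  # per device per log window (assumed)

# Constructed proxy log line: ts device method host url bytes_out
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<method>\S+) (?P<host>\S+) "
                    r"(?P<url>\S+) (?P<bytes>\d+)$")

def analyse(lines):
    """Return sorted (device, reason) alerts for the supplied log lines."""
    alerts = set()
    tunnel_bytes = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped, not treated as evidence
        dev, host, url = m["dev"], m["host"], m["url"]
        role = DEVICE_ROLES.get(dev, "unknown")
        if TUNNEL_HOST_RE.search(host):
            tunnel_bytes[dev] += int(m["bytes"])
            if role != "developer":  # a phone should not be a VS Code tunnel host
                alerts.add((dev, f"vscode-tunnel-from-{role}"))
        elif (DISCORD_WEBHOOK_RE.match(url) and m["method"] == "POST"
              and role != "developer"):
            alerts.add((dev, f"discord-webhook-post-from-{role}"))
    for dev, total in tunnel_bytes.items():  # volume rule covers developers too
        if total > TUNNEL_BYTES_THRESHOLD:
            alerts.add((dev, "vscode-tunnel-volume"))
    return sorted(alerts)

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2024-05-01T08:00:01Z dev-laptop-07 CONNECT abc.tunnels.api.visualstudio.com - 120000",
    "2024-05-01T08:00:09Z byod-android-12 CONNECT xyz.tunnels.api.visualstudio.com - 30000",
    "2024-05-01T08:01:10Z byod-android-12 POST discord.com https://discord.com/api/webhooks/000/TOKEN 4100",
    "2024-05-01T08:02:00Z hr-phone-03 GET www.example.com https://www.example.com/ 800",
    "2024-05-01T09:00:00Z dev-laptop-07 CONNECT abc.tunnels.api.visualstudio.com - 6000000",
]
```

Running `analyse(SAMPLE_LOG)` flags the Android device for both the tunnel connection and the webhook post, and the developer laptop only for crossing the byte threshold; the phone that browsed an ordinary site produces no alert.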

BYOD device risk: If personal Android devices with stalkerware installed are used for business email or are enrolled in mobile device management, the device’s data — potentially including corporate contacts, emails, and authentication tokens — is within scope of the surveillance capability.

Indicators of compromise for KidsProtect are published in ESET’s full analysis. If you manage enterprise mobile device management and are concerned about stalkerware on BYOD devices, ESET Mobile Security and similar endpoint protection products now detect KidsProtect variants.
