ATLAS Shield ("the App," "we," "our") is an intelligent spyware detection application for Android. We are deeply committed to protecting your privacy - in fact, that is the entire purpose of our app. This Privacy Policy explains how we handle information when you use ATLAS Shield.
ATLAS Shield is built on a privacy-first architecture. All scanning, analysis, and threat detection happens entirely on your device. We do not collect, transmit, store, or sell any personal data. Period.
We collect no personal data. ATLAS Shield is designed to operate entirely on your device without any data leaving your phone. Specifically:
| Data Type | Collected? | Details |
|---|---|---|
| Personal Information | NO | No name, email, phone, or identity data |
| Network Traffic Content | NO | We inspect metadata (IPs/domains) only, never content |
| Browsing History | NO | No browsing data is stored or transmitted |
| Location Data | NO | No GPS or location tracking |
| Contacts / Messages | NO | No access to contacts, SMS, or call logs |
| Device Identifiers | NO | No IMEI, advertising ID, or hardware identifiers |
| Analytics / Telemetry | NO | No third-party analytics SDKs or trackers |
ATLAS Shield uses an 11-layer scan architecture to detect spyware, stalkerware, and other malicious threats on your device. Here is how each layer operates:
Matches installed app SHA256 hashes and package names against a local database of known malware and stalkerware families. Zero false positives.
Analyzes dangerous permission combinations (camera + microphone + SMS + contacts) that are characteristic of surveillance software. Flags apps with 4+ dangerous permissions.
Detects apps misusing accessibility services, apps installed from unknown or untrusted sources, and hidden apps without launcher icons — common characteristics of surveillance software.
Analyzes network connection patterns to detect beaconing (repeated check-ins to command servers), unusual frequency bursts (potential data exfiltration), connections to known threat infrastructure, and traffic tunneling through trusted services. Alert only — the user always decides whether to block or dismiss.
Score-based analysis that catches threats not in any database. Evaluates 10 risk indicators including hidden apps, template package names, brand impersonation, and suspicious installer sources. Catches repackaged malware and amateur spyware.
Monitors per-app upload patterns against a 7-day rolling baseline. Detects unusual upload spikes and unexpected night-time activity from apps with no prior night-time usage. Critical threats automatically restrict the app's network access to protect your data. Blocked attempts are logged locally so you can review them in the app. All analysis is on-device only.
Detects coordinated malicious behavior across multiple apps. Catches modular spyware where components work together — one receives commands, another collects data, a third exfiltrates. Detects cross-app destination correlation, chain behavior, synchronized night activity, and coordinated exfiltration patterns. Alert only — user decides. All correlation analysis runs entirely on-device.
Reads standard device health indicators (network throughput, CPU temperature, battery usage, memory) to detect if malware is operating below the app level and bypassing normal security controls. If a significant discrepancy is detected between expected and actual network activity, the app can temporarily restrict network access with your confirmation to prevent data loss — phone calls and SMS remain unaffected. All readings are processed entirely on-device.
Behavioral pattern analysis that detects suspicious data uploads. Monitors upload-to-download ratios, consistent payload sizes (characteristic of encrypted exfiltration), connections to known threat infrastructure, and repetitive single-destination patterns. Critical threats automatically block the destination. Legitimate apps that naturally use encryption (messaging, banking, VPN, backup) are excluded from analysis. All analysis runs on-device.
Detects signs of hardware-level surveillance by reading standard system performance indicators: interrupt activity, context switches, and CPU time distribution. Requires correlation of 3 or more anomalous signals before alerting, minimizing false positives. Alert only — no automatic action is taken, as these types of advanced threats require user awareness and professional remediation. All measurements are on-device.
Opt-in intelligence sharing that allows users to anonymously contribute detected threat indicators (IPs, domains, hashes, package names) to the security community via AlienVault OTX. Default OFF — users must explicitly enable this feature. All submissions are anonymized: phone numbers, email addresses, file paths, and any identifying information are automatically stripped before sharing. User identity, contacts, app content, and precise location are NEVER included. Users can review exactly what will be shared before confirming. See Section 07 for full details.
Users can whitelist legitimate apps that trigger false positives. Trusted apps are skipped in all scan layers. Users can remove apps from the whitelist at any time to re-enable scanning. Trust decisions are stored locally on-device only.
Audits the permissions granted to installed apps across 9 categories (Camera, Microphone, Location, Contacts, Storage, SMS, Phone, Overlay, Accessibility). Calculates a privacy score (0-100) based on permission exposure and highlights apps with sensitive access. All analysis is entirely on-device — no permission data is transmitted externally. Users can open Android's built-in permission settings or standard uninstall dialog for any app directly from the Privacy tab.
All layers operate entirely on your device. No scan results, threat data, or analysis outputs are transmitted to any external server.
ATLAS Shield uses Android's VpnService API to create a local-only VPN tunnel on your device. This is essential for real-time network traffic monitoring and per-app network control.
Unlike commercial VPN services, ATLAS Shield does NOT route your traffic through any external server. The VPN runs entirely on your device as a local traffic monitor. Your internet traffic goes directly to its intended destination — we simply inspect metadata (IP addresses and domain names) to check against our threat intelligence database. Your internet speed is not affected.
All apps (except VoIP services and ATLAS Shield itself) route through the local VPN tunnel. Traffic is inspected on-device only — nothing is forwarded to any external server. Packets are dropped locally if (a) the source app is on your blocked list, (b) the destination IP is on a threat or user-blocked list, or (c) the queried domain is a known tracker, threat domain, or user-blocked domain. Non-blocked traffic passes through transparently with no inspection beyond metadata (IP, domain).
Users have full control over network blocking. From Settings, you can manually block any installed app's internet access, block specific IP addresses, or block specific domains. You can also unblock any previously blocked item at any time. All blocking decisions are stored locally on-device only.
ATLAS Shield can optionally block known advertising and tracker domains at the DNS layer. The block list (sourced from publicly maintained lists such as StevenBlack, AdGuard, EasyList, and similar) is downloaded once and stored locally — DNS queries to listed domains are dropped on-device before they leave your phone. No browsing history or query data is ever transmitted to ATLAS Shield or any third party. Users can trust individual trackers per-domain, unblock once for a session, or disable the feature entirely from Settings.
| VPN Aspect | ATLAS Shield | Traditional VPN |
|---|---|---|
| Traffic Routing | Local device only | External servers |
| External Servers | NONE | Required |
| Data Transmitted | ZERO | All traffic |
| Speed Impact | Minimal | Varies (usually slower) |
| Purpose | Threat detection + app blocking | IP masking / privacy |
| Content Inspection | Metadata only (IP/Domain) | Varies by provider |
ATLAS Shield maintains a local database of 2,900,000+ Indicators of Compromise (IOCs) sourced from 426 open-source threat intelligence feeds, including:
| Source Category | Type | Description |
|---|---|---|
| Citizen Lab / Amnesty MVT | Research | Indicators for advanced mobile threats from academic research labs |
| CISA KEV | Government | U.S. Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalog |
| AlienVault OTX | Community | Open Threat Exchange community-driven threat intelligence (IPs, domains, hashes) |
| abuse.ch (Feodo, URLhaus, ThreatFox, SSL BL, MalwareBazaar) | Free Feed | Botnet C2 IPs, malware domains, SHA256 hashes, SSL certificate blocklists |
| Maltrail (216 feeds) | Free Feed | Malware family IOCs — 153 malware families + 43 APT groups + 20 suspicious categories |
| FireHOL (55 feeds) | Free Feed | Curated IP blocklists — botnets, proxies, TOR exits, spam, cybercrime |
| C2-Tracker (19 feeds) | Free Feed | Active C2 framework servers — CobaltStrike, Sliver, Havoc, Mythic, Metasploit |
| IPsum (8 levels) | Free Feed | Multi-blacklist corroboration — IPs flagged by 1-8+ independent threat feeds |
| Hagezi (9 feeds) | Free Feed | DGA domains, newly registered domains, threat intelligence feeds |
| Block List Project (11 feeds) | Free Feed | Malware, phishing, ransomware, scam, fraud domain blocklists |
| DataPlane (11 feeds) | Free Feed | SSH, DNS, VNC, SIP, SMTP scanner and attacker IPs |
| Blocklist.de, GreenSnow, CINSscore, SNORT, Ellio, DShield, EmergingThreats | Free Feed | Attacker IPs from honeypots, IDS systems, and network monitoring |
| Phishing Army, Cert.PL, OpenPhish, Phishing.Database | Free Feed | Verified phishing domain blocklists |
| UT1-Blacklists, malware-filter, Firebog, ShadowWhisperer, NoCoin | Free Feed | Malware, cryptojacking, tracking, and scam domain feeds |
| Stalkerware Indicators | Community | Coalition Against Stalkerware — surveillance app package names |
| Android Malware DB, Maldroid | Community | Confirmed Android malware APK SHA256 hashes |
These IOC databases are auto-synced every 12 hours from 426 open-source feeds. Only IOC data (malicious IPs, domains, hashes, and app package names) is downloaded — no user data is uploaded during the sync process. The sync is a one-way download over HTTPS.
If you opt in to IOC Contribution (Layer 11), detected threat indicators may be shared back to AlienVault OTX. See Section 07 for full details on what is and is not shared.
ATLAS Shield requests only the permissions strictly necessary for its security functions:
All data generated by ATLAS Shield is stored locally on your device using SQLite and remains under your control:
| Data | Storage | Purpose |
|---|---|---|
| IOC Database | Local SQLite | Threat intelligence for IOC matching (2,900,000+ indicators from 426 sources) |
| Scan Results | Local SQLite | Historical scan logs for your reference |
| Connection Logs | Local SQLite | Network connection history for threat analysis (safe connections auto-deleted after 7 days) |
| Blocked IPs | Local SQLite | IPs you have blocked or that were auto-blocked by threat detection |
| Trusted Apps | Local SQLite | Apps you have whitelisted to skip in future scans |
| Blocked Apps | Local SQLite | Apps whose network access has been blocked by Layer 6/7 detection |
| Forensic Logs | Local SQLite | Evidence of blocked retry attempts from auto-blocked apps (Layer 6) |
| App Traffic Baselines | Local SQLite | 7-day rolling per-app traffic statistics for exfiltration detection |
| Privacy Audit Results | Secure Storage | Permission audit snapshots for privacy score history (8-week rolling, on-device only) |
| IOC Contribution Settings | Secure Storage | Opt-in preference, custom API key (if provided), auto-share toggle |
| IOC Contribution Stats | Secure Storage | Count of shared indicators, last share date (on-device tracking only) |
| Language Preference | Secure Storage | Your selected app language (English or Arabic) |
| App Settings | Secure Storage | Your preferences and configuration (stored via Android Keystore) |
Uninstalling ATLAS Shield will permanently delete all locally stored data from your device.
ATLAS Shield does not integrate any third-party analytics, advertising, or tracking services. We do not use:
Google Analytics or Firebase Analytics, Facebook SDK or any social media trackers, advertising networks or ad SDKs, crash reporting services that transmit data externally, or any other third-party data collection tools.
The only external communication is the periodic IOC database sync (one-way download from the 426 sources listed in Section 04) and, if you opt in, the IOC Contribution feature (Layer 11).
If you enable IOC Contribution in Settings, ATLAS Shield can share detected threat indicators with the security community via AlienVault OTX. This feature is OFF by default and requires explicit opt-in.
| What IS Shared (if opted in) | What is NEVER Shared |
|---|---|
| Malicious IP addresses detected by the app | Your identity, name, or account information |
| Malicious domain names | Phone number or device identifiers |
| SHA256 file hashes of malware | Contacts, messages, or call logs |
| Suspicious package names | App content or browsing data |
| Detection layer and severity level | Location (GPS, cell tower, or IP-based) |
| Anonymized alert description (redacted) | Email addresses or file paths |
All shared data is anonymized before submission. Phone numbers, email addresses, and file paths found in alert text are automatically redacted. You can review exactly what will be shared before confirming (manual share), or enable auto-share which runs once per 24 hours after scans and sends a notification confirming what was shared.
ATLAS Shield supports multiple languages (English and Arabic). Language preferences are stored locally on your device and are never transmitted externally.
ATLAS Shield offers premium features through Google Play subscription billing. All payment processing is handled entirely by Google Play. We do not collect, process, or store any payment information including credit card numbers, billing addresses, or financial data.
Subscription management (purchase, renewal, cancellation) is handled through your Google Play account settings.
ATLAS Shield is not directed at children under the age of 13. We do not knowingly collect any personal information from children. Since our app collects no personal data from any user, this applies universally.
Since all data is stored locally on your device, you have full control over it at all times:
| Data | Retention | How to Delete |
|---|---|---|
| Connection logs (safe) | Auto-deleted after 7 days | Automatic — no action needed |
| Threat alerts & scan results | Kept until you dismiss or uninstall | Dismiss individual alerts or uninstall the app |
| IOC threat database | Updated every 12 hours | Uninstall the app |
| Blocked IPs & blocked apps | Kept until you unblock them | Unblock in Settings or uninstall the app |
| Trusted/whitelisted apps | Kept until you remove trust | Remove in Settings or uninstall the app |
| Traffic baselines (Layer 6) | 7-day rolling window | Automatic — old data rolls off |
| Privacy audit snapshots | 8-week rolling window | Automatic — old snapshots roll off |
| IOC contribution log | Kept for your reference | Uninstall the app |
| App settings & preferences | Kept until changed or uninstall | Uninstall the app |
To delete ALL data stored by ATLAS Shield, simply uninstall the app from your device. Since no data is stored on external servers, uninstalling permanently and irreversibly removes all app data. You can also clear the app's data from Android Settings > Apps > ATLAS Shield > Storage > Clear Data.
Regardless of your location, ATLAS Shield respects the following data rights by design:
All your data is already visible to you within the app — scan results, alerts, connection logs, blocked IPs, trusted apps, and privacy audits are all accessible from the app interface.
You can delete all data at any time by uninstalling the app or clearing app data from Android Settings. No data persists on any external server.
All data is stored in standard SQLite format on your device and remains under your control.
The only feature that transmits any data externally (IOC Contribution, Layer 11) is off by default and requires explicit opt-in. You can disable it at any time from Settings.
This Privacy Policy fully discloses every type of data processed, every permission used, and the purpose of each. No hidden data collection exists.
If you are located in the European Economic Area (EEA), United Kingdom, California (USA), or any jurisdiction with data protection laws (GDPR, CCPA, PDPA, etc.), these rights apply to you. Since ATLAS Shield collects no personal data and stores everything locally, compliance is built into the architecture — not bolted on as an afterthought.
We may update this Privacy Policy from time to time. Any changes will be reflected on this page with an updated effective date. We encourage you to review this policy periodically. Continued use of ATLAS Shield after changes constitutes acceptance of the updated policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or ATLAS Shield's data practices, please contact us at:
Email:
Developer: Abdullah Abu Shamah
Application: ATLAS Shield - Intelligent Spyware Protection