Stalkerware: How Surveillance Apps Hide on Your Device

May 10, 2026 9 min read Haven Team

Stalkerware is commercial surveillance software — sold legally, often marketed as parental monitoring or employee tracking tools, and used overwhelmingly to monitor intimate partners without their knowledge or consent. Understanding how it works is the first step toward detecting it.


Unlike sophisticated state-level spyware (NSO Group's Pegasus, for instance), stalkerware doesn't require zero-click exploits or nation-state resources. It requires only brief physical access to an unlocked device — a few minutes while a partner is in the shower, or a device handed over to a controlling family member for "setup help." The installation is manual, the technical bar is low, and the damage is real.

The Coalition Against Stalkerware, a consortium of domestic violence organizations and cybersecurity companies, has documented the pattern: stalkerware is found disproportionately on devices belonging to people who are experiencing abuse. The software and the violence are connected — the monitoring enables control, and the knowledge of surveillance creates fear.

What Stalkerware Is (and Isn't)

Stalkerware refers to commercial applications specifically designed to hide their presence from the device owner while transmitting data to a third party. Products in this category (FlexiSpy, mSpy, Hoverwatch, and similar) market themselves as tools for parents monitoring children or employers tracking company-owned devices. In practice, researchers at Kaspersky Lab, Malwarebytes, and others have documented their use patterns — they are predominantly found on adult devices without the knowledge of the device owner.

Legitimate parental control software works differently: it's disclosed to the person being monitored (often required for minors in educational contexts), it's visible in the device's app list, and it operates with the knowledge of the account holder. The key distinction is transparency to the monitored party. Stalkerware is designed specifically to defeat that transparency.

State-level spyware like Pegasus operates differently — it uses software vulnerabilities to install without user interaction and is typically deployed by governments against journalists, dissidents, and activists. That threat model requires different countermeasures. This post focuses on the commercially available consumer stalkerware that ordinary people encounter in abusive relationships.

How Stalkerware Gets Installed

On Android, installation is straightforward: enable "Install from unknown sources" in settings, download an APK from the stalkerware vendor's website, install it, configure it with a destination account or phone number, and optionally use the app's own hiding feature to remove its icon from the launcher. The entire process takes under five minutes.

On iOS, the process is more constrained. Apple's sandboxing and App Store review processes mean that full-featured stalkerware cannot be installed as a regular app. Workarounds include: abusing MDM (Mobile Device Management) profiles, which allow remote monitoring of managed devices; using iCloud access if the abuser has or obtains the victim's Apple ID and password; or jailbreaking the device (which leaves traces but enables traditional stalkerware). The iOS vector is narrower, but iCloud-based monitoring — which doesn't require device access at all if credentials are known — is documented and effective.

What These Apps Can Capture

Depending on the product and platform permissions, stalkerware can access: GPS location in real time, call logs and call recordings, SMS and MMS messages, emails and social media messages (via accessibility service abuse on Android), keystrokes, photos and camera, browser history, and microphone/ambient audio recording.

The data is typically exfiltrated over the device's data connection to the stalkerware vendor's server, which the installing party can access via a web dashboard or companion app. Some products allow the installer to configure SMS-based commands that trigger specific data dumps.

Signs Your Device May Be Compromised

No behavioral indicator is definitive — all of the following have innocent explanations — but together they can raise suspicion:

Android is significantly more vulnerable than iOS due to its open sideloading model. A fully updated iPhone with iCloud account security in order is harder to compromise via commercial stalkerware than an Android device.

Detection Tools

Several legitimate security companies have added stalkerware detection to their mobile products, partly in response to the Coalition Against Stalkerware's advocacy. Malwarebytes for Android detects known stalkerware signatures. Kaspersky's TinyCheck is an open-source network monitoring tool designed to detect stalkerware's outbound data exfiltration at the router level — useful in cases where device-level scanning isn't safe.

The National Domestic Violence Hotline's Safety Net project and the Electronic Frontier Foundation's Surveillance Self-Defense guide both provide current, verified guidance that is regularly updated as stalkerware techniques evolve. These are more reliable resources than general-purpose cybersecurity blogs, because they're maintained by organizations tracking the specific threat.
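The Android install path described earlier (a sideloaded APK that then leans on an accessibility service) leaves two things a read-only check can cross-reference: which package installed each app, and which apps own an enabled accessibility service. The following is an added example, not part of the original article or any vendor's tool; it parses saved output of `adb shell pm list packages -i -3` and `adb shell settings get secure enabled_accessibility_services`. The sample data and package names are constructed, and the trusted-installer list is an assumption to adjust per device.

```python
import re

# Installers treated as official stores (assumption; extend for your device vendor).
STORE_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PACKAGES = """\
package:com.example.notes  installer=com.android.vending
package:com.example.syncservice  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:com.example.reader  installer=com.android.vending
"""

# Constructed sample of `settings get secure enabled_accessibility_services` output.
SAMPLE_A11Y = "com.example.syncservice/.core.WatchService:com.example.reader/.TalkHelper"

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(text):
    """Map package name -> installer package (None when no installer is recorded)."""
    result = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            result[pkg] = None if inst == "null" else inst
    return result

def parse_accessibility(text):
    """Return the set of packages that own an enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":
        return set()
    # Entries are colon-separated component names of the form package/class.
    return {comp.split("/", 1)[0] for comp in text.split(":") if comp}

def audit(packages_text, a11y_text):
    """List (package, installer, has_accessibility) for sideloaded apps, riskiest first."""
    a11y = parse_accessibility(a11y_text)
    rows = [(pkg, inst, pkg in a11y)
            for pkg, inst in parse_installers(packages_text).items()
            if inst not in STORE_INSTALLERS]
    return sorted(rows, key=lambda r: (not r[2], r[0]))

if __name__ == "__main__":
    for pkg, inst, has_a11y in audit(SAMPLE_PACKAGES, SAMPLE_A11Y):
        level = "REVIEW FIRST" if has_a11y else "sideloaded"
        print(f"{level:12} {pkg} (installer={inst})")
```

An empty result does not clear a device: the iCloud- and MDM-based monitoring described above leaves nothing for this check to find.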

Critical Safety Warning

If you suspect your device is compromised, do not remove the stalkerware before making a safety plan. An abuser who loses their surveillance feed may respond with escalating behavior. The removal should be coordinated, often with the help of a domestic violence advocate or digital security trainer who understands both the technical and safety dimensions.

Why Removal Requires a Safety Plan First

The instinct when you discover you're being surveilled is to remove the surveillance immediately. This instinct is understandable and sometimes wrong. An abuser who has been monitoring their partner continuously and suddenly loses that feed knows something changed. That realization can trigger confrontation.

The Coalition Against Stalkerware explicitly advises against removal as a first step. The recommended sequence is: document what you've found (screenshots, app names, permission lists), reach out to a domestic violence organization or digital security resource who understands the context, develop a safety plan that includes where you'll go and who knows, and then — as part of a coordinated exit or protective action — address the device.

Sometimes the correct answer is a factory reset on a safe device, a new phone with a new carrier SIM, and a new Apple ID or Google account with a strong new password from a device the abuser never had access to. Removing the app from the compromised device leaves open the question of what else was installed and what credentials were captured.

How to Remove It Safely

Once a safety plan is in place, the cleanest removal path for Android is a factory reset. This guarantees that no persistent components remain. Before resetting: back up only data you need (contacts, photos) to a secure location — ideally not the cloud account the abuser may have credentials for. On iOS, remove any MDM profiles, change your Apple ID password and enable two-factor authentication from a trusted device, and revoke access from any devices listed under your Apple ID that you don't recognize.

After removal, the device isn't automatically safe if the abuser still has physical access to it. Consider treating the device as a disposable asset and replacing it — the cost of a new device is much lower than the cost of ongoing surveillance.

Resources

For related reading on mobile app permissions and how to audit what access apps have claimed on your device, see our earlier post on that topic.
