How to Detect Stalkerware on Your Phone
Key Takeaways
- Understanding the specific products you might encounter helps in detection, because many of these apps use characteristic installation patterns, permission sets, and process names.
- Stalkerware runs as a persistent background service that continuously tracks location and periodically uploads data packages (messages, audio, screenshots) to remote servers.
- On iOS, check Settings → General → VPN & Device Management for configuration profiles you did not install.
- Removing stalkerware from your device is only step one; the surveillance infrastructure often extends further.
If you are in a domestic abuse situation, do not immediately remove stalkerware without a safety plan. Removing monitoring software can alert the abuser that you know you are being watched — and that knowledge has triggered violence in documented cases. Contact the National Domestic Violence Hotline (1-800-799-7233 US, available 24/7) or text "START" to 88788. In the UK: Refuge at 0808 2000 247. The Coalition Against Stalkerware (stopstalkerware.org) maintains a directory of tech safety resources by country. Read this guide fully. Then call before you act.
Stalkerware is commercially sold spyware. Not a hacking tool. Not gray-market malware from a dark web forum. Commercial software, sold with customer service, offered via credit card subscription, marketed on mainstream advertising networks until those networks started banning the ads.
In February 2021, FlexiSPY was found running advertisements on Google Search. In 2019, the FTC moved against Retina-X Studios — the maker of PhoneSheriff, MobileTracker Free, and TeenShield — for marketing products primarily used to covertly monitor intimate partners. The apps weren't seized from a hacker's laptop. They were downloaded from their official websites by people who paid monthly subscriptions.
The scale of the problem is documented. A 2022 report from Kaspersky's Global Research and Analysis Team found stalkerware on approximately 32,694 devices they monitored — and that's one security vendor, one year. Domestic violence surveys consistently find that 40-60% of survivors report technology-facilitated abuse. The Coalition Against Stalkerware, formed in 2019 with founding members including Kaspersky, Malwarebytes, and the National Network to End Domestic Violence, was created specifically because the security industry was classifying stalkerware as "potentially unwanted applications" (a minor warning) rather than malware — effectively legitimizing covert surveillance tools.
This guide tells you what these products are, how to find them, how to eliminate them, and how to navigate the personal danger that often accompanies the technical problem.
The Stalkerware Product Landscape
Understanding the specific products you might encounter helps in detection, because many of these apps use characteristic installation patterns, permission sets, and process names.
FlexiSPY
Price: $68/month (Premium) to $199/month (Extreme)
Platform: Android, iOS (jailbreak required for full functionality)
Capabilities: Call interception (including VoIP calls), ambient audio recording (activates microphone remotely), camera activation, GPS tracking, message exfiltration (including WhatsApp, Telegram, Snapchat), keystroke logging, screenshot capture
FlexiSPY is the most capable consumer stalkerware product. Its "Extreme" tier can intercept calls on apps like WhatsApp and Viber by recording audio at the system level before encryption is applied. The company is operated from Thailand and has operated continuously since 2006 despite multiple years of negative press coverage.
Detection signatures: FlexiSPY on Android installs as a background service with a generic name (varies by version, but historically "System Service," "Phone Monitor Service," and similar). It requests device administrator privileges and accessibility service access. On iOS, it requires a jailbreak — look for the Cydia jailbreak store or its successors.
mSpy
Price: $16.99/month (Basic) to $27.99/month (Premium)
Platform: Android, iOS
Capabilities: GPS tracking, message monitoring (SMS, iMessage, WhatsApp, Snapchat), social media monitoring, call log access, email monitoring, browser history, keylogger (Android), app blocking
mSpy is the highest-volume commercial stalkerware product — they claim millions of users. Their marketing prominently features "parental control" messaging while documenting use cases that are clearly intimate partner surveillance ("Is your partner cheating? Monitor their conversations."). The product has been covered in major investigations by Vice Motherboard, the New York Times, and the BBC.
In 2018, mSpy suffered a major data breach affecting millions of records — ironically exposing the data of the people being surveilled, including their messages and location history. This breach was reported by KrebsOnSecurity in May 2018.
Detection signatures: mSpy on Android appears as a background app with device admin access. On iOS without a jailbreak, it relies on iCloud credentials rather than a local install — it doesn't appear as an app at all but accesses iCloud backup data and synced information through Apple's own APIs.
Cocospy / Spyic / Spyier
These are related products (believed to share a common codebase) marketed under multiple brand names. In early 2020, a researcher discovered that Cocospy, Spyic, and Spyier collectively exposed the data of approximately 1 million users — including the email addresses of subscribers and phone data of targets. The researcher found the vulnerability by inspecting the JavaScript of the web dashboard and bypassing authentication.
Price: $39.99-$99.99/month depending on platform and features
Capabilities: GPS tracking, message access, call logs, browser history, photo access, app monitoring
These products target less technically sophisticated abusers — the interface is simple enough that installation instructions on the sales website are a 10-step guide with screenshots. This ease of use contributes to widespread deployment.
Hoverwatch
Price: $24.95/month
Platform: Android, Windows, macOS
Capabilities: Call recording, SMS monitoring, GPS tracking, front camera snapshot (automatically captures a photo when the user unlocks the phone), keystroke logging, browser history
Hoverwatch's front camera snapshot feature is particularly invasive — the target's device silently captures photos of their face every time they unlock the phone, building a timestamped visual record of who is in physical possession of the device.
Detection signatures: Hoverwatch on Android runs as a persistent service with accessibility access. The "silent screenshot" feature creates image files that may appear in device storage if the app fails to upload them immediately.
Eyezy, uMobix, Moniterro
Newer entrants in the market that launched after some competitors faced regulatory and app store pressure. They offer similar capabilities to mSpy and Cocospy. Their newness means that automated detection tools may have lower detection rates until signatures are updated.
iKeyMonitor
Price: $19.99/month per device
Platform: iOS (no jailbreak via iCloud), Android
Capabilities: Keylogger (captures everything typed), screenshots, GPS, message monitoring, website blocking, time limits
iKeyMonitor's keylogger capability is among the most comprehensive available without a jailbreak — on iOS via iCloud sync, it captures text from many apps through iCloud backup interception.
The "No-Jailbreak iOS" Products
Many of the above products advertise an iOS option that requires "no jailbreak." What this means in practice: they access data from iCloud backups and synced data using the target's Apple ID credentials. The surveillance is done at the cloud level, not on the device. This means:
- The app does not appear on the target's device at all
- Battery drain and data usage are not affected (the data is pulled from Apple's servers, not the device)
- Standard device-level detection methods will find nothing
- The only detection method is reviewing signed-in devices and account access on appleid.apple.com
Behavioral Signs of Compromise
Battery and Performance Anomalies
Stalkerware runs as a persistent background service that continuously tracks location and periodically uploads data packages (messages, audio, screenshots) to remote servers. This creates measurable resource consumption.
Battery drain pattern to recognize: Not uniform drain throughout the day, but drain that accelerates when you haven't been actively using the phone. The difference between standby drain with nothing running (typically 1-2% per hour on a healthy battery) and drain with stalkerware active (can be 5-10% per hour) is detectable if you pay attention.
Heat pattern: A phone warm to the touch after sitting face-down on a desk for 30 minutes while idle is running background processes. The cellular radio and CPU required for continuous GPS and data upload generate heat.
Data Usage Anomalies
Stalkerware uploads data — call recordings, GPS coordinates, message content, keystrokes, photos. That data transfer appears in your mobile data usage statistics.
The specific anomaly to look for: an app (possibly disguised as a system service) showing significant background data transfer that you can't attribute to any known app behavior. A stalkerware app transmitting GPS and messages might consume 500MB-2GB per month in background data. Most legitimate background processes consume far less.
Account Activity Anomalies
Unexpected login notifications, password reset requests you didn't initiate, verification emails for account changes you didn't make — these are signs someone is actively working to access or has already accessed your accounts.
Specific pattern: you receive a two-factor authentication code via SMS that you didn't request. Someone knows your password and is attempting to log in. The fact that they can't complete the login (because 2FA is blocking them) is good — but it tells you your password is compromised.
Behavioral Intelligence Leaks
Your partner or the person you suspect is monitoring you demonstrates knowledge of private information:
- The content of a text conversation they were not part of
- Your location at a time you hadn't disclosed
- The content of an email they shouldn't have seen
- Awareness of a call you had that you kept private
This is the most significant behavioral indicator because it is direct evidence of surveillance, not a technical anomaly that could have other explanations.
Complete Android Detection Procedure
Execute these checks in order. Each check takes approximately 3-7 minutes.
Check 1: Full App Inventory
Settings → Apps → (tap filter/three-dot menu) → Show system apps → All apps
Work through the complete alphabetical list. You are looking for:
- Apps you don't remember installing
- Apps with generic system-sounding names (the following names have been used by actual stalkerware products):
- "System Service"
- "Device Health Service"
- "Phone Monitor"
- "Sync Manager"
- "Update Service"
- "Support Services"
- "App Manager"
- "Device Manager"
- "GSM Services"
- "System Information"
- Any variation on these themes
- Apps that show significant battery or data usage but don't appear in your app drawer
If you find a suspicious entry, don't uninstall it yet — note the package name and continue the checklist.
Check 2: Device Administrator Access
Settings → Security → Device Admin Apps
(Samsung: Settings → Biometrics and Security → Device Admin Apps)
(Pixel: Settings → Security → Advanced → Device admin apps)
Every entry here should be something you recognize. Legitimate holders of device admin status:
- Microsoft Outlook (for Exchange ActiveSync)
- Your employer's MDM app (if a work device)
- Find My Device (Google's anti-theft service)
- Specific security apps you intentionally set up
If you see an app in this list that you don't recognize, it's a significant red flag. Stalkerware requests this privilege specifically to prevent uninstallation.
Check 3: Accessibility Services
Settings → Accessibility → Installed Services
(or: Settings → Accessibility → Downloaded Apps)
Every entry should be something you deliberately granted accessibility access to. Legitimate uses:
- TalkBack (Google's screen reader)
- Switch Access (for motor-impaired users)
- Password managers (some request accessibility to autofill)
- Braille display apps
Any unfamiliar entry here has the ability to read everything on your screen and record all your input. This is perhaps the most dangerous permission stalkerware can hold.
Check 4: Sideloading and File Access Permissions
Settings → Apps → Special App Access → Install Unknown Apps
Apps with "Allowed" have installed something outside the Play Store. This is how most stalkerware arrived.
Settings → Apps → Special App Access → All Files Access
Apps listed here can read every file on your device. No app should have this unless it's a file manager you intentionally installed.
Check 5: Running Services
```bash
# Connect phone via USB with USB debugging enabled
# On the phone: Settings → Developer Options → USB Debugging → Enable

# List running services (look for suspicious persistent services)
adb shell dumpsys activity services | grep "ServiceRecord"

# List third-party packages with their APK file paths
adb shell pm list packages -f -3

# List the permissions Android classes as dangerous, organized by group
adb shell pm list permissions -d -g

# List packages with version codes (pm cannot filter by install date)
adb shell pm list packages --show-versioncode | head -50

# Show install and update times for one package
# (com.example.app is a placeholder; use a name from the list above)
adb shell dumpsys package com.example.app | grep -E "firstInstallTime|lastUpdateTime"

# Check for suspicious APK files in download directories
# (quoted so the wildcard is expanded by find on the phone)
adb shell 'find /sdcard/ -name "*.apk" 2>/dev/null'

# View battery consumption by app
adb shell dumpsys batterystats | grep "Uid u0a"
```

The -3 flag in pm list packages -f -3 lists only third-party apps (not system apps) with their APK file paths. Legitimate apps should have recognizable package names — com.google.android.gms for Google Services, com.spotify.music for Spotify. Research any package you can't identify.
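As an added example (not part of the original guide), the script below cross-references Check 3 and Check 4 over adb: it lists third-party packages whose installer is not the Play Store and flags those that also have an enabled accessibility service. The package names in the sample data are constructed, and the `--live` mode assumes a phone connected with USB debugging enabled.

```shell
#!/bin/sh
# Added example: flag sideloaded apps that hold accessibility access.
# Input formats are those printed by:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services

PLAY_STORE="com.android.vending"

# stdin:  output of `pm list packages -3 -i`
# stdout: "package installer" for each third-party package whose installer
#         is not the Play Store ("null" means sideloaded or installed via adb)
sideloaded_packages() {
  tr -d '\r' |
    sed -n 's/^package:\([^ ]*\)  *installer=\([^ ]*\).*$/\1 \2/p' |
    awk -v store="$PLAY_STORE" '$2 != store { print $1, $2 }'
}

# $1:     value of enabled_accessibility_services
#         (colon-separated "package/ServiceClass" components, or "null")
# stdout: one package name per line
accessibility_packages() {
  printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' |
    sed -n 's/^\([^/]*\)\/.*$/\1/p' | sort -u
}

# $1: pm list output, $2: accessibility setting value
# stdout: one REVIEW line per sideloaded package with accessibility enabled
flag_suspects() {
  acc=$(accessibility_packages "$2")
  printf '%s\n' "$1" | sideloaded_packages | while read -r pkg installer; do
    if printf '%s\n' "$acc" | grep -qxF "$pkg"; then
      echo "REVIEW $pkg (installer=$installer, accessibility service enabled)"
    fi
  done
}

# Constructed sample data (hypothetical package names, not real products)
SAMPLE_PACKAGES='package:com.spotify.music  installer=com.android.vending
package:com.example.passwordvault  installer=com.android.vending
package:com.example.syncmanager  installer=null
package:org.example.sideloadedgame  installer=com.google.android.packageinstaller'
SAMPLE_ACCESSIBILITY='com.example.passwordvault/.AutofillService:com.example.syncmanager/com.example.syncmanager.CoreService'

if [ "${1:-}" = "--live" ]; then
  # Query the connected phone instead of the sample data
  flag_suspects "$(adb shell pm list packages -3 -i)" \
                "$(adb shell settings get secure enabled_accessibility_services)"
else
  flag_suspects "$SAMPLE_PACKAGES" "$SAMPLE_ACCESSIBILITY"
fi
```

A flagged package is a lead to research, not proof: apps from other legitimate stores can also use accessibility services. Note the package name and continue the checklist before removing anything.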
Check 6: Network Behavior
```bash
# View active network connections (requires USB debugging)
adb shell netstat -tp 2>/dev/null | grep ESTABLISHED

# Check data usage per app
adb shell dumpsys netstats | grep -A5 "iface=rmnet"
```

Active connections to unfamiliar IP addresses from unknown apps warrant investigation. You can look up IP ownership at ipinfo.io.
On-device check (no ADB required):
Settings → Network & Internet → Data Usage → App Data Usage
→ (tap each app for background data breakdown)
Sort by background data and investigate any app with significant background upload that you can't attribute.
Check 7: Automated Scanning Tools
Install these from the Google Play Store:
Malwarebytes for Android (free): Scan for known stalkerware. It classifies commercial stalkerware as "monitoring tools" — these are listed separately from malware but flagged. A scan takes 1-2 minutes.
Certo Mobile Security (free): Purpose-built for stalkerware detection. Checks app signatures, device admin settings, accessibility services, and unknown source permissions simultaneously and presents a summary report.
ESET Mobile Security (free tier with full scan): Part of the Coalition Against Stalkerware initiative — their product is specifically tuned to detect surveillance software with higher accuracy than generic AV tools.
Complete iOS Detection Procedure
Check 1: Configuration Profiles
Settings → General → VPN & Device Management
If no profiles are listed here, this attack vector is not present. If a profile appears that you did not install:
- Tap the profile to see its full permission set
- Look specifically for: VPN configuration (can intercept all traffic), certificate installations (can enable HTTPS interception), app management (can install apps silently), and Mail/Calendar/Contacts configuration (gives access to those data sources)
- A profile from an organization you don't recognize, or any profile with network proxying enabled, is a serious red flag
Supervised Mode: If the phone was set up as a "supervised" device using Apple Configurator, profiles may be protected from removal. You'll see "This iPhone is supervised and managed by [organization name]" at the top of the Settings app. If that message is present on a personal device you didn't enroll in MDM, your device was set up with supervision enabled — which gives the enrolling party extensive control, including silent app installation and the inability to remove the supervision without a factory restore.
Check 2: Signed-In Devices on Apple ID
Settings → [Your Name at the top] → scroll down to see all devices
Every entry is a device with access to your iMessage, Find My, iCloud backup, and iCloud Drive. Tap each entry you don't recognize and select "Remove from Account." Do this even if you're not certain it's suspicious — you can always re-add your own devices.
Also review at the source: Visit appleid.apple.com from a trusted device (or browser on a computer). Under "Devices," you see the same list but with additional details: serial number, iOS version, whether FIDO hardware keys are trusted on that device.
Under "Sign-In and Security" on appleid.apple.com, check "Recent activity" for any events you don't recognize: logins from unfamiliar devices or locations, changes to recovery options, password changes you didn't make.
Check 3: Two-Factor Authentication Status
Settings → [Your Name] → Password & Security → Two-Factor Authentication
If 2FA is not enabled, enable it immediately. Without 2FA, anyone with your Apple ID password has full access to your iCloud data — messages, photos, location, backups, everything. This is the "no-jailbreak iOS surveillance" vector.
When you enable 2FA, review the trusted phone numbers listed. Every number shown is a phone that can receive 2FA codes and thus authenticate as you. Remove any number you don't recognize or no longer control.
Check 4: Jailbreak Indicators
A jailbroken iPhone can run stalkerware that is invisible to standard iOS protections. Check:
Cydia, Sileo, Zebra, Installer: These are jailbreak package managers. Their presence in the app list confirms a jailbreak.
Springtomize, Activator, iFile, Filza, Flex: Common jailbreak tweaks. If present, the device is jailbroken.
Settings anomalies: Some jailbreaks inject additional entries into the Settings app — options that don't exist in standard iOS, like "iCleaner," "Cydia Substrate," or similar.
Apple diagnostics: Settings → Privacy & Security → Analytics & Improvements → Analytics Data. In a non-jailbroken device, you'll see standard Apple crash logs. A jailbroken device sometimes has anomalous entries. This check is not definitive but can add to a pattern of evidence.
```bash
# If you have SSH access to a potentially jailbroken device:

# Check for stalkerware launch daemons
ls -la /Library/LaunchDaemons/ | grep -v com.apple

# Check for suspicious mobile substrate extensions
ls -la /Library/MobileSubstrate/DynamicLibraries/ | grep -v "(Apple)"

# Check for unusual processes (hide lines that mention apple or com.apple)
ps aux | grep -vE "apple|com\.apple"
```

iVerify ($2.99): The most comprehensive iOS integrity check available outside of enterprise forensics tools. It checks for:
- Jailbreak artifacts across multiple system directories
- Anomalous process behavior
- Known stalkerware signatures
- Configuration anomalies suggesting compromise
- Failed code signature checks
For any serious suspicion of iOS compromise, this is worth the $2.99.
Check 5: Privacy Permissions Audit
Settings → Privacy & Security → Location Services
Every app with "Always" access can continuously track your location in the background. Unless you have a specific navigational or fitness tracking reason for this, no app should have "Always" access. Change all non-essential apps to "While Using" or "Never."
Settings → Privacy & Security → Microphone
Settings → Privacy & Security → Camera
Any app with microphone or camera access that you don't actively use for audio/video should have access revoked. Social media apps, productivity tools, and most utilities have no legitimate need for persistent microphone or camera access.
Settings → Privacy & Security → Screen Time → Content & Privacy Restrictions
If restrictions are enabled and locked with a passcode you didn't set — particularly if they restrict the ability to install apps, change accounts, or modify privacy settings — your device may be under MDM control without your knowledge.
Safe Removal Procedure
Before removing stalkerware, consider whether doing so is safe in your specific situation. Stalkerware dashboards typically notify the stalker when the app goes offline or when monitored data stops flowing. If you are being monitored by someone who might react dangerously to discovering that you've discovered the surveillance, removal can trigger escalation. Plan your safety response before taking technical action.
Android Removal (Standard Apps)
The removal order matters. If you attempt to uninstall before revoking device admin status, you'll get an error:
1. Settings → Security → Device Admin Apps
→ Identify the stalkerware app
→ Tap it → "Deactivate this device admin app" → Deactivate
2. Settings → Accessibility → Installed Services
→ Find the stalkerware entry
→ Disable or revoke
3. Settings → Apps → [Stalkerware App Name]
→ Force Stop
→ Uninstall
4. Settings → Apps → Special App Access → All Files Access
→ Revoke for the app if still listed
5. Restart the device and verify the app is gone
(Settings → Apps → All apps — search for the app name)
After removal, change your Google account password from a clean device and sign out all sessions.
Android Removal (Rooted Devices)
If your device has been rooted (root access can be granted to stalkerware to allow deeper access and persistence), standard uninstallation may leave residual components. A factory reset is the reliable solution.

```bash
# Look for unfamiliar processes (filters out common system process names)
adb shell "su -c 'ps -A'" | grep -vE "kworker|android|zygote|system"

# List files under /system modified since boot (approximate indicator of tampering)
adb shell "su -c 'find /system/ -newer /proc/1'"
```

If the device is rooted and you find stalkerware with system-level access, factory reset is the appropriate remediation. Back up only what you need (contacts, photos) to an account the stalker doesn't have access to.
iOS Removal
Profile removal:
Settings → General → VPN & Device Management
→ Tap the suspicious profile → Remove Profile → Enter device passcode
If the profile is locked and can't be removed, and your device is in supervised mode:
- Connect to a Mac or PC with Finder/iTunes
- Select "Restore iPhone" to factory restore
- Set up as new — do NOT restore from backup
- After restoring, set up with a new Apple ID the stalker has never had access to
Apple ID credential change (essential after profile removal):
Settings → [Your Name] → Password & Security → Change Password
Do this from a trusted device if possible, or at minimum immediately after removing the profile. A new password invalidates any active sessions that used the old credentials.
Post-removal device audit:
Settings → [Your Name] → scroll down → verify all listed devices are yours
Settings → Privacy & Security → Location Services → review all permissions
Settings → Privacy & Security → Microphone → review all permissions
Nuclear Option: Factory Reset
When to do a factory reset rather than targeted removal:
- You found evidence of a jailbreak (iOS)
- You found evidence of root access (Android)
- You're uncertain whether your removal was complete
- You want absolute certainty rather than best-effort manual removal
Before resetting:
- Export contacts to a VCF file (Contacts → export on iOS, Google Contacts → export on Android)
- Save photos you need to external storage or a new, clean cloud account
- Note which apps you need to reinstall
- Do not use iCloud or Google backup for restoration — back up manually
After resetting:
- Set up the device as new — not from backup
- Create a new Apple ID or Google account with a fresh email address
- Use a strong unique password and enable 2FA immediately
- Reinstall apps manually from the App Store or Play Store
- Do not sign back into any shared accounts
After Technical Remediation: The Overlooked Steps
Removing stalkerware from your device is step one. The surveillance infrastructure often extends further.
Audit All Your Accounts
Assume any password you used while the device was compromised may be known. Stalkerware with keylogging capability captured every password you typed. Systematically change passwords for:
- Email (most critical — master key to everything else)
- Banking and financial accounts
- Social media
- Cloud storage
- Work accounts
- Any account that has sensitive information
Change passwords from a clean device, not from the device that was compromised.
Home Network Assessment
If you share a home router — or recently did — the router's administrator can see your DNS queries: every website you visit, every app that phones home, timestamps of your activity. This provides behavioral surveillance even after the device is clean.
Steps:
- Change the Wi-Fi password: every device will need to reconnect, so coordinate with anyone who legitimately needs access
- Change the router admin credentials (Settings page is usually at 192.168.1.1 or 192.168.0.1 — default credentials are often "admin/admin" or "admin/password")
- Check whether remote management is enabled (Settings → Administration → Remote Management) — disable if not needed
- Review connected devices and any port forwarding rules
If you're in a shared living situation where changing the router isn't feasible, use cellular data (not Wi-Fi) for sensitive communications while you plan your exit.
Secure a Secondary Communication Device
For the period immediately following discovery of surveillance, obtain a second phone — a cheap prepaid device — and use it for sensitive communications while you plan. Set up a new email address on it that the stalker has never seen. This device is for communications you know are private.
This is also the device you use to call the DV hotline, contact an attorney, and make logistical plans.
Legal Documentation and Reporting
The legal framework for prosecution is strong. In the US, stalkerware installation without consent violates:
- 18 U.S.C. § 2511 (Wiretap Act) — up to 5 years federal prison + $10,000/violation civil damages
- 18 U.S.C. § 2701 (Stored Communications Act) — up to 5 years federal prison
- 18 U.S.C. § 1030 (Computer Fraud and Abuse Act) — up to 10 years federal prison
- 18 U.S.C. § 2261A (Interstate Stalking / Cyberstalking) — up to 5 years federal prison
- Applicable state statutes (stalking, harassment, computer crimes) — penalties vary by state
Document before you delete:
- Screenshots of the stalkerware app in your app list
- Screenshots of device admin entries
- Screenshots of battery usage showing the app
- Screenshots of data usage showing background uploads
- Screenshots of any dashboard or web interface if you can safely access it
- Note the date of discovery, the device, the app name, and any visible stalker account information
File a police report. Bring your documentation. Request a detective with computer crimes experience. Request a report number for your records even if the investigation does not immediately proceed.
The Coalition Against Stalkerware (stopstalkerware.org) maintains a list of legal resources and can connect you with organizations that specialize in technology-facilitated domestic abuse cases.
Stalkerware vendors rebrand, restructure, and relaunch after regulatory action or app store removal. mSpy, FlexiSPY, and others have operated under various names over the years. Detection signatures in automated tools may lag new variants by weeks or months. If you have strong behavioral reasons to believe you're being monitored and tools come back clean, consider a fresh device as the definitive solution rather than trusting a clean scan.
Detection Summary Table
| Check | Platform | Path | What It Catches |
|-------|----------|------|-----------------|
| MDM Profiles | iOS | Settings → General → VPN & Device Management | Network proxying, silent app install, management profiles |
| Signed-in Devices | iOS | Settings → [Your Name] | iCloud credential sharing |
| Jailbreak Signs | iOS | App drawer / iVerify | Jailbreak-based deep stalkerware |
| Privacy Permissions | iOS | Settings → Privacy & Security | App-level location/mic/camera abuse |
| All Apps | Android | Settings → Apps → All | Sideloaded stalkerware |
| Device Admin | Android | Settings → Security → Device Admin Apps | Persistent stalkerware protection |
| Accessibility | Android | Settings → Accessibility | Screen-reading spyware |
| Sideload Permissions | Android | Settings → Apps → Special App Access | Install vector identification |
| ADB Package List | Android | adb shell pm list packages -f -3 | All third-party packages |
| Automated Scan | Both | Malwarebytes / Certo / iVerify | Known stalkerware signatures |
| Account Access | Both | Apple ID / Google account settings | Cloud-based surveillance |
| Physical Trackers | Both | Physical search / AirGuard app | AirTags and Bluetooth trackers |
The Harder Problem
Technical detection covers the device. The harder problem is the situation that created the surveillance.
Removing stalkerware from a phone does not remove the stalker. It does not remove the controlling dynamic. It does not guarantee physical safety. In documented cases, abusers have responded to surveillance discovery with violence.
The technology is the manifestation of a control pattern, not the whole of it. The organizations equipped to help with the whole of it are:
- National Domestic Violence Hotline: 1-800-799-7233 (US), thehotline.org
- Coalition Against Stalkerware: stopstalkerware.org — technology-specific DV resources
- Safety Net at NNEDV: nnedv.org — tech safety resources for DV survivors
- Clinic to End Tech Abuse (CETA): ceta.tech.cornell.edu — combines legal and technical assistance
- Electronic Frontier Foundation's Surveillance Self-Defense: ssd.eff.org — technical guides for various threat models
Technical steps matter. Safety planning matters more. Do both, in the order that keeps you safe.