Signs Your Partner Is Spying on Your Phone

Phone surveillance in intimate relationships is not rare, and it is not a fringe behavior. A 2020 study by the Coalition Against Stalkerware found that approximately 1 in 4 survivors of intimate partner violence reported that their abuser had used some form of technology to monitor them. Consumer stalkerware apps — products like mSpy, FlexiSPY, and Spyzie — are marketed openly, cost as little as $30/month, require only 5-15 minutes of physical access to install, and provide a real-time feed of everything on your device: messages, calls, location, photos, browser history.

The disturbing part is not just the technical capability — it is how invisible it is designed to be. FlexiSPY's marketing explicitly promises "100% invisible operation." mSpy advertises that the target will "never know." These products are not gray-market tools sold in dark web forums. They are commercial software with customer support teams and subscription billing.

Understanding whether your device has been compromised — and what to do about it with your safety intact — requires working through a systematic checklist. That is what this guide does.

Understanding the Threat Landscape

Before checking your device, understand what you are looking for and how these tools work:

Commercial stalkerware (mSpy, FlexiSPY, Hoverwatch, Cocospy, uMobix, Eyezy, Moniterro): These are standalone apps installed directly on the target device. On Android, they run as background services with device administrator privileges. On iOS, they either require a jailbreak or rely on iCloud credentials. They upload location, messages, call logs, and often audio recordings to a remote server accessible by the stalker through a web dashboard.

Cloud-based surveillance through account sharing: This is often the simplest and most underappreciated attack vector. If someone has access to your Apple ID or Google account — particularly if a device was ever set up using those credentials — they may have a continuous feed of your location, messages, and photos without having touched your current phone. This requires zero technical skill and leaves minimal traces on the device itself.

Carrier-level access: If you share a phone plan with someone, that account holder may be able to request call logs, account details, and in some cases location data from the carrier. This is distinct from device-level surveillance but can provide significant behavioral intelligence.

AirTags and passive trackers: Physical tracking devices placed in bags, vehicles, or clothing. Not phone surveillance per se, but often used in conjunction with phone monitoring to build a comprehensive picture of the victim's movements and contacts.

Network-level monitoring: If you share a home router, the router's admin can see DNS queries — effectively a log of every website you visit and many apps you use. Sophisticated controllers may run packet inspection tools on the home network.

The key insight: these attack vectors often operate simultaneously. Someone monitoring a partner typically doesn't pick one method — they use whichever access they have. A thorough check requires covering all of them.

Behavioral Signs That Demand Investigation

These are not conclusive on their own, but multiple signals appearing together indicate something worth investigating further.

They Know Things They Shouldn't

The clearest behavioral indicator is when your partner demonstrates knowledge of information they could not have obtained through normal communication. Specific examples:

• Referencing a conversation you had privately with a friend — not in person or on a call they were present for
• Knowing your location at a specific time you didn't share with them
• Awareness of plans you made by text or email without telling them
• Referencing the content of a message before you mentioned it
• Knowing who called or texted you without seeing your phone

This is distinct from the coincidences that occur in close relationships. The pattern is knowledge of specific, recent, private information — particularly information they would have no way of knowing unless they had direct access to your device or accounts.

Your Phone Disappeared for a Suspicious Window

Stalkerware installation on Android typically takes 5-15 minutes. The process involves navigating to settings to enable installation from unknown sources, downloading the APK, installing it, configuring it with the stalker's account credentials, and enabling device administrator access. On iOS via jailbreak, slightly longer. Via iCloud credentials, it requires only a web browser anywhere.

If your phone went missing for a period — left on a nightstand while you showered, left in a car or bag, handed to someone briefly — that window is sufficient. The question is whether you noticed a change in behavior afterward.

Unexpected Password Reset Emails or SMS

A password reset request you did not initiate is someone attempting to access your account. A single reset email could be a forgotten password attempt by a frustrated stalker; multiple resets across different services in a short period indicates a coordinated attempt to gain access to your digital life.

Check your email's sent folder: some reset flows send confirmation emails you may have missed. Check login history on your email provider.

Device Behaving Abnormally

Stalkerware runs as a persistent background service that uploads data — often in real time — to remote servers. This activity creates measurable physical effects:

• Battery drain significantly worse than before without any change in your usage patterns
• Device running warm when the screen is off and nothing is ostensibly downloading
• Mobile data spikes to amounts you can't attribute to normal use
• Screen activating briefly when idle — some stalkerware activates the microphone or camera remotely, which can briefly light indicator LEDs or activate the screen
• Slow performance or unexpected reboots — background processes compete with foreground apps for CPU and RAM

None of these is conclusive individually — updates, large caches, and hardware aging produce similar symptoms. The combination of multiple anomalies appearing around the same time, particularly after a window where the phone was out of your control, warrants a systematic check.

Controlling Behavior Escalation

Surveillance is almost always a symptom of a broader pattern of controlling behavior. If your partner has become increasingly controlling about your time, whereabouts, and communications — and especially if you notice that their knowledge of your activities seems to exceed what you've shared — the combination is significant.

Research on intimate partner technology abuse consistently shows that surveillance is used to maintain control rather than as a response to genuine concern. It typically escalates over time. The surveillance starts as location tracking; it expands to message monitoring; it expands further to listening to calls or activating the microphone. Recognize the pattern early.

Technical Indicators: Checking Your Accounts First

Account-based surveillance often provides more intelligence to a stalker than a locally installed app — and it requires checking your accounts before you check your device.

Apple ID: Check Active Devices

Navigate to Settings → tap your name at the top → scroll down past your Apple ID details.

Every device signed into your Apple ID is listed here: iPhones, iPads, Macs, Apple Watches, Apple TVs. Each entry shows the device model, iOS version, and a description. Tap any device to see its serial number and the option to remove it.

What to look for:

• Any device you don't recognize
• A device you used to own that is still signed in (should have been removed when you stopped using it)
• A device with a generic name ("iPhone" or "iPad") that you can't attribute to yourself

If a partner has added their device to your Apple ID — or if they know your Apple ID credentials and have signed in from their own device — they have access to iMessage (your messages sync across all signed-in devices), Find My (your location), Photos (if iCloud Photo Library is on), and every iCloud backup of your device.

Also check: Settings → [Your Name] → iCloud → iCloud Drive → Show All — any app with iCloud sync enabled shares data across all signed-in devices.

Google Account: Check Active Sessions and Devices

Visit myaccount.google.com from a browser (not from the same device you're checking, if possible). Navigate to Security → Your devices.

You'll see every device that has accessed your Google account, when it last accessed the account, and the approximate location of that access. Devices are identified by model name.

Also check: Security → Recent security activity. This shows significant account events: new device sign-ins, password changes, account recovery options being changed. A new sign-in from an unfamiliar device or location is an immediate red flag.

Third-party app access: Security → Third-party apps with account access. Any app you don't recognize with access to your Google data — including location history, contacts, or calendar — should be revoked.

iCloud on the Web: Find My

Access icloud.com from a browser and look at Find My. If someone has access to your account, they can see your location through Find My. If your iCloud account is shared — even on an old device that a partner still has — they can see exactly where your iPhone is in real time.

The Find My section also shows your AirPods, MacBooks, and any other Apple devices enrolled. If there's a device showing a location that seems to be following you around independently, that's a tracking device enrolled under your account.

Location History: Google Maps and iPhone

Google Maps Timeline: In the Google Maps app, tap your profile photo → Your Timeline. This shows a day-by-day record of everywhere you've been. If location history is enabled on your account and someone else has your account credentials, they have access to this complete historical record.

Check whether Timeline is enabled: Your Timeline → the three-dot menu → Settings & privacy → Location History. If it's on and you didn't enable it, consider who else might have access to your account.

iPhone Significant Locations: Settings → Privacy & Security → Location Services → System Services → Significant Locations. This is a local-only record that requires your device passcode to access — but if someone has your passcode, it provides a detailed movement history.

Email Account: Access Logs and Rules

Your email is the master key to your digital life — it's how every other account resets its password. Check it carefully.

Gmail: Settings (gear icon) → See all settings → Accounts and Import → Check if there are alternate addresses or forwarding rules. Then navigate back to the main Gmail interface and scroll to the bottom right corner — you'll see "Last account activity." Click "Details" for a full log of recent access, IP addresses, and devices.

Outlook/Microsoft 365: myaccount.microsoft.com → Security → Sign-in activity. This shows every login with device type, location, and IP address.

What to look for:

• Email forwarding rules you did not create (all incoming mail being forwarded to another address is a common surveillance technique)
• Filters that mark emails as read without delivering them to your inbox
• Unusual login times (access at 3am when you were asleep)
• Logins from IP addresses in locations you don't recognize

Password Reset History

Check the email address associated with your important accounts for password reset confirmation emails. These indicate that someone has been attempting to access — or has successfully accessed — your accounts. Even if they failed to complete the reset, the attempt is logged in your email.

Checking Your Device: Android

Android is the primary target platform for stalkerware because its architecture allows third-party app installation (sideloading) and because stalkerware can be installed without significant technical sophistication.

Step 1: Check Installed Apps Systematically

Navigate to Settings → Apps (some manufacturers label this "Application Manager" or "Applications"). Tap the filter or sort options and select "All apps" or "All" — this shows every installed package including system apps and disabled apps.

Work through the list looking for:

• Apps you don't remember installing
• Apps with generic system-sounding names: "System Service," "Device Health," "Phone Monitor," "Sync Manager," "App Manager," "Device Manager"
• Apps with no icon in the app drawer but visible in this list
• Apps that consume battery or data but serve no obvious purpose

Stalkerware developers routinely name their products to blend in with Android system processes. The names that appear in the full app list are the package display names, which can be anything the developer chose.

Step 2: Check Device Administrator Apps

Settings → Security → Device Admin Apps (the exact path varies: on Samsung it may be under Biometrics and Security → Device Admin Apps; on stock Android it's often under Settings → Security → Advanced → Device admin apps).

Device administrator privileges allow an app to prevent its own uninstallation, remotely lock or wipe the device, and enforce security policies. Legitimate apps that hold device admin status: your employer's MDM solution (if this is a work phone), your anti-theft app, Microsoft Outlook (for Exchange ActiveSync), and similar business tools. Any app you don't recognize holding device admin status is serious.

Stalkerware requires device admin status specifically to prevent easy removal — if you uninstall before revoking admin rights, the system will block the uninstall with an error.

Step 3: Check Accessibility Services

Accessibility services have some of the deepest system access available to third-party apps. They were designed for screen readers and motor-impaired users, but they can read screen content, inject input, and monitor activity across all apps. Stalkerware routinely abuses this access.

Settings → Accessibility → Downloaded Apps (or Installed Services, depending on Android version). Every entry in this list should correspond to an app you know and intentionally granted this access to: password managers (sometimes), screen readers, switch access tools. Any unfamiliar entry is a serious red flag.

# If you have USB debugging enabled, you can enumerate accessibility services:
adb shell settings get secure enabled_accessibility_services

The output lists packages using accessibility services. Research any you don't recognize.

Step 4: Check for APKs and Unknown Sources Permissions

Settings → Apps → Special App Access → Install Unknown Apps

Any app listed here with "Allowed" has been granted permission to install applications from sources outside the Play Store. Legitimate uses: Amazon Shopping (installs the Appstore), some development tools. If a browser app has this permission, it was used to download and install an APK.

Settings → Apps → Special App Access → All Files Access (Android 11+)

Apps with "All Files Access" can read every file on your device. No legitimate app should need this unless it's a file manager. Stalkerware uses this permission to access photos, documents, and downloaded files.

Step 5: ADB Deep Scan

If you're comfortable with Android Debug Bridge, connect your phone to a computer with USB debugging enabled (Settings → Developer Options → USB Debugging):

# List all installed packages with their APK file paths
adb shell pm list packages -f
 
# List only third-party packages (non-system apps)
adb shell pm list packages -3 -f
 
# Check which apps have dangerous permissions
adb shell pm list packages | xargs -I{} adb shell dumpsys package {} | grep -A5 "uses-permission"
 
# Check running services (stalkerware runs as a persistent service)
adb shell dumpsys activity services | grep -i "Service"
 
# Check for suspicious APK files
adb shell find /sdcard/Download -name "*.apk"

The third-party package list (-3 flag) shows everything installed outside the factory default. Research anything unfamiliar on VirusTotal (virustotal.com) by searching the package name.

Step 6: Use a Dedicated Detection Tool

Manual inspection catches many stalkerware apps but not all — some use obfuscated package names and delete their APK after installation to reduce traces. Use at least one automated tool:

Malwarebytes for Android (free): Scans for known stalkerware signatures classified as "monitoring tools" and "riskware." Detects commercial stalkerware products including FlexiSPY, mSpy, and Hoverwatch variants.

Certo Mobile Security (free): Specifically designed to detect stalkerware. Scans app signatures, checks device admin settings, and flags suspicious configurations.

ESET Mobile Security (free tier): Part of the Coalition Against Stalkerware initiative — their mobile product is specifically tuned to detect surveillance software that other AV products might classify as legitimate.

Checking Your Device: iOS

iOS is architecturally more restrictive than Android, which limits what stalkerware can do without a jailbreak. That doesn't mean iPhone users are immune — it means the attack vectors are different.

iOS Attack Vector 1: MDM Configuration Profiles

Mobile Device Management profiles are the most powerful surveillance mechanism available on iOS without a jailbreak. A profile can:

• Install apps silently without App Store authorization
• Intercept network traffic (through a VPN or proxy configuration)
• Enforce policies that restrict settings
• Access email, calendar, and contacts remotely
• Remotely lock or wipe the device

Check for profiles: Settings → General → VPN & Device Management

If you see a configuration profile that you did not intentionally install — and particularly any profile not from your employer's known MDM solution — tap it to review its permissions. A profile with network proxying enabled can intercept all your traffic, including HTTPS, by installing its own certificate authority.

How a profile gets installed: Either through a link sent via email or message that you tapped and approved, through a computer you connected to with iTunes/Finder, or through physical access to your unlocked phone. If you see an unfamiliar profile and have no idea how it got there, the answer is likely physical access during a window when the phone was unattended.

iOS Attack Vector 2: Jailbreak-Based Apps

A jailbroken iPhone can run apps that operate outside Apple's sandboxing model, including stalkerware with full system access. FlexiSPY, for example, explicitly requires a jailbreak to access call content and encrypted messaging apps.

Signs your phone has been jailbroken:

• The presence of Cydia, Sileo, Zebra, or Installer apps
• An app called "Filza" (jailbreak file manager) or "iFile"
• Settings menus or options that don't appear on standard iOS (some jailbreaks inject new Settings entries)
• Unusual battery drain and background data consistent with stalkerware

Automated check: iVerify ($2.99 one-time purchase) performs a comprehensive compromise check on iOS devices, detecting jailbreak indicators, anomalous system behaviors, and known surveillance tooling signatures. For serious suspicion of iOS compromise, this is worth the cost.

Certo AntiSpy (Windows/Mac tool, paid): Connects to your iPhone via USB and performs a deeper scan than is possible from within iOS itself. Useful when you have serious suspicion of a jailbreak-based installation.

# If you have SSH access (jailbroken device), check for stalkerware:
find /var/mobile/Library/Application\ Support/ -name "*.plist" | xargs grep -l "flexispy\|mspy\|hoverwatch"
 
# Check for suspicious launch daemons (persistent background processes):
ls /Library/LaunchDaemons/ | grep -v "com.apple"

iOS Attack Vector 3: iCloud-Based Surveillance

This requires no physical access to your current device and leaves no trace on the device itself. If someone knows your Apple ID and password, they can:

• Access iMessages through an additional device signed into your Apple ID
• See your location in real time through Find My
• View your Photos through iCloud
• Access iCloud Drive documents
• Download your device backups (which contain nearly everything on your phone)
• Access FaceTime call history

This is the most common iOS surveillance vector precisely because it requires only credentials, not physical access.

How to detect it:

1. Settings → [Your Name] → scroll down to see all devices. Remove any you don't recognize.
2. appleid.apple.com → Sign-In and Security → Edit → Review sign-in history and recent activity.
3. Settings → [Your Name] → Password & Security → check whether Two-Factor Authentication is enabled. If not, enable it now — it prevents someone else from logging into your Apple ID even if they have your password.

iOS Attack Vector 4: Third-Party App Permission Abuse

A final, lower-capability but real vector: legitimate apps with excessive permissions that a partner has installed, or permissions granted on apps they configured. This provides limited surveillance but is worth auditing.

Settings → Privacy & Security → Location Services: Review every app with "Always" access. This is the highest privilege — the app can query your location continuously in the background. A handful of legitimate apps need this: Maps navigation apps, Find My Friends if you're knowingly sharing, Uber and Lyft while driving. Any app with "Always" access you don't explicitly recognize and use for location-dependent features should be downgraded to "While Using" or "Never."

Settings → Privacy & Security → Microphone: No app should have continuous microphone access that you're not actively using for audio recording or calls. Review every entry and revoke anything you can't justify.

Settings → Privacy & Security → Camera: Same analysis. Apps that don't need camera access for their core function shouldn't have it.

AirTags and Physical Trackers

Physical trackers are increasingly common in intimate partner surveillance scenarios. They're small, cheap, and use the network of existing Apple devices to relay location — meaning coverage is nearly ubiquitous in populated areas.

Apple's anti-stalking system: Since late 2021, iPhones automatically detect when an unknown AirTag has been traveling with them for an extended period and display a notification: "AirTag Found Moving With You." This notification includes a map showing where the AirTag has been detected and an option to play a sound on the AirTag to locate it.

The limitations: The detection window is deliberately vague (Apple hasn't published the exact timing, and has adjusted it multiple times in response to abuse reports). Android users can install Apple's "Tracker Detect" app, but it requires manually triggering a scan rather than passive background detection. Competing trackers (Tile, Samsung SmartTag) don't trigger Apple's alerts.

Where to physically check:

• Inside bags, backpacks, and purses (particularly in inside pockets or sewn into lining)
• Inside the frame or lining of jackets
• Under vehicle seats (run your hand under both front and rear seat rails)
• In the wheel wells of your car (AirTags and magnetic trackers are often attached here)
• Inside the trunk, particularly behind side panels
• In the OBD-II port under your dashboard (hardwired GPS trackers plug directly here)
• In diaper bags, children's backpacks, car seats if you have children

Dedicated tracker scanning: The AirGuard app (iOS and Android) passively scans for all Bluetooth tracking devices — AirTags, Tiles, Samsung SmartTags, and others — and alerts you to items traveling with you. It also covers products that Apple's own alerts miss.

The Recovery Process: Step-by-Step

Once you have assessed the situation — and, if applicable, consulted with a DV advocate or legal advisor — take the following steps in order. The order matters because changing account credentials from a compromised device may alert the stalker through their monitoring dashboard.

Step 1: Secure Your Accounts From a Clean Device

The first priority is taking back control of your accounts. Do this from a device you are certain is clean — a trusted friend's phone, a library computer, a new device, or any device that has never been in your partner's physical access.

1. Change your primary email password first (Gmail, iCloud, Outlook — whichever is your main account)
2. Enable two-factor authentication immediately using an authenticator app (Google Authenticator, Authy), NOT SMS if you can avoid it
3. Make sure the recovery phone number and recovery email for your email account are ones you control exclusively — not a shared number or one associated with a shared account
4. Change your Apple ID password or Google account password
5. Change passwords for banking and financial accounts
6. Change any account that is connected to the same email address

Do not use a password manager or browser on the device you suspect is compromised — the stalkerware may log keystrokes. Generate new passwords on a clean device.

Step 2: Revoke All Device Sessions

Apple ID:

• Visit appleid.apple.com
• Under Devices, remove every device you don't currently own or recognize
• Under Sign-In and Security → Active Sessions, review and revoke any sessions you don't recognize

Google:

• Visit myaccount.google.com → Security → Your devices
• Select "Sign out" on every device that should not have access
• Under Recent security activity, review and act on any unfamiliar sign-ins

Email:

• Sign out all active sessions from your email provider's security settings
• Revoke any third-party app access you don't recognize

Step 3: Remove Suspicious Apps and Profiles

Android:

1. Revoke device administrator privileges first (Settings → Security → Device Admin Apps) — otherwise the app blocks its own uninstallation
2. Revoke accessibility service permissions for the suspicious app
3. Uninstall via Settings → Apps → [App Name] → Uninstall
4. Revoke "All Files Access" and "Install Unknown Apps" permissions

iOS:

1. Remove suspicious configuration profiles: Settings → General → VPN & Device Management → [Profile] → Remove Profile
2. Change your Apple ID password immediately after removing a profile — if someone installed a profile, they had physical access to your phone and may have your passcode
3. If the profile is protected and cannot be removed, your device may be in supervised mode — this requires a factory restore

Step 4: Factory Reset (The Nuclear Option)

A factory reset removes all locally installed stalkerware with certainty. When to do it:

• You found confirmed stalkerware but cannot fully determine its scope
• You found a jailbroken iOS device
• You want absolute certainty rather than relying on your audit

Before resetting:

• Back up contacts and photos to a new, clean account (not the same Google or Apple account that may have been compromised)
• Do NOT restore from an iCloud or Google backup made during the period of compromise — this can reinstall the stalkerware or restore the conditions that allowed it
• Selectively export what you need (contact list, photos) rather than doing a full system restore

After resetting:

• Set up with a new Apple ID or Google account that the stalker has never had access to
• Use strong unique passwords and enable 2FA with an authenticator app
• Do not sign back into any account without first changing its password from a clean device

Step 5: Audit Location Sharing and Connected Services

After securing accounts and devices, audit what is still sharing your location:

iPhone: Settings → Privacy & Security → Location Services → Share My Location — turn this off and review every "family sharing" arrangement. Settings → Privacy & Security → Location Services → System Services → Location Sharing — review everything listed.

Google: myaccount.google.com → Data & privacy → Location History — review and disable if not needed. Google Maps → profile → Your Timeline → Timeline settings — check whether location history is being retained.

Third-party apps: Review every app with location access on both platforms. Life360, Find My Friends, family location apps, and carrier family tracking features can all persist as surveillance channels if you set them up during a relationship and forgot to revoke them.

Step 6: Secure Your Home Network

If you share or previously shared a home Wi-Fi network, the router remains a monitoring vector even after securing your device and accounts. The router's admin can see DNS queries — what websites and services you access, roughly when, and from which device.

• Change the Wi-Fi password immediately
• Change the router admin username and password (default credentials are frequently used unchanged)
• Check whether any port forwarding rules have been created (which can expose your devices to external access)
• Consider whether you need to replace the router entirely if you suspect deeper tampering

For sensitive communications while still in the same household, use cellular data rather than the home Wi-Fi.

The Legal Path Forward

In most US jurisdictions, installing monitoring software on someone's device without consent violates multiple federal statutes (18 U.S.C. § 2511, § 2701, § 1030) and likely multiple state statutes (stalking, harassment, computer crimes). These are felony-level offenses at the federal level.

Before removing stalkerware, document it:

• Screenshot the app in Settings (if visible)
• Screenshot device admin entries showing the app
• Screenshot battery usage showing the app's background consumption
• Screenshot data usage showing abnormal upload patterns
• Take a clear photo of your screen with a separate device
• Screenshot the accessibility services entry

This documentation is evidence for:

• A police report (criminal complaint)
• A civil lawsuit under 18 U.S.C. § 2520 (Wiretap Act civil action) — statutory damages of $10,000 per violation
• A domestic violence protection order application
• Custody proceedings where coercive control is relevant

Organizations with specialized resources:

• Coalition Against Stalkerware (stopstalkerware.org): Maintains a list of support organizations by country and provides device documentation guidance
• Safety Net at NNEDV (nnedv.org/content/safety-net): Technology safety resources specifically for DV survivors
• Electronic Frontier Foundation's Surveillance Self-Defense (ssd.eff.org): Technical guides for protecting yourself from surveillance
• Clinic to End Tech Abuse (CETA) at Cornell: Legal and technical resources for tech abuse survivors

If you discover surveillance evidence, consult a lawyer before removing it. In some scenarios, preserving the evidence intact — while conducting your communications on a clean device — gives you significantly more legal leverage than a cleaned device with no proof.

Summary Checklist

Use this checklist as your systematic audit. Work through it in order.

Account checks (do these first, from a clean device):

• [ ] Apple ID: review signed-in devices, revoke unknowns
• [ ] Google: review active devices and recent security activity
• [ ] Primary email: check forwarding rules, filters, access logs
• [ ] Review third-party app access on both Apple ID and Google
• [ ] Check Google Maps Timeline for unexpected location data

Device checks (iOS):

• [ ] Settings → General → VPN & Device Management: any unknown profiles?
• [ ] Settings → [Your Name]: review all signed-in devices
• [ ] Settings → Privacy & Security → Location Services: review "Always" permissions
• [ ] Settings → Privacy & Security → Microphone/Camera: review all access
• [ ] Signs of jailbreak: Cydia, Sileo, or unfamiliar sideloaded apps
• [ ] Run iVerify for automated compromise detection

Device checks (Android):

• [ ] Settings → Apps → All apps: review full list for unknowns
• [ ] Settings → Security → Device Admin Apps: review all entries
• [ ] Settings → Accessibility → Installed Services: review all entries
• [ ] Settings → Apps → Special App Access → Install Unknown Apps: review
• [ ] Settings → Apps → Special App Access → All Files Access: review
• [ ] Run Malwarebytes or Certo for automated detection

Physical check:

• [ ] Inspect bags, jacket pockets, and belongings for trackers
• [ ] Inspect vehicle (wheel wells, under seats, trunk, OBD port)
• [ ] Install AirGuard for continuous Bluetooth tracker detection

If surveillance is found:

• [ ] Document with screenshots before removing anything
• [ ] Contact DV hotline or attorney for safety planning
• [ ] Change all passwords from a clean device
• [ ] Revoke all account sessions
• [ ] Remove app/profile (if safe to do so)
• [ ] Factory reset if needed
• [ ] Audit all location-sharing arrangements
• [ ] Change home Wi-Fi credentials