Stalkerware: What It Is, How It Gets Installed, and How to Detect It on Your Device

Stalkerware is commercial spyware sold as parenting or relationship software but used for covert surveillance. Learn the technical detection signs, how it reaches devices, and where to get help if you find it.

The term “stalkerware” didn’t appear in cybersecurity literature until around 2017, but the software it describes has existed for much longer. What changed is the scale, the commercial availability, and the degree to which it became normalized through dual-use marketing. A product sold in a Google ad as “the #1 parental monitoring app” is the same product documented in National Domestic Violence Hotline case files as a tool used to track victims’ every communication and location. The app has no awareness of the relationship between the person who installed it and the person being monitored. It just runs.

For parents, understanding stalkerware is urgent in two directions: understanding whether a monitoring tool they’ve considered using crosses into stalkerware territory when deployed without consent, and understanding the signs that someone else may have installed stalkerware on a device used by their child or themselves.

Key Takeaways

  • Stalkerware is commercial monitoring software installed without the device owner’s knowledge or consent; the same apps are marketed legitimately as parental controls or employee monitoring tools when disclosed.
  • The Coalition Against Stalkerware — which includes cybersecurity firms Kaspersky, ESET, Malwarebytes, and NortonLifeLock — has documented thousands of stalkerware variants and provides detection tools.
  • Common technical signs include unexplained battery drain, unfamiliar background processes, new device management profiles, and data usage attributed to apps the user doesn’t recognize.
  • Android devices are more vulnerable to stalkerware installation than iPhones due to Android’s more open application ecosystem.
  • Removal requires careful sequencing — immediately resetting a compromised device may destroy evidence needed for legal protection and may alert the abuser.

What Stalkerware Actually Is

Stalkerware is a subset of spyware. Specifically, it refers to commercial software products designed and sold for the purpose of monitoring a device and its user, typically with features to conceal the app’s presence on the device. What separates stalkerware from general spyware is that stalkerware is:

  1. Commercially sold through legitimate-appearing websites, often with customer support and subscription plans.
  2. Marketed with dual-use framing: “parental monitoring” or “employee tracking” in the marketing materials, but with explicit tutorials for hiding the app from the monitored person.
  3. Designed specifically to hide itself — by removing its icon from the home screen, using a disguised name in the app list, and running in the background without visible notifications.

The Federal Trade Commission took its first major stalkerware enforcement action in 2021, against SpyFone, ordering the company to destroy all collected data and banning it from the surveillance industry. The FTC explicitly framed stalkerware as a consumer protection and safety issue, noting in its press release that “SpyFone’s secret surveillance app was a dangerous product” and that the company “enabled stalkers and domestic abusers.”

CISA classifies stalkerware as a cybersecurity threat and has published technical guidance specifically for victims and support organizations. The FBI’s Internet Crime Complaint Center receives stalkerware-related complaints categorized under both cybercrime and intimate partner violence.

How Stalkerware Gets onto Devices

There is no single pathway. Understanding all of the vectors helps parents and teens assess their own risk profile.

Physical Access Installation (Android)

The most common installation method for Android devices is brief physical access to an unlocked phone. The abuser or controlling person:

  1. Enables installation from unknown sources (Settings > Security > Unknown Sources or Install Unknown Apps).
  2. Downloads the stalkerware APK file from the vendor’s website, either by navigating to it on the victim’s phone or by transferring it from another device.
  3. Installs the app and configures it: sets up the remote monitoring account, specifies what data to collect, and enables the hide-icon option.
  4. Reverts the unknown-sources setting and hands the device back.

The entire process typically takes 5-15 minutes. The victim’s device now has a hidden app running in the background that reports its activity to a remote dashboard the installer controls.

Most stalkerware apps don’t appear in the app drawer after installation. They continue to run as a background process and transmit data at configured intervals (some in real time, some periodically). Some apps use service names that sound like system processes (“SyncService,” “TaskManager,” “com.android.systemtools”) to blend into the device’s process list.

iCloud Credential Access (iPhone)

iPhones are significantly more difficult to compromise with stalkerware at the device level, due to Apple’s restrictions on sideloading and the sandboxed app environment. However, iCloud provides an alternative attack surface.

If an abuser has a victim’s Apple ID credentials, they can log into iCloud.com and access:

  • iCloud Drive files
  • Photos (if iCloud Photos is enabled)
  • iMessage backups (through iTunes/Finder backups; not directly on iCloud.com, but available if the abuser has computer access)
  • Find My: the victim’s location if location sharing was set up between the accounts
  • iCloud backup metadata

Some commercial stalkerware services explicitly market an “iPhone solution” that operates entirely through iCloud credentials rather than device installation. These services download and parse the victim’s iCloud backup to extract messages, photos, contacts, and call logs.

Mobile Device Management (MDM) Profiles (iPhone and Android)

MDM profiles are designed for enterprise device management — they allow organizations to configure employee devices remotely. Abusers who are technically sophisticated can create malicious MDM profiles and install them on a victim’s device.

On iPhones: MDM profiles can be installed through a web link that the victim clicks, through a QR code, or if the abuser had control of the phone during initial setup. A profile gives the abuser the ability to install apps remotely, restrict device settings, and in some cases monitor device activity.

On Android: Similar MDM functionality exists through Android’s Device Policy Controller.

Both Apple and Google have tightened restrictions on MDM profile abuse in recent OS updates, but older devices on older operating systems remain more vulnerable.

Carrier-Level Access

This pathway requires no device access at all. If the abuser is the account holder on the victim’s phone plan, the carrier’s account portal provides access to:

  • Call records (who called whom, duration, timestamps)
  • Text message metadata (sender, recipient, timestamp — not content, but metadata)
  • Data usage records
  • Device location through the carrier’s own tools (some carriers offer family location features to account holders)

This is why controlling partners who pay for a phone plan retain significant surveillance capability even without any app on the device.

Technical Detection: A Step-by-Step Approach

Detecting stalkerware requires examining several different layers of your device. The following steps do not require any specialized tools — they use built-in device features.

On Android

Check for unknown sources being enabled: Go to Settings > Apps > Special App Access > Install Unknown Apps. If an app you don’t recognize shows “Allowed,” this is a red flag — it means the device was configured to allow installation from outside the Play Store.

Review all installed apps: Go to Settings > Apps > See All Apps. Sort by “Last Updated” or look for apps with no icon, generic names, or descriptions that don’t match anything you recall installing. Tap any unfamiliar app to see its permissions — stalkerware typically requests access to contacts, SMS, camera, microphone, location, and storage simultaneously.

Check data usage by app: Go to Settings > Network & Internet > Internet > (your carrier) > App Data Usage. Look for apps consuming data that you don’t recognize. Compare what you see against your list of known installed apps.

Check battery usage by app: Go to Settings > Battery > Battery Usage. Unfamiliar apps appearing in the list of significant battery consumers are worth investigating.

Check running services: Enable Developer Options (go to Settings > About Phone, tap Build Number 7 times). Then go to Settings > Developer Options > Running Services. This shows every process actively running on the device, including background services that don’t appear in the normal app list.

Examine device administrator access: Go to Settings > Security > Device Admin Apps. Any app listed here that you didn’t authorize has elevated system permissions and cannot be uninstalled through normal means.
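For readers comfortable with a computer and a USB cable, the Android checks above can be combined into one pass over an app inventory. The following is an added example, not part of the original article or any vendor's tool: the package names and records are constructed sample data, the package list is shaped like the output of `adb shell pm list packages -i -3`, and the four-group permission threshold is an assumption.

```python
import re

# Installers treated as expected; extend for your device's own store (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# The six permission groups the article says stalkerware requests together.
SENSITIVE = {
    "contacts": "android.permission.READ_CONTACTS",
    "sms": "android.permission.READ_SMS",
    "camera": "android.permission.CAMERA",
    "microphone": "android.permission.RECORD_AUDIO",
    "location": "android.permission.ACCESS_FINE_LOCATION",
    "storage": "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample: third-party packages with installer (`pm list packages -i -3`).
PM_LIST = """\
package:com.example.notes  installer=com.android.vending
package:com.android.systemtools  installer=null
package:org.example.flashlight  installer=com.google.android.packageinstaller
"""
# Constructed: granted permissions, device admin apps, apps with a launcher icon.
GRANTED = {
    "com.example.notes": {"android.permission.READ_EXTERNAL_STORAGE"},
    "com.android.systemtools": set(SENSITIVE.values()),
    "org.example.flashlight": {"android.permission.CAMERA"},
}
DEVICE_ADMINS = {"com.android.systemtools"}
LAUNCHABLE = {"com.example.notes", "org.example.flashlight"}

def parse_pm_list(text):
    """Map package name -> installer (None when the installer is 'null')."""
    packages = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            packages[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return packages

def audit(pm_text, granted, admins, launchable, min_groups=4):
    """Return {package: [reasons]} for every package with at least one signal."""
    findings = {}
    for pkg, installer in parse_pm_list(pm_text).items():
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append("installed outside the Play Store")
        held = [g for g, p in SENSITIVE.items() if p in granted.get(pkg, set())]
        if len(held) >= min_groups:  # threshold is an assumption of this example
            reasons.append("broad sensitive access: " + ", ".join(held))
        if pkg in admins:
            reasons.append("device admin app")
        if pkg not in launchable:
            reasons.append("no launcher icon")
        if pkg.startswith(("com.android.", "android.")):
            reasons.append("third-party app using a system-style name")
        if reasons:
            findings[pkg] = reasons
    return findings
```

Calling `audit(PM_LIST, GRANTED, DEVICE_ADMINS, LAUNCHABLE)` on the sample reports five signals for the constructed `com.android.systemtools` package and one for the sideloaded flashlight app. A single signal is a prompt to look closer, while several on the same package match the pattern described in this section.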

On iPhone

Check VPN and Device Management for profiles: Go to Settings > General > VPN & Device Management. Any profile listed that you didn’t deliberately install — especially from an unfamiliar organization name — is a serious red flag. Tap the profile to see what permissions it grants.

Review privacy indicators: Go to Settings > Privacy & Security > App Privacy Report (if enabled). This shows which apps have recently accessed your microphone, camera, location, contacts, and other sensitive data. An unfamiliar app name appearing here warrants investigation.

Check iCloud account access: Go to appleid.apple.com and review which apps and devices have access to your Apple ID. If you see unfamiliar devices or apps with access, revoke them immediately.

Review trusted devices: On the same Apple ID page, review which devices are signed into your Apple ID. An unfamiliar device listed as trusted means someone has verified your Apple ID on their device — which gives them access to two-factor authentication codes sent to your account.

Check iCloud sharing: Go to Settings > [Your Name] > Family Sharing. If you’re in an iCloud Family Sharing group with someone, they may have access to your location through Family Sharing’s location features.

| Detection Check | Android Path | iPhone Path | What to Look For |
|---|---|---|---|
| Unknown app installations | Settings > Apps > Special App Access | N/A (iOS restricts this) | Any app with “Install Unknown Apps” allowed |
| Device management profiles | Settings > Security > Device Admin Apps | Settings > General > VPN & Device Management | Profiles you didn’t install |
| Unfamiliar running processes | Settings > Developer Options > Running Services | N/A (iOS restricts process visibility) | Processes with system-sounding names |
| Anomalous data usage | Settings > Network > Data Usage | Settings > Cellular | Apps with unexplained data consumption |
| Camera/mic access logs | Settings > Privacy > Permission Manager | Settings > Privacy & Security > App Privacy Report | Unfamiliar apps accessing sensitive permissions |
| Shared account access | N/A | appleid.apple.com > Devices | Unfamiliar devices signed into your Apple ID |

What Stalkerware Does With the Data It Collects

Understanding the data flow helps contextualize the risk. When stalkerware captures data, it transmits it to a remote server operated by the stalkerware vendor. The installer — the abuser — logs into a web dashboard or mobile app provided by the vendor to view the collected data.

This dashboard typically presents:

  • A feed of intercepted text messages, sorted chronologically
  • A log of call records
  • A map with location history plotted as a track
  • Screenshot galleries captured from screen recording
  • Notifications configured by the installer (e.g., “alert me when this contact is messaged”)

The data is stored on the vendor’s servers, potentially indefinitely. This creates a secondary risk: vendor data breaches. Several stalkerware vendors have experienced significant data breaches in which victim data — collected covertly, stored on vendor servers — was exposed to third parties. mSpy experienced a major breach in 2015. Retina-X Studios (maker of PhoneSheriff and other products) was hacked by a researcher in 2017 and 2018 who published data revealing the scale of the victim database. These breaches expose victims to additional privacy harms beyond the original surveillance.

Resources for Victims and Parents

If you’ve found evidence of stalkerware on your device or a family member’s device, the following organizations have specific expertise in technology-facilitated abuse:

National Domestic Violence Hotline: 1-800-799-7233 or thehotline.org. Has trained technology safety specialists and safety planning resources.

Coalition Against Stalkerware: stopstalkerware.org. Provides a list of partner organizations by country, technical resources for detecting and documenting stalkerware, and guidance on next steps.

NNEDV Safety Net Project: techsafety.org. The National Network to End Domestic Violence’s technology safety project has the most comprehensive technical resources for advocates and victims.

FBI IC3: ic3.gov. For filing criminal complaints about stalkerware installation.

Kaspersky’s TinyCheck: An open-source tool developed specifically for detecting stalkerware network traffic on a device by analyzing network communications rather than device contents.

Malwarebytes and ESET: Both members of the Coalition Against Stalkerware, both have free scanning tools that detect known stalkerware variants.

What to Watch For Over 3 Months

  • Run a full device audit every 90 days: check unknown sources, device admin apps, MDM profiles, and data usage by app.
  • If you cleared suspected stalkerware and are in an ongoing situation with a controlling person, watch for re-installation attempts — physical device access is usually required, so note any times your device was out of your possession.
  • Check your Apple ID trusted devices and iCloud sharing settings every time you change your password — abusers may retain access through trusted device status even after a password change.
  • Stay current on OS updates: Apple and Google regularly patch exploits that stalkerware vendors use, and updates are among the most effective defenses.
  • Watch for new stalkerware vendor names: the Coalition Against Stalkerware maintains an updated list of known stalkerware products at stopstalkerware.org/stalkerware-indicators.

Frequently Asked Questions

Is stalkerware the same as parental monitoring software?

The software is often identical. The legal and ethical difference is consent and transparency. A parental monitoring app installed on a child’s phone with the child’s knowledge — where the child knows they are being monitored and why — is lawful parental oversight. The same software installed without the device owner’s knowledge, or on an adult’s device without consent, is stalkerware and may be illegal under state and federal law.

Can antivirus software detect stalkerware?

Yes, but with important caveats. Kaspersky, ESET, Malwarebytes, and NortonLifeLock — all members of the Coalition Against Stalkerware — have updated their detection signatures to flag known stalkerware products. However, detection works only for known variants. New or modified stalkerware products may evade detection until signature databases are updated. Running a reputable antivirus scan is a useful first step, not a complete solution.

How do I know if someone is monitoring my iPhone through iCloud without a device app?

Check appleid.apple.com for unfamiliar devices under “My Devices.” Check if Find My is showing your location to someone you didn’t authorize in Settings > [Your Name] > Find My. Check which apps have access to your iCloud data under Settings > [Your Name] > iCloud and revoke access for anything you don’t recognize.

If I change my password, will stalkerware stop working?

For iCloud-based monitoring on iPhone: changing your Apple ID password and enabling two-factor authentication will immediately cut off iCloud-based stalkerware access. For device-installed stalkerware on Android: the app runs independently of your account passwords and will continue running. A factory reset or manual uninstallation is required to stop it.

Should I confront the person who installed stalkerware on my device?

Safety experts, including the National Domestic Violence Hotline, strongly advise against confronting an abusive person about having found stalkerware without first having a safety plan in place. Confrontation can escalate danger. Contact a domestic violence hotline or advocate first — they can help you develop a safety plan that accounts for the specific risks of your situation before you take any action on the device.


About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.

Sources

  1. Federal Trade Commission. (2021). FTC Bans SpyFone and CEO from Surveillance Industry after Secretive Stalkerware App Enabled Domestic Abusers to Track Potential Victims. https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-industry-after-secretive-stalkerware-app-enabled-domestic-abusers
  2. Coalition Against Stalkerware. (2024). What is stalkerware? Definition, detection, and resources. https://stopstalkerware.org/what-is-stalkerware/
  3. CISA. (2023). Stalkerware: Understanding Technology-Facilitated Abuse. https://www.cisa.gov/resources-tools/resources/stalkerware
  4. National Network to End Domestic Violence, Safety Net Project. (2024). Stalkerware and Spyware: Resources for Advocates and Victims. https://www.techsafety.org/stalkerwareresources
  5. Motherboard/VICE. (2018). I Hacked an App That Lets People Spy on Their Partners. Here’s What I Found. Documenting Retina-X breach. https://www.vice.com/en/article/kb7zpa/i-hacked-an-app-that-lets-people-spy-on-their-partners
  6. Kaspersky. (2024). TinyCheck: Open source stalkerware detection tool. https://github.com/KasperskyLab/TinyCheck
  7. National Domestic Violence Hotline. (2024). Technology Safety: Spyware and Stalkerware. https://www.thehotline.org/resources/technology-safety/