Stalkerware on Mobile Devices: Detection and Removal

Stalkerware represents a category of surveillance software specifically designed to operate covertly on a target's mobile device, transmitting location data, communications, and device activity to a third party without the device owner's knowledge or consent. This page covers the definitional boundaries of stalkerware, its technical mechanisms, the scenarios in which it most frequently appears, and the criteria used to distinguish stalkerware from lawful monitoring tools. The subject intersects civil law, criminal statute, and mobile security practice across all major U.S. jurisdictions.

Definition and scope

Stalkerware — also categorized under the broader classification of "spouseware" or intimate partner surveillance software — is a subset of mobile malware that differs from traditional spyware primarily by its deployment context and intent. Where commercial spyware may target enterprise credentials or financial data, stalkerware is predominantly deployed by individuals against known victims: intimate partners, family members, or coworkers.

The Federal Trade Commission (FTC) addressed the stalkerware category directly in its 2021 enforcement action against Support King, LLC, which operated the SpyFone platform. The FTC found that the software secretly harvested location data, photos, and text messages and transmitted them to purchasers, resulting in a ban on the company from the surveillance business (FTC Press Release, September 2021). This enforcement action established that covert consumer surveillance software constitutes an unfair business practice under Section 5 of the FTC Act.

At the federal criminal level, the deployment of stalkerware without consent can implicate the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511, which prohibits the intentional interception of electronic communications. State-level statutes vary: as of 2023, at least 11 states have enacted laws that explicitly criminalize the installation of tracking software on another person's device without consent, according to the Cyber Civil Rights Initiative.

The Coalition Against Stalkerware, a multi-organization working group that includes the European Network for the Work with Perpetrators of Domestic Violence and cybersecurity vendors operating under defined research criteria, publishes a technical definition that distinguishes stalkerware from parental controls and enterprise mobile device management security tools on the basis of concealment, consent, and the identity of the monitoring party.

How it works

Stalkerware functions by exploiting device-level permissions and, in advanced cases, operating system vulnerabilities. Installation typically requires one of 3 access vectors:

  1. Physical device access — The installer has brief physical possession of the unlocked device, sufficient to sideload an application from outside official app stores or enable an accessibility permission that grants the app broad system access.
  2. Phishing-based installation — The target is manipulated into clicking a link that triggers an automated installation, often via SMS (smishing). This vector is detailed further in the coverage of mobile phishing and smishing.
  3. Exploitation of jailbroken or rooted devices — On devices where OS-level protections have been bypassed, stalkerware can achieve deeper system integration with fewer permission prompts. The security implications of these configurations are addressed in jailbreaking and rooting security risks.

Once installed, stalkerware typically operates under disguised process names — appearing in the application list as a utility, system service, or battery tool. Core data collection capabilities vary by product but commonly include:

On iOS, stalkerware historically relied on iCloud credential access to pull backed-up data remotely, bypassing direct device installation. This method does not require physical device access but depends on the perpetrator possessing the victim's Apple ID credentials. iOS security vulnerabilities and Android security vulnerabilities each present distinct attack surfaces that stalkerware developers exploit differently.

Common scenarios

Stalkerware deployment concentrates in 3 primary relationship contexts, each with distinct legal and technical characteristics:

Intimate partner surveillance is the most documented scenario. The National Domestic Violence Hotline reported that technology-facilitated abuse — including GPS tracking and device monitoring — is present in a substantial proportion of domestic violence cases handled by its network. In this scenario, the perpetrator typically has historical physical access to the device and may know the device unlock code.

Parental monitoring crossing into covert surveillance occurs when monitoring tools designed for child safety are deployed against adult children or in contexts where the monitored individual has not consented and is unaware. The legal threshold shifts when the monitored person is a legal adult; consent requirements apply regardless of familial relationship.

Employer-deployed monitoring without disclosure represents the enterprise variant. When monitoring software is installed on employee-owned devices under BYOD security policy frameworks without adequate written disclosure, it may constitute unauthorized surveillance under state wiretapping statutes even if permitted under general employment agreements.

Decision boundaries

Distinguishing stalkerware from lawful monitoring tools requires evaluating 4 criteria:

  1. Consent and disclosure — Lawful monitoring tools (parental controls, enterprise MDM) require documented consent or are deployed under notice. Stalkerware operates without the device owner's knowledge. The presence of an icon, notification, or setup disclosure is the primary technical differentiator.
  2. Identity of the monitoring party — Enterprise and parental tools transmit data to an organizational dashboard or parent account. Stalkerware transmits to an individual purchaser operating outside any institutional framework.
  3. Installation vector — Legitimate monitoring applications are available through official app store channels (Google Play, Apple App Store) with published privacy policies. Stalkerware is predominantly distributed through third-party sources, as covered in third-party app store dangers, or requires device modification to install.
  4. Detectability by design — Products purpose-built to conceal their presence from the device owner — hiding their icon, masking their process name, or disabling uninstall options — meet the Coalition Against Stalkerware's technical definition regardless of how the product is marketed.

Detection on Android devices involves reviewing installed applications with elevated permissions (particularly Accessibility Services, Device Administrator, and overlay permissions), auditing battery and data usage for unrecognized background processes, and scanning with anti-stalkerware tools. NIST SP 800-124 Rev. 2 provides a framework for enterprise endpoint auditing that, when applied to personal devices, surfaces anomalous permission configurations (NIST SP 800-124 Rev. 2).
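A defender-side triage script, added here as an illustration and not part of the original page: it parses constructed samples of the adb output an analyst would collect (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags third-party packages that hold the permissions named above. The exact `dumpsys device_policy` layout and the trusted-installer set are assumptions; the package names are constructed.

```python
"""Triage third-party Android packages for stalkerware indicators using adb output."""
import re

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps + installer)
PM_LIST = """package:com.android.chrome  installer=com.android.vending
package:com.example.batterysaver  installer=null
package:com.example.notes  installer=com.android.vending
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
A11Y = "com.example.batterysaver/.MonitorService:com.google.android.marvin.talkback/.TalkBackService"
# Constructed sample of `adb shell dumpsys device_policy` (exact layout assumed)
DEVICE_POLICY = """Enabled Device Admins (User 0):
    com.example.batterysaver/.AdminReceiver:
      uid=10234
"""
# Constructed samples of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, one per package
APPOPS = {
    "com.android.chrome": "No operations.",
    "com.example.batterysaver": "SYSTEM_ALERT_WINDOW: allow",
    "com.example.notes": "SYSTEM_ALERT_WINDOW: default",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; extend with stores you trust (assumption)
COMPONENT = re.compile(r"([A-Za-z][\w.]*)/[\w.$]+")  # package half of a pkg/Class component

def parse_packages(pm_output):
    """Map package name -> installer package from `pm list packages -i` output."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs

def packages_in(text):
    """Set of package names that appear as pkg/Component anywhere in dump text."""
    return {m.group(1) for m in COMPONENT.finditer(text)}

def triage(pm_output, a11y, device_policy, appops):
    """Return {package: [indicators]} for each third-party package with at least one indicator."""
    a11y_pkgs, admin_pkgs, findings = packages_in(a11y), packages_in(device_policy), {}
    for pkg, installer in parse_packages(pm_output).items():
        hits = []
        if installer not in TRUSTED_INSTALLERS:
            hits.append("sideloaded")       # installed outside a trusted store
        if pkg in a11y_pkgs:
            hits.append("accessibility")    # can read screen content and observe input
        if pkg in admin_pkgs:
            hits.append("device_admin")     # plain uninstall blocked until admin is disabled
        if "allow" in appops.get(pkg, ""):
            hits.append("overlay")          # SYSTEM_ALERT_WINDOW: may draw over other apps
        if hits:
            findings[pkg] = hits
    return findings

if __name__ == "__main__":
    for pkg, hits in sorted(triage(PM_LIST, A11Y, DEVICE_POLICY, APPOPS).items(), key=lambda kv: -len(kv[1])):
        print(f"{pkg}: {', '.join(hits)}")
```

A package that stacks several indicators (sideloaded, accessibility, device admin, overlay) is the one to review first; a Play-installed app with none of them is low priority.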

Removal carries a documented risk: perpetrators who lose surveillance capability may escalate physical behavior. The National Domestic Violence Hotline and the Coalition Against Stalkerware both publish safety-planning protocols that recommend consulting with an advocate before removing stalkerware, particularly in active intimate partner violence situations. For professionals operating in mobile security incident response contexts, victim safety planning is a documented step in the remediation workflow when stalkerware is confirmed.

Factory reset is the definitive removal method for both Android and iOS platforms. Selective uninstallation carries residual risk if root-level components or accessibility permissions persist. Device replacement combined with new account credentials is recommended when the perpetrator is known to have access to account recovery information.
