Stalkerware on Mobile Devices: Detection and Removal

Stalkerware represents a category of surveillance software installed on mobile devices — typically without the target's knowledge or consent — that transmits location data, communications, and behavioral information to a third party. The threat is distinct from conventional malware in that it operates covertly over extended periods and is most frequently deployed in domestic contexts rather than by external criminal actors. Detection requires specific technical indicators, and removal carries procedural considerations that differ from standard malware remediation. This page covers the definition and regulatory classification of stalkerware, its technical mechanisms, the scenarios in which it appears, and the decision thresholds that govern detection and removal approaches.


Definition and scope

Stalkerware is classified as a subset of spyware under the broader taxonomy of potentially unwanted applications (PUAs), distinguished by its intentional concealment from the device owner and its deployment for interpersonal surveillance rather than financial fraud. The Federal Trade Commission (FTC) has taken enforcement action under Section 5 of the FTC Act against stalkerware operators, most notably in the 2019 action against Retina-X Studios, which distributed SpyFone, PhoneSheriff, and MobileSpy applications — products the agency found enabled covert tracking of device users.

The Coalition Against Stalkerware, a working group that includes cybersecurity vendors and domestic violence advocacy organizations, defines stalkerware as software that monitors without persistent, transparent, and ongoing consent. This framing differentiates stalkerware from legitimate parental control tools and enterprise Mobile Device Management (MDM) systems, both of which require disclosed enrollment.

NIST addresses spyware and covert monitoring software within NIST SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling, which identifies persistent background processes, unauthorized data exfiltration, and anti-removal mechanisms as defining behavioral characteristics.

From a legal classification standpoint, the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511, prohibits the interception of electronic communications without consent, establishing a federal statutory basis for stalkerware as an illegal instrument in contexts where the device owner has not consented to monitoring.

For a broader orientation to mobile security service categories, see the Mobile Security Providers page.


How it works

Stalkerware reaches a target device through one of three primary installation vectors:

  1. Physical access installation — The most common method, requiring brief, unlocked physical access to the device. The installer downloads and sideloads an application outside the platform's official app store (Google Play or Apple App Store), often enabling "unknown sources" installation on Android temporarily.
  2. Social engineering delivery — The target is directed to install an application misrepresented as a utility, a software update, or a shared tool. The actual payload is a surveillance client.
  3. Pre-installed compromise — Less common in consumer contexts, but documented in cases where a device is purchased or gifted with stalkerware already installed at setup.

Once installed, stalkerware typically performs the following functions through persistent background services:

On iOS, stalkerware faces greater architectural constraints due to sandboxing restrictions. iOS-targeting variants typically exploit iCloud credential access rather than on-device installation, pulling synchronized data from Apple's servers without touching the device directly. Android devices face higher risk from direct installation due to the platform's more permissive sideloading capabilities.

A key operational characteristic differentiating stalkerware from adware or ransomware is its active concealment design: the application icon is hidden, the process name is disguised, and battery or data usage entries are obfuscated. This is in direct contrast to commercial MDM solutions, which are disclosed to the device user as a condition of enrollment under enterprise policy.


Common scenarios

Stalkerware appears in documented patterns across three primary contexts:

Intimate partner surveillance is the most prevalent deployment scenario. The National Domestic Violence Hotline has documented technology-facilitated abuse as a consistent pattern in reported cases, with location tracking and communications monitoring cited as common tools of coercive control. The NCSC (UK National Cyber Security Centre) and the US Cybersecurity and Infrastructure Security Agency (CISA) have both issued guidance recognizing this threat category.

Parental monitoring misuse occurs when applications designed and marketed for child safety — products sold openly through app stores — are deployed on adult family members' devices without disclosure. The legal distinction between lawful parental monitoring of a minor's device and illegal surveillance of an adult is addressed under ECPA and relevant state wiretapping statutes.

Employer-on-employee surveillance outside of disclosed MDM enrollment represents a third scenario. When an organization installs monitoring software on a personally owned device without the employee's documented consent, the action may violate both federal and state electronic surveillance laws. The covers the regulatory boundaries governing enterprise mobile monitoring programs.


Decision boundaries

Determining whether an application constitutes stalkerware — rather than a legitimate monitoring tool — and how to respond involves structured evaluation across four decision points:

  1. Consent and disclosure status — Was the device owner informed of the monitoring, and did they actively consent to it? Absence of documented consent is the primary legal and ethical threshold. Legitimate MDM systems deployed under enterprise policy generate visible enrollment profiles on iOS and Android.

  2. Detection indicators — Technical indicators suggesting stalkerware presence include: unexplained battery drain exceeding 20–30% above baseline, elevated background data consumption, device warm to the touch during screen-off periods, unfamiliar processes in the device's app or battery usage report, and the presence of .apk files in download directories that were not user-initiated.

  3. Removal sequencing — Abrupt removal without safety planning can alert a controlling party and escalate risk in domestic abuse contexts. The Coalition Against Stalkerware's safety considerations documentation recommends consulting with a domestic violence advocate before removing detected stalkerware. From a purely technical standpoint, factory reset of the device followed by restoration from a pre-infection backup is the most reliable remediation.

  4. Platform-specific mitigation — On Android, reviewing and revoking suspicious permissions under Settings > Apps > Permissions, combined with Google Play Protect scan results, provides a first-pass detection layer. On iOS, reviewing installed profiles under Settings > General > VPN & Device Management reveals unauthorized MDM enrollment. Third-party security applications vetted against the Coalition Against Stalkerware's detection criteria provide structured scanning capabilities.
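The detection indicators in point 2 expressed as defender-side triage logic, as an added example that is not part of the page or of any vendor's tooling: it runs over constructed per-app usage records (the record fields, the AppUsage/triage names and the 3x background-data factor are assumptions; the 20% battery threshold is the lower bound of the 20–30% range quoted above) and flags apps and unrecognized .apk downloads that match.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

PLAY_STORE = "com.android.vending"
BATTERY_DELTA = 0.20   # page cites 20-30% above baseline; lower bound used
DATA_FACTOR = 3.0      # assumption: 3x baseline background data counts as elevated

@dataclass
class AppUsage:
    package: str
    battery_pct: float            # share of battery in the current usage report
    baseline_battery_pct: float   # same app's share over a prior (clean) window
    bg_bytes: int                 # background data consumed in the current report
    baseline_bg_bytes: int
    has_launcher_icon: bool
    installer: str                # installing package; "" means sideloaded
    system: bool                  # system apps legitimately lack icon/installer

def triage(apps: List[AppUsage], apks_in_downloads: Set[str],
           user_downloaded: Set[str]) -> Dict[str, List[str]]:
    """Return {package_or_file: [indicator, ...]} for anything matching an indicator."""
    findings: Dict[str, List[str]] = {}
    for a in apps:
        reasons = []
        # Battery: relative increase over baseline; a consumer with no baseline is new
        if a.baseline_battery_pct == 0:
            if a.battery_pct > 0:
                reasons.append("battery use with no prior baseline")
        elif (a.battery_pct - a.baseline_battery_pct) / a.baseline_battery_pct >= BATTERY_DELTA:
            reasons.append("battery drain above baseline")
        if a.bg_bytes > max(a.baseline_bg_bytes, 1) * DATA_FACTOR:
            reasons.append("elevated background data")
        if not a.system:
            if not a.has_launcher_icon:
                reasons.append("no launcher icon")          # concealment (see above)
            if a.installer != PLAY_STORE:
                reasons.append("not installed from Play Store")
        if reasons:
            findings[a.package] = reasons
    # .apk files in the download directory that the user did not initiate
    for apk in sorted(apks_in_downloads - user_downloaded):
        findings["download:" + apk] = ["unrecognized .apk in Downloads"]
    return findings

# Constructed sample records, not real telemetry
SAMPLE_APPS = [
    AppUsage("com.example.messenger", 12.0, 11.0, 40_000_000, 35_000_000, True, PLAY_STORE, False),
    AppUsage("com.android.systemui", 5.0, 5.0, 0, 0, False, "", True),
    AppUsage("com.sync.service", 9.0, 2.0, 300_000_000, 0, False, "", False),
]
SAMPLE_APKS = {"update.apk", "game.apk"}
SAMPLE_USER_DOWNLOADS = {"game.apk"}
```

Run `triage(SAMPLE_APPS, SAMPLE_APKS, SAMPLE_USER_DOWNLOADS)` to see that only the hidden, sideloaded `com.sync.service` and the unrecognized `update.apk` are flagged; a flag is a prompt for the safety-planned review described in point 3, not proof of stalkerware.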

For professionals assessing organizational exposure to stalkerware risks or researching detection service providers in this sector, the Mobile Security Providers provider network maps available professional resources.

