The Hidden Threat of Stalkerware: Understanding and Protecting Against Stealthy Surveillance

Note: This guide is based on security research, forensic analysis techniques, and documentation from anti-stalkerware coalitions. The detection and removal methods described are technically validated but should be applied carefully, especially in situations involving domestic abuse where device tampering may escalate danger.

Unusual battery drain and device overheating are among the most common indicators of stalkerware infection. Unlike sophisticated state-sponsored malware or advanced persistent threats (APTs), commercial stalkerware represents a $30/month consumer product that anyone can purchase with a credit card. These applications are marketed as “parental monitoring software” or “employee tracking tools,” yet research from the Coalition Against Stalkerware indicates their primary use is intimate partner surveillance.

This guide examines the technical characteristics of stalkerware, provides forensic detection techniques, and outlines safe removal procedures for Android devices based on current security research and documented case studies.

Prerequisites

To get the most out of this article, you should have a basic understanding of Android operating systems and mobile security concepts. Access to an Android device is optional but recommended for practical demonstrations.

Commercial Stalkerware: Technical Characteristics and Forensic Indicators

The commercial stalkerware market includes major players like mSpy, FlexiSPY, Hoverwatch, and Cocospy, which offer professional marketing and customer support infrastructure. Unlike sophisticated exploits requiring remote code execution, these applications rely on social engineering—specifically, physical device access for installation.

Forensic analysis of stalkerware infections reveals consistent patterns across different vendors:

The Three Categories of Stalkerware

1. GPS Trackers (least invasive)

  • Continuously poll GPS coordinates and upload to remote servers
  • Battery drain is the primary indicator
  • Examples: Life360 (legitimate, but often misused), mSpy Lite

2. Keyloggers + Message Interceptors (most common)

  • Log every keystroke, screenshot every app, intercept SMS/WhatsApp/Signal
  • Require Android Accessibility Services permissions (huge red flag)
  • Examples: mSpy, FlexiSPY, Cocospy

3. Full Remote Access Tools (most invasive)

  • Live microphone/camera access, remote screen viewing, call recording
  • Require device rooting (for Android) or jailbreaking (for iOS)
  • Examples: FlexiSPY Premium, TheTruthSpy

Obfuscation and Concealment Techniques

Documented stalkerware installations commonly employ disguises such as “System Service” in the app list with generic Android icons. Common obfuscation tactics include:

App name obfuscation:

  • “System Service,” “Update Service,” “WiFi Service”
  • Blank app name (yes, literally an empty string)
  • Legitimate-sounding names like “Device Care” or “Security Update”

Icon hiding:

  • Some stalkerware removes its launcher icon entirely—you won’t see it in your app drawer
  • To access it, the attacker dials a secret code like *12345 in the phone dialer

Permission abuse:

  • Stalkerware always needs Accessibility Services (to log keystrokes and read screen content)
  • Background location access (24/7 GPS tracking)
  • Notification access (to read message content from other apps)

Security and Safety Risks

Stalkerware poses risks that extend beyond privacy violation:

Physical safety threats: Real-time location tracking enables stalking and ambush scenarios. Research from domestic violence prevention organizations links stalkerware to escalation of intimate partner violence, including homicide risk.

Financial exploitation: Keylogger functionality captures banking credentials, credit card information, and cryptocurrency wallet keys, enabling direct financial theft.

Data broker concerns: Some stalkerware vendors reportedly sell aggregated user data to third-party data brokers, potentially exposing private communications beyond the immediate attacker.

Stalkerware Detection: Forensic Methodology

The following systematic detection process takes approximately 5-10 minutes and identifies the majority of commercial stalkerware based on documented forensic techniques.

Step 1: Check Accessibility Services (The #1 Red Flag)

Stalkerware must enable Android Accessibility Services to log keystrokes and read app content. This is the smoking gun.

On the phone:

  1. Settings → Accessibility → Installed Services
  2. Look for anything you don’t recognize or that sounds generic (“System Service,” “Update Service”)
  3. If you see an unknown service with access, that’s your stalkerware

Using ADB (Android Debug Bridge) for deeper analysis:

# Connect the phone via USB with Developer Mode and USB Debugging enabled,
# then open a shell on the device
adb shell

# List installed and enabled accessibility services
# (the exact dumpsys layout varies between Android versions, so match loosely)
dumpsys accessibility | grep -iA 5 "services"

# Example output showing mSpy (actual package name: com.mspy.android):
# Service[com.mspy.android/.AccessibilityService]
#   Capabilities: 0x000003FF (can read screen, inject input)
#   Target API: 30

If you see an unknown package with accessibility access, look up the package name online. An unrecognized app holding this permission is almost certainly stalkerware.

Step 2: Analyze Battery Usage for Background GPS Polling

Settings → Battery → Battery Usage shows which apps are draining power. Stalkerware with GPS tracking will show:

  • High background activity (60%+ background vs foreground usage)
  • Constant location access (24/7, even when phone is idle)

ADB command to see detailed battery stats:

adb shell dumpsys batterystats | grep -A 20 "Uid u0a"

# Look for apps with high "Total run time" but low "Screen-on time"
# Example of suspicious activity:
# Uid u0a234: com.unknown.service
#   Total run time: 23h 45m
#   Screen-on time: 0h 2m
#   Location requests: 1,440 (once per minute!)

Step 3: Network Traffic Analysis

Stalkerware requires regular data exfiltration to remote command-and-control servers. Network traffic analysis can identify this behavior.

PCAPdroid (open-source Android packet sniffer available on F-Droid) provides non-root network monitoring capabilities. Documented mSpy infections show characteristic HTTPS connections to api.mspy.com at regular intervals (typically 1-5 minutes), transmitting JSON payloads containing GPS coordinates, intercepted messages, and call metadata.

Analysis procedure:

  1. Install PCAPdroid from F-Droid (free, no root required)
  2. Start packet capture
  3. Use your phone normally for 10 minutes
  4. Stop capture and filter by “Unknown Apps” or specific suspicious package names
  5. Look for connections to unfamiliar domains, especially:
    • mspy.com, flexispy.com, hoverwatch.com, cocospy.com
    • Generic cloud services (stalkerware often uses S3 buckets)

Network traffic red flags:

  • Constant HTTPS POST requests (uploading collected data)
  • Large upload sizes (screenshots, audio recordings are big files)
  • Connections to IP addresses instead of domain names (obfuscation)
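To turn these red flags into a repeatable check, here is an added example (not from the original guide and not part of PCAPdroid) that scores a connection log offline. It assumes you have exported the capture into one-line records of timestamp, package, HTTP method and destination host; the sample records, the org.example.chat app and the 203.0.113.7 address are constructed.

```python
import ipaddress
import statistics
from datetime import datetime

# Back-end domains the guide names; extend with any you identify in your own capture.
STALKERWARE_DOMAINS = {"mspy.com", "flexispy.com", "hoverwatch.com", "cocospy.com"}

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def parse_connections(lines):
    """Parse constructed 'ISO-timestamp package method host' records."""
    rows = [line.split() for line in lines]
    return [(datetime.fromisoformat(ts), app, method, host.lower()) for ts, app, method, host in rows]

def find_beacons(records, max_cv=0.2, min_hits=5):
    """Return (app, host, reasons) for destinations matching the red flags above."""
    by_dest = {}
    for ts, app, method, host in records:
        by_dest.setdefault((app, host), []).append((ts, method))
    findings = []
    for (app, host), hits in by_dest.items():
        reasons = []
        if any(host == d or host.endswith("." + d) for d in STALKERWARE_DOMAINS):
            reasons.append("known stalkerware domain")
        if is_ip_literal(host):
            reasons.append("IP literal destination")
        hits.sort()
        if len(hits) >= min_hits and all(m == "POST" for _, m in hits):
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            # Near-constant interval (low coefficient of variation) is the beaconing signature.
            if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
                reasons.append(f"periodic POST every ~{statistics.mean(gaps):.0f}s")
        if reasons:
            findings.append((app, host, reasons))
    return sorted(findings)

# Constructed sample capture (203.0.113.0/24 is reserved for documentation).
SAMPLE_LOG = """\
2024-05-01T10:00:00 com.unknown.service POST api.mspy.com
2024-05-01T10:00:30 org.example.chat GET chat.example.org
2024-05-01T10:01:00 com.android.systemupdate POST 203.0.113.7
2024-05-01T10:02:00 com.unknown.service POST api.mspy.com
2024-05-01T10:04:01 com.unknown.service POST api.mspy.com
2024-05-01T10:06:00 com.unknown.service POST api.mspy.com
2024-05-01T10:08:00 com.unknown.service POST api.mspy.com
""".splitlines()
```

Running `find_beacons(parse_connections(SAMPLE_LOG))` flags the IP-literal destination and the two-minute POST cadence to api.mspy.com, while the ordinary chat traffic is left alone.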

Step 4: The Nuclear Option - ADB Package List Inspection

This finds stalkerware with hidden icons (no app drawer entry):

# List ALL installed third-party packages, including ones with hidden launcher icons
adb shell pm list packages -3

# The "-3" flag shows only third-party apps (not system apps). On a rooted device
# stalkerware may be installed to the system partition; drop the flag to list everything.
# Look for suspicious package names like:
# package:com.mspy.android
# package:com.flexispy.android
# package:com.android.systemupdate (fake system app)

# Get detailed info on a suspicious package:
adb shell dumpsys package com.mspy.android | grep -A 5 "permission"

# This shows the permissions the app requested and was granted
# Stalkerware will have: LOCATION, RECORD_AUDIO, READ_SMS, CAMERA

In documented cases, pm list packages has revealed stalkerware packages (e.g., com.mspy.android, com.flexispy.android) that don’t appear in the standard app drawer due to launcher icon removal.
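The accessibility audit in Step 1 and the package listing in Step 4 can be triaged together offline. The following added example (my own, not part of the guide) reads the value of `adb shell settings get secure enabled_accessibility_services`, which lists enabled accessibility services as colon-separated package/class names, together with saved `pm list packages -3` output; the allowlist, the generic-name hints and the sample outputs are constructed assumptions.

```python
# Assumed allowlist of accessibility-service packages; extend it with services you recognise.
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}  # TalkBack / Android Accessibility Suite
SYSTEM_LOOKALIKE_PREFIXES = ("com.android.", "android.")
GENERIC_NAME_HINTS = ("system", "service", "update", "security")

def parse_enabled_a11y(setting_value):
    """Split `settings get secure enabled_accessibility_services` into (package, class) pairs."""
    value = setting_value.strip()
    if not value or value == "null":  # "null" is what settings prints when the key is unset
        return []
    pairs = []
    for comp in value.split(":"):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):  # short form pkg/.Cls
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def parse_pm_list(output):
    """Extract package names from `pm list packages -3` output."""
    return sorted(line.split(":", 1)[1].strip()
                  for line in output.splitlines() if line.startswith("package:"))

def triage(a11y_setting, pm_output):
    """Return (package, reason) pairs that deserve a closer look."""
    findings = []
    for pkg, cls in parse_enabled_a11y(a11y_setting):
        if pkg not in KNOWN_GOOD_A11Y:
            findings.append((pkg, f"accessibility service enabled: {cls}"))
    for pkg in parse_pm_list(pm_output):
        if pkg.startswith(SYSTEM_LOOKALIKE_PREFIXES):
            findings.append((pkg, "third-party app using a system package prefix"))
        elif any(h in pkg.lower() for h in GENERIC_NAME_HINTS):
            findings.append((pkg, "generic system-sounding package name"))
    return sorted(set(findings))

# Constructed sample output, not captured from a real device.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.unknown.service/.AccessibilityService")
SAMPLE_PM = "package:org.example.notes\npackage:com.unknown.service\npackage:com.android.systemupdate\n"

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_A11Y, SAMPLE_PM):
        print(f"{pkg:28} {reason}")
```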

Stalkerware Removal: Safety-First Approach

CRITICAL WARNING: In situations involving domestic abuse, removing stalkerware may alert the attacker and potentially escalate danger. The National Domestic Violence Hotline (1-800-799-7233) provides 24/7 confidential guidance for safe device security in abusive situations.

The following removal procedures are based on documented forensic practices:

Step 1: Evidence Collection (Before Removal)

Before removing stalkerware, forensic evidence should be preserved for potential legal proceedings (restraining orders, criminal charges):

# Take screenshot of Accessibility Services showing the stalkerware
# Screenshot battery usage showing excessive background activity
# Export ADB package list showing the stalkerware package name

adb shell pm list packages -3 > installed_packages.txt

# Get network logs showing connections to mspy.com
# (Use PCAPdroid export feature)

Step 2: Safe Mode Boot (Disables Stalkerware)

Stalkerware can’t run in Safe Mode (third-party apps are disabled). This gives you a window to uninstall it without the attacker being notified.

Enter Safe Mode:

  1. Hold the power button
  2. Long-press “Power off” option
  3. Tap “OK” when prompted to reboot in Safe Mode

Step 3: Uninstall Via ADB (Most Reliable Method)

Some stalkerware prevents uninstallation through the normal app settings. ADB bypasses this:

# Uninstall the stalkerware package
adb shell pm uninstall --user 0 com.mspy.android

# Verify it's gone
adb shell pm list packages -3 | grep mspy

# Expected output: (nothing - package removed)

If the app has Device Administrator privileges (common for stalkerware), you’ll need to revoke them first:

On the phone (while in Safe Mode):

  1. Settings → Security → Device Administrators
  2. Find the suspicious app and tap “Deactivate”
  3. Then uninstall via ADB

Step 4: Factory Reset (Nuclear Option)

If the stalkerware is persistent (rooted device, system-level installation), the only guaranteed fix is a factory reset:

  1. Backup important data (photos, contacts) to Google account or external storage
  2. Settings → System → Reset → Factory Data Reset
  3. After reset, change ALL passwords for Google, email, banking, social media
  4. Enable 2-factor authentication on everything

Important: If the device was rooted or jailbroken, the stalkerware could have modified system partitions. In that case, you may need to reflash the stock ROM (advanced) or replace the phone entirely.

Step 5: Post-Removal Security Hardening

After stalkerware removal, devices should be hardened against re-infection:

Strong device authentication:

  • Set strong PIN/password (avoid patterns—easily observed)
  • Never leave device unattended while unlocked
  • Enable biometric locks where available

Ongoing security monitoring:

  • Enable “Verify apps” (Settings → Google → Security → Play Protect)
  • Monthly Accessibility Services audits (stalkerware requires this permission)
  • Monitor battery/data usage for abnormal patterns

Prevention Strategies

Preventing stalkerware infection is more effective than post-infection remediation.

Physical Device Security

Stalkerware installation requires physical device access for 5-10 minutes. Unlike remotely-deployed malware, the attacker must directly handle the target device.

Prevention measures:

  • Never share device authentication credentials (PIN/password/pattern)
  • Enable biometric authentication to prevent credential observation
  • Avoid leaving devices unattended while unlocked
  • Perform security audits after device has been out of direct control

Regular security checks help detect stalkerware before significant data exfiltration occurs:

#!/bin/bash
# Quick monthly stalkerware check script (run from a computer with adb connected)

echo "=== Monthly Stalkerware Audit ==="

# Check for apps with Accessibility Services access.
# Do not filter out com.android.* here: fake "system" apps use that prefix.
printf '\n[1] Apps with Accessibility Access:\n'
adb shell dumpsys accessibility | grep "Service\[" | grep -v "com.google"

# Check for unusual battery drain
printf '\n[2] Top 5 Battery-Draining Apps:\n'
adb shell dumpsys batterystats --charged | grep "Uid u0a" | head -5

# Check for hidden packages (no launcher icon) by counting third-party packages
printf '\n[3] Installed Third-Party Packages:\n'
adb shell pm list packages -3 | wc -l
echo "^ Number of third-party apps (review if this jumps unexpectedly)"

# Check Device Administrators (device and profile owners)
printf '\n[4] Device Administrators:\n'
adb shell dpm list-owners

If any output looks suspicious, dig deeper.

Here’s what makes stalkerware insidious: it’s mostly legal. Companies like mSpy and FlexiSPY operate openly, with customer service and money-back guarantees. They market as “parental monitoring” or “employee tracking,” but their primary use is intimate partner surveillance.

Law enforcement often can’t help because:

  • Stalkerware companies are based in jurisdictions with weak privacy laws (Cyprus, British Virgin Islands)
  • Installation technically requires physical device access (implied consent)
  • Proving who installed it is difficult without forensic evidence

Conclusion and Key Takeaways

Stalkerware detection and removal requires methodical forensic analysis combined with safety-first procedures, especially in domestic abuse situations.

Critical forensic evidence for legal proceedings includes:

  • Screenshots of Accessibility Service permissions showing stalkerware
  • ADB package listings proving hidden app installation
  • Network traffic logs showing connections to known stalkerware servers (e.g., mspy.com, flexispy.com)
  • Battery usage statistics demonstrating abnormal background activity

This evidence has proven sufficient for restraining orders and criminal charges in documented legal cases.

Most important detection technique:

Immediate Accessibility Services audit (Settings → Accessibility → Installed Services). This single check identifies approximately 90% of commercial stalkerware, as these applications require Accessibility Services permission for keylogging and screen content capture.

Resources That Actually Help:

  • National Domestic Violence Hotline: 1-800-799-7233 (24/7, free, confidential)
  • Coalition Against Stalkerware: www.stopstalkerware.org (technical resources and detection tools)
  • PCAPdroid (F-Droid): Open-source network traffic analyzer to detect stalkerware beaconing
  • TinyCheck (GitHub): Self-hosted stalkerware detection system using network analysis

Important perspective: Relationships requiring physical device surveillance to establish trust indicate fundamental relationship issues beyond technological solutions. Professional relationship counseling or domestic violence support services may be more appropriate than stalkerware deployment.