Stalkerware (commercial spyware): an app installed on your phone—often by someone close—to monitor messages, location, gallery, calls, or keystrokes, usually hidden. It is not financial malware or Pegasus-style zero-click spyware (high-profile targets).
Commercial stalkerware usually needs brief physical access to an unlocked phone (especially Android via APK). On iPhone the common paths are a stolen Apple ID, an MDM profile, or a jailbreak. Below: signs, detection, USSD codes, known vendor breaches, 2026 law/tech notes, and safe removal. For abuse-specific planning, use the hotline and stopstalkerware.org alongside technical steps.
Abuse or fear of retaliation: do not remove stalkerware immediately; many products alert the buyer. Call 1-800-799-7233 (US, 24/7) or use stopstalkerware.org to plan. The Coalition Against Stalkerware links this abuse to coercive control.
📑 Table of Contents
- What is stalkerware?
- What can a spy app do?
- How is stalkerware installed?
- Common signs
- Detect stalkerware on Android
- Detect stalkerware on iPhone
- AirTags and Bluetooth trackers
- USSD codes (call forwarding)
- Vendor data breaches
- 2026: EU AI Act, iOS, Android 15
- Your situation → action
- Remove stalkerware
- Law and hotlines
- Prevention
- Interactive checker
- Quiz: five scenarios
- Frequently Asked Questions (FAQ)
🔍 What is stalkerware?
Marketed as “parental” or “employee” software but often used to monitor someone without real consent. After install it typically hides from the app drawer and phones home to the buyer’s dashboard.
👁️ What can a spy app do?
Typical features (varies by product):
| Feature | What the spy can access | Without your knowledge |
|---|---|---|
| Messages | WhatsApp, Telegram, DMs, SMS, email | ✅ Yes |
| Calls | History; sometimes recording | ✅ Yes |
| GPS | Location and history | ✅ Yes |
| Photos/video | Gallery and attachments | ✅ Yes |
| Camera/mic | Remote capture or audio | ✅ Yes |
| Keyboard | Keylogger (typed text) | ✅ Yes |
| Social | Instagram, Facebook, TikTok, Snapchat | ✅ Yes |
| Browsing | History and searches | ✅ Yes |
| Contacts | Full address book | ✅ Yes |
📱 How is stalkerware installed?
Android
APK sideload: 5–10 minutes unlocked, “install unknown apps” enabled, Play Protect sometimes disabled, icon hidden, browser history cleared.
iPhone
- Jailbreak — search for Cydia/Sileo if you didn’t jailbreak.
- Stolen Apple ID — photos, Find My location, backups per settings.
- MDM — Settings → General → VPN & Device Management (unexpected on a personal phone).
🔍 Common signs (device and social)
- Higher battery/data use, heat while idle, slowdown, screen waking alone.
- Camera/mic indicator on without use; odd call audio (forwarding/recording).
- Someone quotes private chats or locations you didn’t post; pressure for PIN or “phone repair”; pre-set gift phone.
Abuse context: call 1-800-799-7233 before changing the device.
🤖 How to detect stalkerware on Android
Practical order:
- Install unknown apps: Settings → Apps → Special app access → Install unknown apps. Revoke anything you don’t recognize.
- Play Protect: Play Store → profile → Play Protect. If it was off without your choice, turn it on and scan. (Independent tests often miss part of commercial stalkerware; don’t rely on this alone.)
- Accessibility: Settings → Accessibility → Downloaded apps / installed services. Unknown “System…” / “Sync…” services → disable and uninstall the app.
- Notifications: Settings → Apps → Special app access → Notification access. Remove access from unknown apps.
- Device admin: Settings → Security → Device admin apps. Turn off suspicious entries before uninstalling.
- App list: Settings → Apps → See all (include system if needed). Search generic names online.
- Antimalware from Play Store: e.g. Malwarebytes or Kaspersky for commercial stalkerware signatures.
🍎 How to detect stalkerware on iPhone
- Spotlight: Cydia, Sileo, Zebra, Installer — if they appear and you didn’t jailbreak, treat as serious compromise.
- MDM: Settings → General → VPN & Device Management. Screenshot before removal if you may report it.
- Safety Check (iOS 16+): Settings → Privacy & Security → Safety Check — sharing, Apple ID devices, permissions; Emergency Reset and quick exit.
- Apple ID: Settings → your name → devices; remove others; change password and enable 2FA from a trusted device.
⚡ New passwords
If there was surveillance, rotate credentials from a clean device.
🛡️ Generate Secure Passwords Free📡 AirTags and Bluetooth trackers
Not phone stalkerware, but physical tracking. iPhone: AirTag alerts and Find My → Items. Android: Apple’s Tracker Detect or Google unknown-tracker alerts. Check car, bags, and clothing if you suspect it.
📞 USSD codes (call forwarding)
Network-level (GSMA); OS malware can’t block them. They reveal call/SMS forwarding, a vector separate from app-based spyware:
| Code | What it checks | Suspicious result |
|---|---|---|
| *#21# | Status of all call, data, and SMS forwarding on your line | Any “active — forwarded to: [unknown number]” |
| *#62# | Forward target when phone is off or unreachable | Unrecognized destination number |
| *#67# | Forward target when line is busy | Unknown number intercepting unanswered calls |
| ##002# | Disables all forwarding on many networks (emergency reset) | Use if the checks above show unauthorized forwarding |
If *#21# fails on iPhone, ask your carrier to report forwarding status. ##002# clears forwarding on many carriers.
🔓 Vendor data breaches
Double exposure: the person who installed the app, then a leak at the vendor. Public cases: TheTruthSpy (~400k devices in an exposed dataset); Cocospy/Spyic (2025, millions of account-linked records per technical disclosure); mSpy (support-ticket leak). Check email at HaveIBeenPwned.com.
“Family” apps under coercion (Life360, shared location, etc.): legal on paper; if you didn’t freely consent, it’s control — talk to 1-800-799-7233 or a specialist.
⚡ 2026: EU AI Act, iOS, Android 15
EU — AI Act: prohibited practices (e.g. certain remote real-time biometrics; subliminal manipulation) and high fines for providers; AI-enabled stalkerware sits in that regulatory debate.
iOS 17.3+ Stolen Device Protection: away from trusted places, critical Apple ID changes need biometrics, not PIN alone. Android 15 Private Space: separate encrypted compartment from the main profile.
🗺️ Your situation → action
| Your situation | Recommended action | Risk if you rush | Risk if you don’t act |
|---|---|---|---|
| Suspicion, no violence risk | Full audit → Malwarebytes → factory reset if confirmed | Low: abuser learns you found it | Privacy loss continues |
| Active abuse | Call 1-800-799-7233 first — safety plan before touching the phone | High: stalkerware “offline” alerts may trigger violence | Monitoring undermines escape planning |
| Evidence for court | Deliver phone unchanged to police or a forensics lab — do not delete | Evidence destroyed | Weaker case |
| Forced family-tracking app | Speak with a DV advocate before acting | Escalation | Coercive control continues |
| Employer MDM on personal phone | Check HR policy or counsel — may be contractual | Job risk if you breach contract | Employer may access personal data |
| Unsure if infected | USSD check (~60 s) + Malwarebytes — low risk | None | Unknown exposure |
🗑️ Remove stalkerware
Evidence: deleting destroys proof. For a report, hand over the phone unmodified or get a forensic clone.
Factory reset removes stalkerware in almost all mobile cases. Copy only photos/videos/contacts manually; do not restore a full system backup (it may reinstall malware). Set up as new. Then: rotate passwords (email, Apple/Google, banking), 2FA, new PIN, revoke sessions on accounts.
⚖️ Law and hotlines
Without consent, installing spyware on your phone typically violates the federal Wiretap Act, CFAA-style unauthorized access, and state stalking / two-party-recording rules; the FTC has sanctioned stalkerware vendors. This is general US information, not legal advice.
Free resources
| Service | Contact | Role |
|---|---|---|
| National DV Hotline | 1-800-799-7233 or text START to 88788 | 24/7 US support |
| Coalition Against Stalkerware | stopstalkerware.org | Stalkerware-specific guidance |
| NNEDV | nnedv.org | Tech abuse and safety planning |
| CETA – Cornell | ceta.tech.cornell.edu | Technical removal guides |
| FBI IC3 | ic3.gov | Report cybercrime (US) |
🛡️ Prevention
Keep your PIN private; short auto-lock; biometrics; don’t accept “pre-configured” phones without wiping; monthly app/permission review; Apple/Google on an email the abuser doesn’t control.
🔎 Interactive checker
Tick what applies; the result suggests next steps (not a substitute for forensics or the hotline).
🕵️ Spy App Detector — 14 Warning Signs
Tick the signs you notice on your device or in your situation. The more you check, the higher the risk.
🧠 Quiz: stalkerware or not?
Five situations. Choose whether it matches a typical risk pattern or, in an ordinary context, isn’t enough on its own to call it stalkerware. You’ll get a score and a short explanation at the end.
Five scenarios
“Risk / stalkerware pattern” vs “doesn’t fit here.”
Scenario 1 of 5
correct out of 5
❓ Frequently Asked Questions (FAQ)
Click a question to expand the answer.
Can someone spy on my phone without touching it?
Usually commercial stalkerware needs physical access. Exceptions: stolen iCloud/Google credentials; state-grade spyware like Pegasus (high-risk profiles, not the typical case).
Does a factory reset remove stalkerware?
Yes for nearly all phones. Then change Apple ID / Google from a clean device if the abuser may have had access.
What is Apple Safety Check?
iOS 16+: Settings → Privacy & Security → Safety Check. Review sharing, Apple ID devices, and permissions; includes Emergency Reset and quick exit.
Detect without antivirus?
Yes: accessibility, device admin, notification access, full app list. A Play Store scanner (e.g. Malwarebytes) still helps catch samples manual review misses.
If I remove stalkerware, will the installer know?
Many apps notify the buyer’s dashboard. In abuse situations: 1-800-799-7233 or stopstalkerware.org before acting.
Is stalkerware illegal in the US?
Installing it without consent typically violates the Wiretap Act, CFAA-style rules, and state law; the FTC has acted against vendors. Not legal advice.
What are USSD codes?
Network diagnostics; *#21# shows forwarding; ##002# clears it on many carriers. They don’t replace an app audit.
Vendor breaches and my data?
Public leaks hit vendors (e.g. Cocospy/Spyic, mSpy, TheTruthSpy). Check HaveIBeenPwned.com and rotate credentials if your email appears.