Stalkerware (spyware designed to monitor someone without consent) is increasingly common in domestic abuse situations. Unlike ransomware that announces itself, stalkerware hides completely—draining battery, consuming data, and exfiltrating location, messages, and call logs without any obvious indication.

This guide shows you how to detect stalkerware on Android using technical methods and recommended tools, then safely remove it.

Why Stalkerware is Hard to Detect

Stalkerware operates with these design principles:

1. Runs in background, minimal CPU use — Visible in task manager as nothing unusual
2. Minimal battery drain per action — Spreads drain across multiple processes (looks like normal apps)
3. Data exfiltration over WiFi primarily — Harder to spot on mobile data analysis
4. Uses Android’s accessibility services — Legitimate-looking permissions
5. Disguises as system updates or utility apps — Names like “System Update Manager” or “Google Services”

Professional stalkerware (Pegasus, Spymax, mSpy) is indistinguishable from legitimate apps at first glance. Detection requires technical analysis, not just observation.

Initial Suspicious Signs

If you notice these patterns, investigate further:

1. Battery drain accelerates — Phone loses 30%+ battery daily with normal use
   • Check: Settings → Battery → Battery Usage (see which apps consumed power)
   • Stalkerware shows 2-5% each for 10+ background apps
2. Data usage spikes without explanation — Extra 500MB+ monthly with unchanged usage
   • Check: Settings → Network → Mobile Data Usage
   • Sort by data consumption; unfamiliar apps appear
3. Phone becomes sluggish — Noticeable lag in scrolling, typing, app launches
   • Stalkerware constantly monitors in background, consuming CPU cycles
4. Unexpected phone restarts — App crashes or reboots when accessing certain apps (Messages, Photos)
   • Stalkerware crashes during capture operations
5. Elevated temperature — Phone feels warm constantly
   • Background encryption and data transfer generate heat
6. Missed messages or calls — Texts/calls sometimes don’t arrive, or arrive hours later
   • Stalkerware intercepts and copies messages before forwarding
7. Strange notifications about “unknown” apps — Notifications from apps you don’t recognize
   • Stalkerware disguises as system processes

None of these alone proves stalkerware. Combined, they warrant investigation.

Method 1: Battery and Data Analysis (Non-Technical)

Detailed Battery Analysis

1. Access Battery Settings
   • Android 12+: Settings → Battery → Battery Usage → View Detailed Usage
   • Older: Settings → Battery → Battery Usage
2. Identify unusual apps
   • Look for apps consuming 5-10% battery with minimal usage
   • Check: Do you recognize every app?
   • Stalkerware often named:
     • “System Update Manager”
     • “Google Services Framework” (different from real one)
     • “Device Care”
     • “Security Center”
     • Random numbers or technical names (com.android.system.processor)
3. Examine app details
   • Tap suspect app → check:
     • Installation date (installed before you remember?)
     • Data usage (consuming data without obvious reason?)
     • Permissions (why does “System Update” need Contacts?)
     • Last run time (active even though you didn’t open it?)

Detailed Data Usage Analysis

1. Settings → Network → Mobile Data Usage

2. Sort by data consumption
   • Check for 20MB+ apps you rarely use
   • Stalkerware exports data during:
     • 2-4 AM (when phone is idle, WiFi available)
     • While connected to WiFi (exfiltrate efficiently)
3. Check WiFi data usage
   • Some Android versions: Settings → Network → WiFi → Data Usage
   • If WiFi usage is 10x higher than cellular, stalkerware is exfiltrating over WiFi
4. Monitor overnight data
   • Before sleep: note your data counter
   • Upon waking: check if data changed (indicates background activity)
   • Repeat 3 nights; if data increases 50MB+ nightly, investigate

Method 2: Android Debug Bridge (ADB) Analysis

ADB is Android’s command-line tool. It requires:

• USB cable
• Computer with ADB installed
• USB debugging enabled on phone

Setup ADB

On Windows/Mac/Linux:

# Install ADB (Android SDK Platform Tools)
# macOS: brew install android-platform-tools
# Linux: sudo apt-get install android-sdk-platform-tools
# Windows: Download from https://developer.android.com/studio/command-line/adb

# Verify installation
adb version
# Should output: Android Debug Bridge version X.X.X

Enable USB Debugging on Phone

1. Settings → About Phone
2. Tap “Build Number” 7 times (until it says “Developer mode enabled”)
3. Go back; Settings → Developer Options
4. Enable “USB Debugging”
5. Connect phone to computer via USB

Connect ADB

# List connected devices
adb devices
# Should show: device_id    device

# If device shows as "unauthorized," tap "Allow" on phone prompt

List All Installed Apps

# Get all apps
adb shell pm list packages

# Output example:
# package:com.android.chrome
# package:com.whatsapp
# package:com.google.android.apps.messaging
# ...
# [hundreds more]

Analyze output:

• Do you recognize every package?
• Look for:
  • Duplicate system apps (com.google.android.messaging AND two other messaging apps)
  • Typos in known apps (com.whatsapp.official vs actual com.whatsapp)
  • Unknown packages with names like “com.tracking.system” or “com.monitor.device”

List Hidden/System Apps Specifically

# Show system apps only
adb shell pm list packages -s

# Show third-party apps only
adb shell pm list packages -3

# Show disabled apps
adb shell pm list packages -d

Stalkerware often:

• Disables itself in app drawer (hidden in settings)
• Uses system-level permissions to mask itself

Check Suspicious App Details

# Get details about a specific app
adb shell dumpsys package com.example.app

# Outputs: installation date, permissions, services, receivers

Look for:

• Recent installation (stalkerware installed recently, not pre-installed)
• Dangerous permissions: CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, READ_SMS, READ_CONTACTS
• Receivers listening to BOOT_COMPLETED (runs at startup)
• Services running in background

Monitor Running Processes

# See all running processes
adb shell ps -A

# Output shows: user, PID, process name
# Look for unfamiliar processes consuming CPU

Check Logcat for Suspicious Activity

# Monitor system logs in real-time
adb logcat

# Press Ctrl+C to stop

Stalkerware often logs:

• Location updates (“Lat: X Lng: Y”)
• Message interception (“Message from +1234567890”)
• Screenshot captures

Look for repeated log entries from unknown processes.

Method 3: Permission Audit

Check Individual App Permissions

GUI method:

1. Settings → Apps → [Select app]
2. Tap “Permissions”
3. Check which permissions are granted

Red flags:

• System app you don’t recognize with SMS/Call log access
• Utility app with Location permission
• “Google Services” variant with Camera access

ADB Permission Check

# Check all permissions granted to an app
adb shell dumpsys package com.example.app | grep -A 50 "Permissions:"

# Check which apps have specific dangerous permission
adb shell dumpsys package | grep "grant_id=READ_SMS"
# Shows all apps with SMS read access

Dangerous permissions:

• READ_SMS, WRITE_SMS, SEND_SMS (message access)
• READ_CALL_LOG, WRITE_CALL_LOG (call history)
• ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION (location tracking)
• CAMERA, RECORD_AUDIO (recording)
• READ_CONTACTS (address book)
• BODY_SENSORS (fitness data, which can infer location)

If an app you don’t recognize has 3+ of these, investigate further.

Method 4: Recommended Scanning Tools

Exodus Privacy (Free, Web-Based)

Website: exodus.info

Upload your APK file (backup the app from your phone using ADB), and Exodus analyzes it for:

• Tracking libraries (Google Analytics, Facebook SDK, etc.)
• Dangerous permissions
• Suspicious code patterns

# Extract app APK to your computer
adb pull /data/app/com.example.app/base.apk app.apk

# Upload app.apk to exodus.info
# Exodus scans and reports findings

Limitations: Analyzes code, not runtime behavior. Useful for confirming suspicion but won’t catch runtime exploits.

Malwarebytes Premium

Cost: $4/month for mobile

• Real-time malware detection
• Scans for known stalkerware signatures
• Quarantines suspicious files
• Regular updates (stalkerware signatures change monthly)

How it works:

1. Install Malwarebytes (Play Store)
2. Run full system scan
3. Quarantine any threats found
4. Review scan logs

Limitation: Relies on signature database. New stalkerware variants may not be detected.

AV-TEST Institute Certified Apps

Several free antivirus apps are AV-TEST certified (independent testing):

Norton Mobile Security (Free)

• Scans for known malware and tracking apps
• Blocks dangerous apps from install

Bitdefender Mobile Security (Free)

• Similar; good reputation for detection

Download from: Play Store, search “Norton Mobile Security” or “Bitdefender”

Quarantine Analysis

After a scan finds threats:

# Show quarantined files (Malwarebytes)
adb shell ls -la /data/data/com.malwarebytes.android/cache/quarantine/

# Files here were flagged; examine names for confirmation

Method 5: Manual App Removal

Identify the Problem App

By now, you’ve identified a suspicious app (e.g., com.system.monitor).

Disable and Uninstall

GUI method:

1. Settings → Apps → [Suspicious App]
2. Tap “Uninstall” or “Disable”

Why it might fail: Stalkerware often:

• Installs as system app (can’t uninstall, only disable)
• Re-enables itself after you disable it
• Logs into device admin (requires admin permissions to remove)

Remove Device Admin

Stalkerware sometimes registers as device admin to prevent removal.

1. Settings → Security → Device Administrators (or Device Admin Apps)
2. Look for unfamiliar apps
3. Tap the app → “Remove Admin Rights”
4. Now you can uninstall it normally

ADB Removal (Most Reliable)

If GUI uninstall fails:

# Uninstall app via ADB
adb shell pm uninstall --user 0 com.suspicious.app

# Output: Success

# Verify removal
adb shell pm list packages | grep suspicious
# Should show nothing (app is gone)

Safe Mode Uninstall (If ADB Fails)

1. Restart phone into Safe Mode
   • Hold Power button → “Power off”
   • After shutdown: Hold Power + Volume Down (varies by phone)
   • Tap “Safe Mode”
2. In Safe Mode, stalkerware may not run
   • Settings → Apps → Uninstall suspicious app
   • If uninstall succeeds, restart phone normally
3. Restart and verify removal

After Removal: Verification

Re-Scan

# Run scan again with ADB to verify
adb logcat > logcat_output.txt
# Use phone normally for 5 minutes
# Ctrl+C in terminal
# Review logcat_output.txt for suspicious processes

# If stalkerware is gone, you'll see fewer unknown processes

Monitor for Reinstallation

Stalkerware sometimes reinstalls itself:

1. Check installed apps daily

   adb shell pm list packages > installed_apps.txt
   # Save this; compare tomorrow
   

2. Monitor installation logs
   • Settings → Security → Install unknown apps
   • Check if anything tried to install
   • Block any suspicious sources
3. Change passwords (especially if location/messages were compromised)
   • Google account password
   • Email password
   • Social media passwords
   • Financial account passwords

Enable Enhanced Security

1. Settings → Security → App Verification
2. Enable “Verify apps” (checks all installs against Google’s malware database)
3. Settings → Security → Google Play Protect
4. Enable scanning

If You Suspect Ongoing Abuse

If stalkerware was found, or you believe you’re being monitored:

1. Do not confront the abuser — This may escalate violence

2. Seek professional help
   • National Domestic Violence Hotline: 1-800-799-7233
   • Text START to 88788
   • They can advise on safe phone use and digital security
3. Consider a new device
   • If stalkerware keeps reinstalling, the device itself may be compromised
   • A clean device is sometimes safer than repeated cleaning
4. Use a trusted computer for sensitive accounts
   • If stalkerware accessed your email/passwords, change them from a trusted device
   • Do not use the potentially-compromised phone
5. Document evidence
   • Keep records of any monitoring you’ve confirmed
   • Screenshots of suspicious apps
   • Timing of incidents (messages that arrived late, unexpected contact)
   • This may be useful for legal action

Technical Reality: Some Stalkerware is Undetectable

Professional-grade stalkerware (Pegasus, deployed by nation-states) is designed to be undetectable. The ADB-based methods in this guide will catch most consumer stalkerware (mSpy, Spyrix, SpyBubble) but may miss:

• Zero-day exploits in Android
• Custom stalkerware built by sophisticated attackers
• Carrier-level monitoring (phone company itself recording calls)

If you suspect nation-state or professional monitoring, the only reliable defense is a new device and trusted environment.

For typical domestic abuse situations, the ADB methods and scanning tools in this guide catch 95% of active stalkerware.

Prevention: Make Monitoring Harder

1. Strong lock screen (PIN or pattern, not biometric)
2. Two-factor authentication on accounts
3. Enable “Find My Mobile” (Samsung) or “Find My” (Google)
4. Disable USB debugging when not in use
5. Review installed apps weekly
6. Check permissions monthly for suspicious grants

Related Articles

• Android Privacy Indicators Camera Mic Explained
• Android Work Profile Privacy Separation Guide
• Android ADB Commands for Removing Bloatware That Tracks Users
• Android Find My Device Privacy Implications
• Anonymous Browsing Mobile Devices Guide 2026

Built by Privacy Tools Guide — More at zovo.one