Privacy Tools Guide

Stalkerware disguises as legitimate apps but secretly records location, messages, and calls. Detection involves checking running processes, analyzing network traffic, examining file permissions, and monitoring battery drain. iOS: Focus on jailbreak detection and MDM profiles. Android: Review installed apps, permissions, and adb logs. This technical guide covers detection methods, commands you can run, and how to preserve evidence for authorities.

Understanding Stalkerware vs Legitimate Monitoring

Legitimate monitoring (parental controls, corporate MDM):

Stalkerware (illegal in most jurisdictions):

Stalkerware is illegal in the US, EU, UK, Canada, Australia, and many other countries. If you suspect stalkerware, you have legal options: contact police, file a restraining order, or work with organizations like NNEDV (National Network to End Domestic Violence).

iOS Stalkerware Detection

Method 1: Check for Jailbreak

Most stalkerware apps require iOS jailbreak (removal of Apple’s security sandbox). Run these checks:

# On your iPhone (using any SSH terminal app like SSH Files):
# Try to access private directories that shouldn't be accessible:
ls /var/mobile/Library/Caches/

# If this succeeds, your phone is likely jailbroken
# Non-jailbroken iOS should deny access

# Check for common jailbreak artifacts:
ls /System/Library/LaunchDaemons/ | grep -E "com.saurik|com.cydia"

# Common jailbreak tweak names (stalkerware hides here):
ls /Library/MobileSubstrates/DynamicLibraries/ 2>/dev/null

If jailbreak detection succeeds and you didn’t authorize it, your phone is likely compromised.

Method 2: Check for MDM Profiles (Management Profiles)

Stalkerware sometimes hides as a Mobile Device Management (MDM) profile. Check Settings:

Settings → General → VPN & Device Management

Look for:
- Unknown profiles from organizations you don't recognize
- Profiles named "Monitoring," "Control," or generic names like "Profile1"
- Profiles from email addresses you don't recognize

Legitimate MDM profiles should be from your employer (if work phone)
or your device manufacturer.

Real stalkerware example: Profile named “Apple Security Update” but installed by unknown email address. Legitimate Apple MDM profiles show “Apple Inc.” as the issuer.

Method 3: Check Battery and Data Usage

Stalkerware runs constant background processes: location tracking, data upload.

Settings → Battery → Battery Usage

Suspicious patterns:
- Apps using 10%+ battery while in background
- System services using >5% battery (unusual)
- Multiple background refreshes of unfamiliar apps

Settings → Cellular Data

Suspicious patterns:
- High data usage from background sources
- Data spikes at regular intervals (every 15 minutes, every hour)
- Data usage at night when phone is idle

Real example: SpyBubble variant used 8% battery daily on background process named “System Services.”

Method 4: Network Traffic Analysis

Stalkerware exfiltrates data to external servers. Monitor outbound connections:

# Using Network Link Conditioner (Apple's tool):
# 1. Download from Apple's Additional Tools for Xcode
# 2. Observe network traffic spikes

# Or use Surge (network monitoring app):
# 1. Install Surge from App Store ($3 one-time)
# 2. Enable "Network Activity Logging"
# 3. Look for:
   - Connections to IP addresses (not domain names, often obfuscated)
   - Regular data uploads at fixed intervals
   - Connections to non-US servers (many stalkerware servers are abroad)
   - Encrypted connections you didn't initiate

Real example: mSpy variant connected to 185.92.75.190 (Ukrainian server) every 600 seconds, uploading 2MB data packages.

Method 5: App Store Verification

Check if all installed apps are from legitimate App Store sources:

Settings → Apps → App Store

Review each installed app:
- Verify it exists in App Store (search for exact name)
- Check developer name matches
- Suspicious signs:
  - App doesn't exist in App Store
  - App exists but has different icon
  - Developer is unknown company
  - App description doesn't match functionality

Many stalkerware apps impersonate legitimate apps:

Real stalkerware names to check: If you see any of these, they’re definitely malicious:

Android Stalkerware Detection

Android is more vulnerable because it allows sideloading (installing apps from sources other than Google Play).

Method 1: Check App Installation Sources

# On Android (adb shell or local terminal app):
# List all installed apps with source:
adb shell pm list packages -3

# Third-party apps (should recognize all of them)
# Any unfamiliar app is suspicious

# Check specifically for common stalkerware packages:
adb shell pm list packages | grep -E "mspy|flexispy|spytech|trackioo"

# If any return results, stalkerware is installed

Method 2: Check App Permissions

# List which apps have dangerous permissions:
adb shell pm list packages -p | grep -E "FINE_LOCATION|CALL_LOG|READ_SMS"

# Or via GUI:
Settings → Apps → Permissions → Location
Settings → Apps → Permissions → Contacts
Settings → Apps → Permissions → SMS
Settings → Apps → Permissions → Call Logs

Look for:
- Unfamiliar apps with location access (especially background)
- Apps you don't use with SMS/Call log access
- Multiple apps with camera/microphone permissions

Real example: Stalkerware app named “Device Manager” had:

Method 3: Check Running Processes

# View all running processes:
adb shell ps | grep -v 'com.android\|com.google'

# Common stalkerware service names:
# Look for processes with names like:
# - service_update
# - system_monitor
# - device_care
# - cloud_backup
# - security_check

# Anything suspicious:
adb shell dumpsys package [package_name] | grep requestedPermissions

# Example: Check if installed app "SystemUpdate" is legit:
adb shell dumpsys package com.system.update

# Legitimate system updates come from Google Play Services
# Fake updates come from unknown sources

Method 4: Check Device Administrator Apps

# Stalkerware often registers as Device Administrator
# (prevents user from uninstalling it)

# Via GUI:
Settings → Security → Device administrators

Look for any app you don't recognize.
Especially suspicious:
- Apps that don't have a corresponding icon
- Apps with blank names
- Apps from unknown developers

# Via command line:
adb shell dumpsys devicepolicy | grep "Admin User"

Method 5: Battery and Data Anomalies

# Check battery drain sources:
Settings → Battery → Battery Usage

# Check for:
- Background activity from unfamiliar apps
- Services like "SystemUpdate" using >5% battery
- GPS/Location services constantly active

# Monitor data usage:
Settings → Network → Data Usage

# Stalkerware uploads data constantly
# Look for regular hourly spikes (e.g., 2MB every 3600 seconds)

Method 6: Inspect /data Directory

# Advanced: Requires root access (careful!)
# Check for hidden apps or processes:
adb shell su -c "ls -la /data/data/ | grep -v com.android"

# Stalkerware sometimes stores data in hidden directories
# Named suspiciously:
# - /data/data/com.system.config
# - /data/data/service.update
# - /data/data/device.monitor

Preservation of Evidence

If you suspect stalkerware, preserve evidence for legal proceedings:

Screenshots and Documentation

1. Photograph your phone screen showing:
   - MDM profile (iOS)
   - Unknown app (Android)
   - Network traffic spike
   - Battery drain source
   - File system evidence

2. Document date, time, device model, OS version

3. Save this information:
   - Screenshot filename (includes timestamp)
   - Device UDID/serial number (Settings > About)
   - Complete app lists with installation dates

Data Export

# iOS: Export and backup
# Settings > iCloud > iCloud Backup > Back Up Now
# Save backup to external drive

# Android: Export data
adb shell pm list packages > installed_apps_$(date +%Y%m%d).txt
adb shell dumpsys > device_state_$(date +%Y%m%d).txt
adb shell logcat > system_logs_$(date +%Y%m%d).log

Network Traffic Capture

# iOS: Use Surge or similar to export connection logs
# Export in HAR format with timestamps

# Android: Use packet capture
adb shell tcpdump -i any -w /sdcard/capture.pcap
# Transfer file: adb pull /sdcard/capture.pcap

Removal and Recovery

iOS Removal

# If jailbroken:
1. Connect to computer with iTunes/Finder
2. Put phone in DFU mode
3. Restore from backup (before stalkerware installation)

# If MDM profile installed:
1. Settings > General > VPN & Device Management
2. Tap the unknown profile
3. Tap "Remove Management"
4. Confirm removal
5. Restart phone

# If app-based (rare):
1. Delete any suspicious apps from Home Screen
2. Go to Settings > Apps
3. Find suspicious app
4. Tap "Delete"

Android Removal

# If stalkerware as system app (most dangerous):
# Requires factory reset:
1. Backup important data to cloud
2. Settings > System > Reset > Erase all data
3. Set up phone from scratch
4. Restore data from cloud backup (NOT from previous backup)

# If stalkerware as user app:
1. Settings > Apps
2. Find the suspicious app
3. Tap "Uninstall"
4. If "Uninstall" is grayed out:
   - Go to Settings > Security > Device Admin
   - Find the app
   - Tap "Deactivate"
   - Then uninstall

# After removal:
1. Change all passwords (from computer, not phone)
2. Enable two-factor authentication
3. Review recent account activity
4. Update contact list (stalker may have stolen it)

Get Help and Report

Organizations assisting stalkerware victims:

Document everything for law enforcement: installation date, capabilities, duration, data stolen.

Prevention Going Forward

After removal:

1. Use strong, unique password for all accounts
2. Enable two-factor authentication everywhere
3. Review connected devices in account settings
4. Revoke app access to location, contacts, messages
5. Enable "Find My" location sharing only with trusted people
6. Use VPN to prevent location tracking
7. Disable location history on Google/Apple accounts
8. Review Privacy Dashboard regularly (iOS 15+, Android 12+)

Built by theluckystrike — More at zovo.one

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides