What Is Stalkerware?

December 29, 2025

Stalkerware is a type of invasive software designed to secretly monitor a personโ€™s digital activity without their knowledge or consent.

what is stalkerware

What is Stalkerware?

Stalkerware is software that enables someone to monitor another personโ€™s device activity in a covert, unauthorized, and non-consensual way. It is typically installed with physical access to the target device and then runs in the background to collect and transmit data to the installer, often through a web dashboard, email reports, or a companion app.

While some products are marketed as โ€œparental control,โ€ โ€œemployee monitoring,โ€ or โ€œfamily safetyโ€ tools, stalkerware is defined by how it is used: it is deployed to surveil an adult partner, ex-partner, or other individual without their informed consent, and it is configured to hide its presence or minimize visible signs of monitoring.

Types of Stalkerware

Stalkerware comes in a few common forms, usually grouped by how it gets installed and what level of access it has. The categories below cover the most typical types youโ€™ll see in the real world.

Commercial โ€œSpywareโ€ Apps (Consumer-Grade Monitoring Tools)

These are paid apps marketed with phrases like โ€œphone tracker,โ€ โ€œmonitoring,โ€ or โ€œcatch a cheating spouse,โ€ and they often provide a dashboard where the installer can view collected data. They typically request broad permissions (notifications, accessibility, location, contacts) to capture call/SMS logs, device location, browsing activity, and app usage. Many try to stay hidden by removing icons, using generic names, or running silently in the background.

Abuse of Legitimate Parental-Control or Monitoring Software

Some mainstream tools are designed for consent-based use cases (like monitoring a childโ€™s device) but become stalkerware when installed on an adultโ€™s device without informed consent. The software may not be as aggressively stealthy as โ€œspyโ€ apps, but it can still enable extensive tracking, especially when configured to report location, communications metadata, and screen time or app activity. The harm comes from the non-consensual deployment and the power imbalance it creates.

Device-Admin/Mobile Device Management Misuse

On some platforms, an abuser can install an MDM profile or otherwise enroll a device in management, giving them elevated control over settings and data flows. This can enable restrictions, remote configuration, and persistent oversight thatโ€™s hard for a non-technical user to spot, especially if the device appears โ€œnormalโ€ on the surface.

In workplace contexts, management tools can be legitimate, but when used privately on someoneโ€™s personal device without consent, they function like stalkerware.

Account-Based Monitoring and Cloud Sync โ€œStalkerwareโ€

Instead of installing an app, a stalker may gain access to online accounts and monitor data through synced services, such as email, cloud photo libraries, shared calendars, โ€œfind my deviceโ€ services, social media accounts, or shared family plans. This type can be especially sneaky because the victim may not see any new app on their device as surveillance happens through the account layer. It often relies on stolen passwords, reused credentials, or tricking someone into staying logged in.

Platform-Level Tracking via Bult-In Features

Built-in features like continuous location sharing, shared device access, or family location services can be used for safety and convenience, but they become a form of stalkerware when enabled without clear, informed agreement or when used to control someoneโ€™s movements. The tracking is โ€œlegitimateโ€ in the sense that it uses native OS features, which can make it harder to identify as abuse. The abuse risk is highest when the tracker controls the account settings or the device itself.

Custom Malware and Remote Access Tools (RATs)

More advanced attackers may use general-purpose malware or remote access tools that provide deeper control through file access, live screen viewing, keylogging, microphone/camera activation, or command execution. This type is less โ€œoff-the-shelf consumer appโ€ and more like traditional cybercrime tooling repurposed for personal surveillance. It tends to be harder to detect and may involve persistence techniques that survive reboots or hide within system processes.

How Does Stalkerware Work?

Stalkerware typically works by getting installed with enough permissions to observe a deviceโ€™s activity, then quietly collecting data and sending it to the person who installed it. While the exact details vary by platform and product, the overall flow is usually similar, and includes the following steps:

  1. Access is gained to the target device or account. The installer often needs physical access (even briefly) to unlock the phone and install an app or change settings, or they may gain access to an online account (email, Apple/Google account) tied to the device. This step is what makes the surveillance possible in the first place.
  2. The software or configuration is installed and set up. An app is installed, a management profile (like MDM) is added, or a cloud service is configured for ongoing tracking. The installer typically creates a linked account or dashboard so they can later view the victimโ€™s data remotely.
  3. High-risk permissions are granted to expand visibility. To capture more than basic information, stalkerware often requests broad permissions such as access to location, notifications, accessibility services, contacts, call/SMS logs, or device admin controls. This step increases what the tool can observe and how deeply it can monitor activity.
  4. Stealth and persistence are enabled. The software may hide its icon, change its name, suppress notifications, or configure itself to start automatically after reboot. The goal of this step is to reduce the likelihood of the victim noticing it and to keep monitoring active over time.
  5. Data is collected in the background during normal device use. As the device is used, the tool records selected data, like location history, app activity, browser history, or message metadata, and sometimes more sensitive content if it can access notifications or the screen. This step turns everyday behavior into a stream of trackable events.
  6. Collected information is transmitted to the installer. The data is typically sent over the internet to a vendor server or directly to the installerโ€™s dashboard, sometimes in near real time and sometimes in periodic uploads to conserve battery and avoid attention. This step gives the installer remote visibility without needing the device again.
  7. The installer reviews and uses the information to track or control. The installer logs into a web portal or companion app to view reports, maps, logs, screenshots, or alerts, and may adjust settings to increase monitoring or target specific apps. This final step is where surveillance becomes actionable, enabling ongoing tracking, intimidation, or coercive control.

What Data Does Stalkerware Collect?

Stalkerware can collect a wide range of data depending on the device, the permissions it gets, and whether itโ€™s an app, an MDM profile, or account-based access. Common data types include:

  • Location data: real-time location, location history, geofences/alerts, routes, and timestamps.
  • Call and messaging records: call logs, SMS metadata (who/when), and sometimes message content if the tool can access notifications or messaging apps.
  • Contacts and relationship data: address book entries, call/message frequency patterns, and sometimes calendars.
  • Photos, videos, and files: access to media libraries, downloads, and stored documents, sometimes including cloud-synced content.
  • Browser and internet activity: browsing history, search queries, bookmarks, and sometimes visited URLs captured via accessibility or VPN-style tracking.
  • App usage and device activity: installed apps, time spent in apps, screen activity, and interaction logs.
  • Email and social media visibility: email headers/content or social app messages when the attacker has account access or the software can read notifications/screen content.
  • Audio and screen capture (higher-risk variants): microphone recordings, call recording (where possible), screenshots, or screen recording.
  • Device identifiers and system details: IMEI/serial, OS version, network info, and sometimes Wi-Fi networks used to tie data to a specific device and maintain access.
  • Keylogging and typed input (advanced/malware-like tools): keystrokes, passwords, and form inputs, typically via accessibility abuse or malware techniques.

Who Uses Stalkerware?

Stalkerware is most commonly used by people who want to monitor someone they know in real life, usually without consent. The most frequent scenario is an abusive partner or ex-partner using it to track location, communications, and daily routines as part of harassment or coercive control. It can also be used by other individuals in close proximity, such as someone in the same household, a roommate, or a family member, because installation often requires brief physical access to the device or shared account credentials.

In other cases, stalkerware-like monitoring can come from someone with authority over the device, such as a parent misusing a monitoring app on an older teen or adult child, or an employer misusing device-management tools on a personal phone.

Less commonly, itโ€™s used by people outside the victimโ€™s circle (for example, a private investigator or a targeted harasser), but those situations usually still depend on obtaining device access or account access rather than โ€œremote hackingโ€ alone.

How to Prevent Stalkerware?

Preventing stalkerware focuses on reducing unauthorized access to your devices and accounts, and making it harder for someone to install or hide monitoring tools. The steps below work together to limit both initial installation and ongoing surveillance:

  1. Secure physical access to your devices. Use a strong device lock (PIN, password, or biometric) and never share it. Avoid leaving phones or laptops unattended or unlocked, since most stalkerware requires brief physical access to be installed.
  2. Protect key online accounts first. Change passwords for your email, Apple ID, Google account, and cloud services, and enable two-factor authentication. These accounts control backups, app installs, location sharing, and device settings, so securing them prevents account-based monitoring.
  3. Review installed apps and permissions regularly. Check for unfamiliar apps, generic-sounding services, or apps without icons, and review which apps have access to location, notifications, accessibility services, device admin, or screen recording. Remove anything you donโ€™t recognize or no longer need.
  4. Check for device management or profile enrollment. Look for mobile device management (MDM) profiles, โ€œsupervisedโ€ status, or unknown configuration profiles in system settings. If you find one you didnโ€™t consent to, it may indicate persistent monitoring that needs removal.
  5. Keep your operating system and apps up to date. Install OS and security updates promptly. Updates often close permission loopholes and add warnings or controls that make stalkerware harder to install or easier to detect.
  6. Use trusted security and anti-stalkerware tools. Reputable mobile security apps can scan for known stalkerware behaviors and suspicious configurations. If you suspect abuse, use these tools cautiously, as removing stalkerware can escalate a dangerous situation.
  7. Reset or replace the device if necessary. If monitoring persists or youโ€™re unsure what was changed, a factory reset and fresh account setup can remove most stalkerware. In high-risk situations, switching to a new device and accounts may be the safest option.

How to Detect Stalkerware?

how to detect stalkerware

Detecting stalkerware involves looking for signs of hidden monitoring on both the device and the accounts connected to it. Because many tools are designed to stay out of sight, detection often relies on checking settings, permissions, and unusual behavior rather than spotting a visible app. Here is how to detect stalkerware:

  1. Watch for unusual device behavior. Sudden battery drain, increased data usage, overheating, or performance slowdowns can indicate background monitoring or frequent data uploads.
  2. Review installed apps and system services. Look for unfamiliar apps, generic names (for example, โ€œSystem Serviceโ€), or apps without icons. Pay attention to anything you donโ€™t remember installing.
  3. Check high-risk permissions. Inspect which apps have access to location, notifications, accessibility services, device admin controls, screen recording, or microphone access. Stalkerware often depends on one or more of these.
  4. Look for device management or configuration profiles. Check whether the device is enrolled in mobile device management (MDM), โ€œsupervisedโ€ mode, or has unknown configuration profiles installed, as these can enable persistent control and monitoring.
  5. Review account activity and security logs. Check email, Apple/Google account, and social media security settings for unfamiliar logins, linked devices, forwarding rules, or active sessions you donโ€™t recognize.
  6. Scan with a reputable security or anti-stalkerware tool. Use a trusted mobile security app that can detect known stalkerware patterns or suspicious configurations. Be cautious, as removing stalkerware can alert the person who installed it.
  7. Trust external signals and inconsistencies. If someone consistently knows your location, messages, or plans without being told, it may indicate account- or device-level monitoring even if no app is visible.

How to Remove Stalkerware?

Removing stalkerware requires care, especially if monitoring is linked to harassment or abuse. The goal is to eliminate unauthorized access while minimizing personal risk and preventing the stalker from reinstalling the software. Here is how to do it:

  1. Assess personal safety before taking action. If you believe the person monitoring you could react aggressively, consider delaying removal and seeking advice from a trusted person or support organization. Sudden loss of access can alert the installer.
  2. Back up essential data safely. Save important contacts, photos, and documents to a secure location or a new account you control. Avoid using accounts or devices the stalker may already access.
  3. Remove suspicious apps and revoke permissions. Uninstall unknown or suspicious apps and revoke high-risk permissions such as accessibility, device admin, location, and notification access. Restart the device to prevent services from restarting.
  4. Delete device management profiles and reset settings. Remove any unknown MDM profiles, configuration profiles, or supervision settings. These often enable persistent control and must be removed before other steps are effective.
  5. Secure all linked accounts immediately. Change passwords for email, cloud, and app store accounts, enable two-factor authentication, and review connected devices and active sessions. This prevents reinstallation through account access.
  6. Run a full security scan or perform a factory reset. Use a reputable security tool to scan the device, or perform a factory reset if you want the most reliable removal. After resetting, set up the device as new rather than restoring from old backups.
  7. Monitor for signs of reinstallation or continued access. After removal, watch for unusual behavior, new apps, or changed settings. If monitoring continues, switching to a new device and new accounts may be necessary.

Does a Factory Reset Remove Stalkerware?

In most cases, a factory reset will remove stalkerware because it deletes installed apps, resets system settings, and removes most hidden services from the device. However, it may not be fully effective if the device is enrolled in mobile device management (MDM), set up in a โ€œsupervisedโ€ or managed mode, or if the stalker retains access to the victimโ€™s Apple ID, Google account, or cloud backups and can re-enable monitoring after the reset. To ensure the reset works, itโ€™s important to remove any unknown management profiles first and secure all linked accounts before setting the device up again.

Stalkerware FAQ

Here are the answers to the most commonly asked questions about stalkerware.

Stalkeware vs. Spyware

AspectStalkerwareSpyware
Primary purposeTo secretly monitor a specific person, usually someone the installer knows (partner, ex-partner, family member).To covertly collect data at scale, often for financial gain, advertising, or intelligence gathering.
Typical targetAn individualโ€™s personal device (smartphone or laptop) belonging to a known person.Many users or systems, often indiscriminately.
InstallerCommonly a private individual with physical or account access to the device.Cybercriminals, state actors, or malicious operators.
ConsentInstalled and used without the victimโ€™s informed consent.Installed without consent, usually through malicious downloads or exploits.
Distribution methodPhysical access, shared credentials, or misuse of legitimate monitoring features.Phishing, malicious websites, bundled software, or security exploits.
Stealth levelOften hides icons and notifications but may rely on legitimate permissions.Designed to be highly stealthy and difficult to detect.
Data collectedLocation, calls/SMS, app activity, messages, photos, and account data focused on one person.Credentials, financial data, browsing habits, keystrokes, and system data across many victims.
Common framingSometimes marketed as โ€œmonitoring,โ€ โ€œtracking,โ€ or โ€œfamily safetyโ€ tools.Clearly malicious and rarely marketed openly to end users.
Associated harmPrivacy invasion, coercive control, harassment, and abuse.Data theft, fraud, identity theft, and large-scale cybercrime.
Legal/ethical viewWidely considered abusive and unethical; legality depends on jurisdiction and use.Generally illegal and universally considered malicious.

Can Stalkerware Be Installed Remotely?

Stalkerware usually cannot be installed remotely on a fully updated, properly secured device. In most real-world cases, the installer needs physical access to the phone or computer, even if only for a few minutes, to unlock it, install an app, grant permissions, or change system settings.

However, there are limited exceptions. Monitoring can occur without touching the device if someone already has access to the victimโ€™s online accounts, such as email, Apple ID, Google account, or cloud backups, which can enable location tracking, message access, or silent re-installation after a reset.

More advanced attacks using malware exploits are possible but rare and typically associated with sophisticated cybercrime rather than consumer stalkerware.

Is Stalkerware Illegal?

Stalkerware is often illegal, but its legality depends on how it is used and the laws of the country or region. In many jurisdictions, secretly installing monitoring software on someoneโ€™s device without their knowledge or consent violates privacy, wiretapping, data protection, or stalking laws, especially when it involves tracking location, intercepting communications, or accessing personal data.

Even where the software itself is marketed as โ€œlegal,โ€ using it to monitor an adult without consent is commonly unlawful, and courts increasingly treat stalkerware use as a form of digital abuse or coercive control.

Anastazija
Spasojevic
Anastazija is an experienced content writer with knowledge and passion for cloud computing, information technology, and online security. At phoenixNAP, she focuses on answering burning questions about ensuring data robustness and security for all participants in the digital landscape.