Leak Check Me
Sign inRun Leak Check
All privacy guides
how to detect stalkerwareMay 28, 2026Leak Check Me

Stalkerware on Your Phone: How to Detect and Remove It

Stalkerware is consumer spyware sold openly and installed by people you know. Here's how to detect it on iPhone and Android, and what to do safely.

In February 2025, a server belonging to the stalkerware vendor SpyX leaked the data of nearly two million victims — call logs, photos, messages — all harvested from phones whose owners had no idea the software was running. It was the fourth such breach in roughly a year, following Cocospy, Spyic, and Spyzie. The pattern is consistent: spyware sold openly, installed by someone close to the victim, leaking the victim's life out the back door.

Stalkerware is the unglamorous, domestic cousin of nation-state spyware. It is cheap, it is legal to buy, and it is overwhelmingly used by current or former intimate partners. If you suspect it is on your phone, this post will help you check — carefully — and then decide what to do.

One-sentence answer: To detect stalkerware, look for battery drain, mystery data usage, unfamiliar device-admin or configuration profiles, and run a scan with a tool like Malwarebytes, Certo, or iVerify — but if you might be in an unsafe situation, plan your next steps with a domestic-violence advocate before removing anything.

TL;DR

  • Stalkerware (mSpy, FlexiSpy, Cocospy, Hoverwatch, Eyezy) is sold openly and usually installed by someone with physical access to your phone.
  • Tell-tale signs: rapid battery drain, unexplained data spikes, a hot phone when idle, unfamiliar apps, a jailbroken iPhone, unknown device-admin apps on Android, mystery configuration profiles on iOS.
  • Free detection: review device-admin and accessibility permissions on Android; check Profiles & Device Management on iOS; scan with Malwarebytes Mobile, Certo, or iVerify.
  • The Coalition Against Stalkerware maintains an indicator list used by most reputable scanners.
  • Do not immediately uninstall if you might be in an abusive situation. Removing the app can tip off the abuser. Get to a safe place and a safety plan first. National Domestic Violence Hotline: 1-800-799-7233.

What stalkerware actually is

Stalkerware is consumer-grade spyware marketed as "parental control" or "employee monitoring," sold openly on websites with money-back guarantees and customer service phone numbers. The most common products include mSpy, FlexiSpy, Cocospy, Spyic, Hoverwatch, Eyezy, and iKeyMonitor.

Once installed, it streams the contents of the phone — texts, call logs, GPS location, photos, microphone audio, sometimes keystrokes — to a web dashboard the operator logs into from anywhere. The operator is almost never a stranger. According to research compiled by the Electronic Frontier Foundation and Coalition Against Stalkerware, the typical installer is a current or former partner, a parent, or another family member with brief physical access to the device.

That is the part that makes this different from a virus. There is no malicious link to avoid. The "attack" is someone who knows your passcode picking up your unlocked phone for five minutes.

How it gets installed

On Android, the abuser sideloads the app, sometimes after enabling "install from unknown sources," and grants it Accessibility permissions so it can read screen content and log keystrokes. A 2025 analysis from researchers studying commercial spyware found that checking Accessibility Services permissions identifies roughly 90% of Android stalkerware, because almost all of it requires that permission to function.

On iPhone, installation is harder. Stock iOS sandboxing blocks most monitoring. The two real paths are:

  1. Jailbreak the device (visible, breaks updates, increasingly rare).
  2. Install a mobile device management (MDM) profile that lets the operator push apps and read certain data without jailbreaking.

In either case, the abuser needs your unlocked phone, or your iCloud credentials plus your 2FA code (a method some products use to mirror iCloud backups without ever touching the phone).

The signs

None of these by themselves prove stalkerware. Together, they raise the score.

  • Battery drains faster than it used to, especially overnight.
  • Mobile data usage spikes — stalkerware uploads recordings and screenshots.
  • The phone is warm when idle.
  • You notice apps you didn't install, or generic icons labeled "System Service" or "Sync Manager."
  • Pop-ups, redirects, or settings changes you didn't make.
  • An iPhone that boots to a Cydia or Sileo screen, or shows "JB" in the status — signs of jailbreak.
  • An unfamiliar configuration profile in iOS Settings → General → VPN & Device Management.
  • An unknown device-administrator app in Android Settings → Security → Device admin apps.
  • Your accounts are getting accessed from new locations even though your passwords are strong.
  • The person you suspect knows things they shouldn't — that you went to a specific address, or what you said in a private chat.

How to check, step by step

iPhone

  1. Open Settings → General → VPN & Device Management (older iOS: Settings → General → Profiles). If a profile is installed that you don't recognize — especially one from a vendor like "mSpy" or generic names like "Mobile Device Management" — that is a serious flag.
  2. Open Settings → Battery and look at the per-app breakdown. Anything draining significant battery in the background that you don't recognize is worth investigating.
  3. Check Settings → Apple Account → Devices and remove any device you don't own.
  4. Update iOS to the latest version. Updates often break stalkerware that relied on jailbreaks.
  5. Run iVerify (for configuration-profile abuse and known indicators) or Certo AntiSpy (which goes deeper, including jailbreak and known-spyware artifacts). Certo has historically outperformed iVerify in side-by-side detection tests, though iVerify is solid for profile-based attacks.

Android

  1. Open Settings → Apps → Special app access → Device admin apps. Disable anything you do not recognize.
  2. Open Settings → Accessibility. Most Android stalkerware needs Accessibility to function. Anything granted Accessibility that isn't a screen reader, password manager, or known utility deserves scrutiny.
  3. Open Settings → Security → Install unknown apps and check which apps have permission to install other apps. Revoke for anything unexpected.
  4. Install Malwarebytes Mobile or Lookout and run a full scan. Both consume the Coalition Against Stalkerware indicators list, an open-source IOC repository maintained by Echap and used across the antivirus industry.
  5. Consider SpyGuard (the open-source successor to Kaspersky's TinyCheck), which inspects your phone's network traffic from a separate device — a Raspberry Pi or laptop — so the spyware can't tell it is being watched.

Before you remove anything: please read this

If you suspect a partner, ex, or family member installed stalkerware, removing it can be the most dangerous moment. Abusers often interpret the loss of surveillance as a sign that their victim is preparing to leave, and that escalation point is statistically the highest-risk window in an abusive relationship.

Please do the following first:

  1. Get to a safe, private device — a friend's phone, a library computer, a Tor Browser session — and contact the National Domestic Violence Hotline at 1-800-799-7233, text "START" to 88788, or use the chat at thehotline.org.
  2. Talk through a safety plan. Advocates can help you decide whether to remove the spyware now, leave it in place while you prepare, or do a coordinated reset.
  3. Document evidence. Screenshots of the configuration profile, the unfamiliar device-admin app, or the iCloud login log can matter later if you pursue a protection order or charges.
  4. If you are not in an unsafe situation (you suspect a former employer, a creepy roommate who has moved out, etc.), you can proceed straight to removal.

This is not a small caveat. The Coalition Against Stalkerware exists specifically because mishandled removals have gotten people hurt.

How to actually remove it

Once you are safe to do so:

iPhone:

  • Delete unfamiliar configuration profiles from Settings → General → VPN & Device Management.
  • Update iOS. Then perform a full factory reset and restore from a backup made before you suspect stalkerware was installed (or set up as a new phone if no clean backup exists).
  • Change your Apple ID password and revoke trusted devices. Enable two-factor authentication if you somehow don't have it on.

Android:

  • Disable device-admin status for the suspicious app, then uninstall it.
  • If you can't uninstall it (some stalkerware hides as a "system app"), boot into Safe Mode and try again.
  • The cleanest fix is a factory reset followed by setting up the phone fresh — not restoring from a backup, because the backup may contain the spyware.
  • Change every password from the cleaned device, starting with email and bank.

What you can do today

  1. Check your iOS profiles and Android device-admin list right now. Two minutes. If you spot something off, do not delete it yet — read the safety section above.
  2. Install Malwarebytes Mobile (Android) or iVerify (iPhone) and run a scan. Both have free tiers that detect the major commercial stalkerware families.
  3. If anything looks suspicious and you might be in an unsafe situation, contact the National Domestic Violence Hotline before removing the app.
  4. Audit physical access to your phone. Change the passcode to something the suspected person doesn't know. Turn off message previews on the lock screen.
  5. File data broker opt-outs. Stalkerware tells the operator where you are. Public-profile sites tell anyone where you live. Both matter — see our first-24-hours doxxing playbook and the pillar piece on why your profile is the attack surface.

A note on the bigger picture

Stalkerware is one end of a spectrum. The other end is your publicly aggregated profile — the address, phone, employer, and family data that a hostile ex, a stalker, or a future employer can pull from people-search sites in under a minute. The link between the two is the same: surveillance only works when someone can find you. Cleaning up your data broker footprint is part of the same hygiene as auditing your phone for stalkerware.

We built Leak Check Me to help with the broker half of that problem. If your phone is compromised, fix that first. Then come scrub the link at leakcheckme.com.

Sources

Keep going

Related privacy guides

data leak protection

Leaks Happen. The Real Risk Is the Link Between Them. (Our Manifesto)

Leaked passwords are recoverable. Joined profiles are not. Why data leak protection has to break the link, not just chase the breach.

Read guide
what to do if doxxed

You've Been Doxxed. Here's What to Do in the First 24 Hours.

A calm, hour-by-hour playbook for the first day after a dox: what to report, what to lock down, who to call, and how to start scrubbing the source.

Read guide
remove personal info before job search

Privacy for Job Seekers: How to Clean Up Before Recruiters (and Scammers) Find You

Recruiters Google you. So do background-check vendors and scammers. A pre-job-search privacy checklist for cleaning up your digital footprint.

Read guide
Leak Link Check

See what is exposed before it gets joined.

Run a verified check for known breach exposure and public identity links, then authorize eligible scrub actions from the dashboard.

Run Leak Check