Spyware and stalkerware sit at the darker end of the malware spectrum. Unlike ransomware that announces itself loudly, these tools are engineered to stay hidden — silently siphoning passwords, screenshots, keystrokes, GPS coordinates, and private messages for weeks or months before a victim notices anything wrong. Understanding how they work is the first step toward finding and eliminating them.
What Is Spyware?
Spyware is a broad category of software designed to collect information about a user without their knowledge or meaningful consent. It typically reaches a system bundled with free software, via drive-by downloads, or through phishing links. Once installed, it operates in the background with minimal visible footprint.
Common spyware capabilities include:
- Keystroke logging — recording everything typed, including passwords and messages
- Screenshot capture — periodically capturing the screen and uploading the images to a remote server
- Browser credential theft — extracting saved usernames, passwords, and cookies
- Clipboard monitoring — capturing copied text such as crypto wallet addresses
- Microphone and webcam activation — recording audio/video without consent
Well-known commercial spyware families include FinFisher (FinSpy), Pegasus (developed by NSO Group), and Predator by Intellexa. While these are sold to governments, commodity infostealers such as RedLine Stealer and Agent Tesla are sold openly in cybercriminal markets.
What Is Stalkerware?
Stalkerware is a subset of spyware oriented toward domestic surveillance. It is typically installed manually on a victim’s device by an intimate partner, family member, or employer who has brief physical access to the unlocked phone or computer. Products like mSpy, FlexiSPY, and Hoverwatch market themselves as “parental control” or “employee monitoring” tools but are routinely abused for coercive control.
Stalkerware differs from enterprise MDM (Mobile Device Management) in one critical way: it is designed to be invisible to the person being monitored, whereas an MDM enrollment is shown in the device's settings. No icon appears in the app drawer. No notification warns the user. The app silently uploads call logs, texts, location, photos, and even the content of end-to-end encrypted messaging apps to a dashboard accessible to the installer. It does not break the encryption; it reads the messages on the device after they have been decrypted, through the accessibility service, screen capture, or notification access.
How to Detect Spyware and Stalkerware
On Windows
Unexpected network activity is often the first clue. Open Task Manager and check the App history tab for apps with unusual network usage (choose Options > Show history for all processes, otherwise only Store apps are listed). Then open Resource Monitor > Network to see which processes currently hold connections and to which addresses.
Useful detection steps:
- Run `netstat -ano` in a command prompt (add `-b`, which requires an elevated prompt, to print the executable behind each connection) to list active connections alongside their Process IDs (PIDs). Look for ESTABLISHED connections to unfamiliar public IP addresses, especially on unusual ports.
- Cross-reference each PID against the Details tab in Task Manager (or `tasklist`) to identify the owning process, then check its on-disk path and signature. A process named like a system binary but running from a user-writable folder is a red flag.
- Check startup entries with Autoruns (Sysinternals). Spyware often persists via `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, the matching HKLM key, or scheduled tasks; hiding Microsoft-signed entries in Autoruns shortens the list to what matters.
- Scan with Malwarebytes (free tier covers on-demand scanning) and HitmanPro for a second opinion.
- Submit any suspicious executables to VirusTotal before deleting them, and keep a copy of the file in case it is needed as evidence.
| Tool | Purpose | Cost |
|---|---|---|
| Malwarebytes | On-demand malware scan | Free (on-demand) |
| HitmanPro | Second-opinion cloud scanner | Free (30-day trial) |
| Autoruns | Startup and persistence analysis | Free (Microsoft) |
| Wireshark | Deep network traffic analysis | Free |
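The PID cross-reference above is tedious by hand on a busy machine. The following added example (not from the original page or any of the tools in the table) automates the first two steps: it parses saved `netstat -ano` and `tasklist /fo csv` output, drops loopback and LAN traffic, and reports connections to public addresses that are on an uncommon port or come from a process not on a short allowlist. Both output samples are constructed for illustration; the masquerading `svchost32.exe`, the allowlist, and the "common ports" set are assumptions to tune for the host being examined.

```python
"""Triage of `netstat -ano` and `tasklist /fo csv` output for suspicious
outbound connections. Both samples below are constructed for illustration;
they were not captured from a real host."""
import csv
import io
import ipaddress

# Constructed `netstat -ano` output (assumption: one masquerading process).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4120
  TCP    192.168.1.20:51234     140.82.112.22:443      ESTABLISHED     7324
  TCP    192.168.1.20:51240     203.0.113.45:8443      ESTABLISHED     6512
  TCP    192.168.1.20:51244     203.0.113.45:8443      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    3040
"""

# Constructed `tasklist /fo csv` output for the same host.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","12,344 K"
"OneDrive.exe","4120","Console","1","45,000 K"
"chrome.exe","7324","Console","1","210,112 K"
"svchost32.exe","6512","Console","1","9,020 K"
"""

# Address ranges that are not "the internet": RFC 1918, loopback, link-local,
# the unspecified address, and their IPv6 equivalents.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]
# Ports a browser or mail client uses routinely (assumption; tune per host).
COMMON_PORTS = {53, 80, 443, 465, 587, 993, 995}
# Processes expected to talk to the internet on this host (assumption).
KNOWN_NET_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "OneDrive.exe", "svchost.exe"}


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":   # UDP lines have no State column
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def split_endpoint(endpoint):
    """'203.0.113.45:8443' -> ('203.0.113.45', 8443); '[::1]:443' -> ('::1', 443)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host):
    """True only for addresses outside the local ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname; nothing to classify
        return False
    return not any(ip in net for net in LOCAL_NETS)


def triage(netstat_text, tasklist_text):
    """Flag connections to external hosts that a clean desktop would not usually make."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for conn in parse_netstat(netstat_text):
        host, port = split_endpoint(conn["foreign"])
        if conn["pid"] == 0 or not is_external(host):
            continue            # TIME_WAIT leftovers (PID 0) and local traffic
        name = procs.get(conn["pid"], "<not in tasklist>")
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append(f"uncommon remote port {port}")
        if name not in KNOWN_NET_PROCESSES:
            reasons.append(f"process {name!r} is not on the allowlist")
        if reasons:
            findings.append({"pid": conn["pid"], "process": name,
                             "remote": f"{host}:{port}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} {f['process']} -> {f['remote']}: " + "; ".join(f["reasons"]))
```

On a real machine, save `netstat -ano > netstat.txt` and `tasklist /fo csv > tasklist.txt` and feed those files to `triage()`. Treat the allowlist as a prioritisation aid, not a verdict: spyware that injects into a browser, or simply talks to its server on port 443, passes both checks, which is why the Autoruns review and the on-disk path check still matter.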
On Android
Android stalkerware is almost always sideloaded, so the attacker typically has to allow "Install unknown apps" for some source (a browser or file manager) and disable Google Play Protect, which would otherwise flag many of these apps. Both settings are worth checking immediately: Settings > Apps > Special app access > Install unknown apps, and Play Protect in the Play Store menu (paths vary by vendor).
Detection indicators:
- Battery drain faster than normal without increased usage
- Data usage spike for an app you don’t recognize
- Device runs hot when idle
- Settings > Apps shows an app named something generic like “System Service” or “Phone Monitor” with no icon
Go to Settings > Apps > See all apps, then enable Show system apps from the overflow menu and look for anything unfamiliar. Next check Settings > Accessibility for third-party services that are switched on: stalkerware frequently abuses the accessibility service to read screen content and keystrokes from other apps, which is how it captures end-to-end encrypted messages. Also review Settings > Security > Device admin apps. An unexpected device administrator is a sign of an app protecting itself against uninstallation; revoke that status before trying to remove it.
Run a scan with Malwarebytes for Android or Lookout Security. The Coalition Against Stalkerware maintains a list of verified stalkerware at stopstalkerware.org.
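If the phone can be connected to a computer with USB debugging, the same checks can be pulled from `adb shell` rather than tapped through menus. The following added example (not from the original page, Malwarebytes, Lookout, or the Coalition Against Stalkerware) parses two real `adb shell` outputs, `pm list packages -3` (third-party packages only) and `settings get secure enabled_accessibility_services`, and flags third-party packages that borrow a system-style or generic "monitoring" name, plus any enabled accessibility service that is not on an allowlist. The package names, the service string, the allowlist, and the list of suspicious words are constructed assumptions.

```python
"""Triage of two `adb shell` outputs for stalkerware indicators:
`pm list packages -3` (packages not part of the system image) and
`settings get secure enabled_accessibility_services`. Samples are constructed."""

# Constructed `adb shell pm list packages -3` output.
PM_LIST_SAMPLE = """\
package:com.whatsapp
package:com.android.systemservice
package:org.mozilla.firefox
package:com.phonemonitor.client
"""

# Constructed `adb shell settings get secure enabled_accessibility_services`
# output: colon-separated "package/service" entries.
ACCESSIBILITY_SAMPLE = (
    "com.android.systemservice/com.android.systemservice.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Services the device owner knowingly enabled (assumption: the TalkBack screen reader).
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}
# Words stalkerware uses to pass as a harmless system component (assumption).
GENERIC_TOKENS = ("system", "service", "monitor", "sync", "update", "tracker")


def parse_third_party_packages(text):
    """'package:com.example' lines -> ['com.example', ...]."""
    return [line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")]


def parse_accessibility_services(text):
    """'pkg/svc:pkg2/svc2' -> [(pkg, svc), ...]; the setting reads 'null' when empty."""
    text = text.strip()
    if not text or text == "null":
        return []
    out = []
    for entry in text.split(":"):
        pkg, _, svc = entry.partition("/")
        out.append((pkg, svc))
    return out


def triage(pm_text, accessibility_text):
    """Return {package: [reasons]} for packages that deserve a closer look."""
    findings = {}
    for pkg in parse_third_party_packages(pm_text):
        # Genuine AOSP components live in the system image and never appear in
        # `-3` output, so a third-party com.android.* package is a disguise.
        if pkg.startswith(("com.android.", "android.")):
            findings.setdefault(pkg, []).append("third-party package with a system-style name")
        elif any(tok in pkg.lower() for tok in GENERIC_TOKENS):
            findings.setdefault(pkg, []).append("generic monitoring-style package name")
    for pkg, svc in parse_accessibility_services(accessibility_text):
        if pkg not in ACCESSIBILITY_ALLOWLIST:
            findings.setdefault(pkg, []).append(f"accessibility service enabled: {svc}")
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(PM_LIST_SAMPLE, ACCESSIBILITY_SAMPLE).items():
        print(pkg, "->", "; ".join(reasons))
```

For each flagged package, `adb shell dumpsys package <name>` shows where it was installed from and which permissions it holds, which is usually enough to decide. Two caveats: enabling USB debugging changes the device, so in an abuse situation photograph the settings first (see the removal steps below); and a clean result here only covers packages and accessibility services, not device-admin or notification-listener abuse.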
On iOS
iOS is significantly harder to compromise without a jailbreak, so most iPhone monitoring is iCloud-based and requires no device access at all: an attacker only needs the victim's Apple ID credentials (and, if two-factor authentication is on, access to a trusted device). Change your Apple ID password, enable two-factor authentication, review the list of devices signed in to your Apple ID at the bottom of Settings > [Your Name] and remove any you do not recognize, and check Settings > [Your Name] > iCloud to see which apps are syncing. On iOS 16 and later, Settings > Privacy & Security > Safety Check walks through these steps and can revoke sharing and access in one pass.
If you suspect a jailbroken device running Cydia-based spyware, a full factory reset and restore from a trusted backup (or setting up as new) is the most reliable remediation.
Removal Steps
Step 1: Disconnect from the internet
Before removing anything, put the device in airplane mode (or disconnect from Wi-Fi and mobile data). This keeps the spyware from exfiltrating data or alerting its operator while you work.
Step 2: Document for legal purposes
If this is an abuse situation, photograph the evidence before removing anything: the list of installed apps, accessibility and device-admin settings, and active network connections can all be used in legal proceedings, and a factory reset destroys them. Contact the National Domestic Violence Hotline (1-800-799-7233 in the US) or a local organization if you are in an unsafe situation; an advocate can help you decide whether and when removal is safe.
Step 3: Run a trusted scanner
On Windows, run a Microsoft Defender Offline scan (Settings > Windows Security > Virus & threat protection > Scan options > Microsoft Defender Offline scan). The machine reboots into a trusted recovery environment and scans the disk before the installed OS, and anything persisting in it, gets to load.
On Android, perform a factory reset. Stalkerware often holds device-admin rights or hides as a system-looking package, so uninstalling it through Settings is unreliable. Back up only contacts and photos, not app data, and when setting the phone up again decline the offer to restore apps from your Google account backup, since either can reinstall the spyware.
Step 4: Change all credentials
After cleaning the device, change passwords for all accounts, especially email, banking, and social media, from a known-clean device: a keylogger may have captured every password typed on the old one. Enable multi-factor authentication everywhere and sign out any sessions or devices you do not recognize.
Step 5: Harden the device post-removal
- Windows: Enable tamper protection in Windows Defender, keep auto-updates on, and consider Microsoft Defender for Endpoint if you’re in a business context.
- Android: Re-enable Google Play Protect, review app permissions monthly, and avoid sideloading APKs.
- iOS: Use a strong, unique Apple ID password with 2FA. Never share your Apple ID.
Defensive Habits Going Forward
Physical access is the primary attack vector for stalkerware. A strong PIN or biometric lock that you never share eliminates most installation opportunities. For spyware delivered through malicious links, a combination of a reputable browser with strict tracking protection, ad-blocking, and skepticism toward unsolicited downloads covers the majority of commodity threats.
Monitor your network periodically. A Pi-hole or AdGuard Home instance configured as the DNS resolver for your LAN logs the queries of every device, so a device that checks in with an unfamiliar domain at a fixed interval stands out over time. The caveat is that an app using its own encrypted DNS (DNS over HTTPS) bypasses that resolver, so absence from the log is not proof of absence.
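The "fixed interval" pattern is easy to pull out of a resolver log with a few lines of code. The following added example (not from the original page, Pi-hole, or AdGuard Home) parses the dnsmasq-style query lines Pi-hole writes to its pihole.log, groups queries by client and domain, and flags pairs whose inter-query gaps are nearly constant. The log lines are generated inline and are constructed: one device asks for `api.sync-status.example` every 300 seconds, the others browse irregularly. The thresholds (at least six queries, coefficient of variation of the gaps at most 0.1) are assumptions to tune for your network.

```python
"""Beacon detection over Pi-hole (dnsmasq-format) query log lines.
The log below is constructed for illustration, not captured from a real network."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# dnsmasq query line, e.g.  "Mar 03 09:05:00 dnsmasq[812]: query[A] host.example from 192.168.1.37"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[[A-Z]+\] (?P<domain>\S+) from (?P<client>\S+)$")


def _line(ts, domain, client):
    return f"{ts:%b %d %H:%M:%S} dnsmasq[812]: query[A] {domain} from {client}"


_START = datetime(2024, 3, 3, 9, 0, 0)
# Constructed log: a 300 s beacon from .37, irregular browsing from .20, and a
# short burst from .37 that is too small to judge.
SAMPLE_LOG = "\n".join(
    [_line(_START + timedelta(seconds=300 * i), "api.sync-status.example", "192.168.1.37")
     for i in range(12)]
    + [_line(_START + timedelta(seconds=s), "www.example.org", "192.168.1.20")
       for s in (0, 17, 95, 130, 400, 433, 900, 1500)]
    + [_line(_START + timedelta(seconds=s), "cdn.example.net", "192.168.1.37")
       for s in (40, 41, 1200, 1210)]
)


def parse_log(text, year=2024):
    """Return [(timestamp, client, domain)]; the log carries no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # cached/forwarded/reply lines are not queries
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["client"], m["domain"]))
    return events


def find_beacons(events, min_queries=6, max_cv=0.1):
    """Flag (client, domain) pairs queried at a near-constant interval.

    cv = stdev(gaps) / mean(gaps): 0 for a perfect timer, large for human browsing.
    """
    by_pair = defaultdict(list)
    for ts, client, domain in events:
        by_pair[(client, domain)].append(ts)
    beacons = []
    for (client, domain), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                    # duplicate timestamps only; nothing periodic
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"client": client, "domain": domain, "count": len(stamps),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['client']} -> {b['domain']}: {b['count']} queries, every ~{b['period_s']} s")
```

Run it against a day of real log data and expect legitimate beacons too (mail polling, update checks, smart-home devices); the value is in the shortlist, where a domain you cannot account for on a phone or laptop is worth a closer look. AdGuard Home stores its query log as JSON rather than in this line format, so only the parser needs to change for it.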
Finally, be aware that stalkerware is a safety issue as much as a technical one. If you suspect a domestic abuser is monitoring your device, prioritize your physical safety first. Removing spyware without a safety plan can escalate dangerous situations.