
Sam Chen


How To Detect Stalkerware On Phone

# How To Detect Stalkerware On Your Phone – A Glitch Investigator’s Field Guide

Welcome back to Glitch in the System. I’m your host, the Glitch Investigator, and today we’re diving deep into a threat that’s more personal than any “bug” you’ve ever run into: stalkerware. If you’ve ever felt that odd warmth in your pocket, watched a battery drain faster than it should, or spotted an app that looks like it belongs in a lab‑rattled sci‑fi movie, you might be dealing with a covert piece of software that’s watching you as closely as a security camera on a bank vault.

In this companion post, I’ll walk you through the technical clues, the free tools you can run right now, and the actionable steps to clean and harden your device. Think of it as a forensic checklist you can pull up on any device—iPhone or Android—while you’re sipping coffee and listening back to the episode.

### 1. What Exactly Is Stalkerware?

Stalkerware is a class of commercial spyware sold to anyone who wants to monitor a target’s device without consent. The vendors market it as “parental control,” “employee monitoring,” or “relationship safety” tools, but the code lives in the exact same space as legitimate apps: the OS’s permission system, background services, and notification channels.

- Installation vectors: phishing links, malicious QR codes, USB debugging, or even a “lost‑phone” hand‑off (as in our listener’s story).
- Typical capabilities: location tracking, call‑log scraping, microphone activation, screenshot capture, and remote data exfiltration.
- Camouflage tactics: fake system services, renamed system apps, or deliberately obscure package names that slip past casual glances.

Because the software pretends to be a legitimate system component, detection isn’t as simple as “look for an unknown app.” You’ll need to combine behavioral analysis with a few quick forensic tools.

### 2. Red Flags – The “Glitch” Symptoms on Your Device

Below is a checklist you can run in under two minutes.
Highlight any that match your phone’s recent behavior:

- Battery drops > 10% per hour with the screen off.
- Unexpected spikes in data usage (especially cellular).
- Device heating up even when idle.
- Unexplained “System Service Manager” or similarly generic process names.
- New, untitled icons in the app drawer that disappear when you try to open them.
- Random pop‑ups asking for “permissions” you never granted.
- Calls or texts appearing in the log that you didn’t make.
- Background audio playing from the microphone when you’re not on a call.
- Unusual “unknown source” apps showing up in Settings → Apps → All.

If two or more of these symptoms line up, you’re probably looking at more than a simple glitch.

### 3. Quick‑Start Detective Tools (Free & Open‑Source)

Grab these apps or desktop utilities before you start tearing your device apart. All of them are either free on the Play Store (Android) or available as a one‑click Mac/Windows download.

| Tool | Platform | What It Checks |
| --- | --- | --- |
| Aurora Store | Android | Downloads apps from F‑Droid, letting you compare installed packages versus official versions. |
| KomK | Android (ADB) | Lists all running services and shows hidden background processes. |
| Firefox Password Checker | Desktop | Scans exported Android backup for suspicious strings. |
| Malwarebytes Mobile | Android / iOS | Detects known stalkerware signatures. |
| iOS‑Detector | iOS (Mac) | Parses iTunes/iMazing backups for unknown launch agents. |

Below we’ll walk through an Android‑focused workflow (the majority of stalkerware targets Android), then a concise iOS version for Apple users.

### 4. Android Deep‑Dive: Step‑by‑Step Detection

- Backup before you tamper. Connect your phone to a PC, enable USB debugging, and run `adb backup -apk -shared -all -f backup.ab`. This gives you a snapshot you can restore if anything goes sideways.
- List every installed package.
  Open a terminal and run `adb shell pm list packages -f`. Scan the output for anything that looks out of place: packages with `.svc`, `.system.`, or a random mixture of letters (e.g., `com.xr7v7h`).
- Cross‑reference with Google Play. Paste each suspicious package name into the Play Store URL `https://play.google.com/store/apps/details?id=PACKAGE_NAME`. If the store returns “App not found,” you have a hidden or sideloaded app.
- Inspect background services. Run `adb shell dumpsys activity services | grep -i "service"`. Look for services that keep restarting or have cryptic names. Note the UID numbers; a UID > 10000 typically belongs to third‑party apps.
- Check app permissions. Use `adb shell pm dump PACKAGE_NAME | grep permission`. Anything requesting `READ_CALL_LOG`, `RECORD_AUDIO`, or `ACCESS_FINE_LOCATION` without a clear reason is suspect.
- Run Malwarebytes or an open‑source scanner. Let the app enumerate the installed list again; many stalkerware families (e.g., FlexiSPY, mSpy) have known signatures now.
- Delete the offending package. If you’ve identified `com.xr7v7h` as the culprit, run `adb uninstall com.xr7v7h`. If the package refuses to uninstall, you’ll need a factory reset (see Section 6).

### 5. iOS Quick‑Check (For the Apple‑Savvy)

- Make a backup via iTunes or Finder. This captures the entire file system without jailbreaking.
- Open the backup with iOS‑Detector. Run the script; it extracts the MobileInstallation.log and highlights any non‑Apple bundle identifiers.
- Spot unknown profiles. Navigate to Settings → General → VPN & Device Management. Any profile you don’t recognize—especially ones that say “Mobile Device Management”—should be removed.
- Monitor data usage. Go to Settings → Cellular and scroll to the bottom. If an app you never installed is listed, it might be a hidden daemon. iOS normally hides such apps, but they occasionally surface in the list.
- Run a reputable scanner.
  While iOS limits direct scanning, apps like Avira Mobile Security can detect configuration anomalies.
- Erase & Restore. If you find an unknown launch daemon, the most reliable fix is a full restore: Settings → General → Reset → Erase All Content and Settings, then restore from a clean backup (one made before the suspected infection).

### 6. Removing Stalkerware Without Wiping Everything

If you’ve identified a rogue package and the simple `adb uninstall` fails, try these escalation steps before resorting to a factory reset.

- Disable the app via the system UI. Settings → Apps → App name → Disable. This prevents it from running, buying you time.
- Revoke all permissions. Go to each permission category (Location, Microphone, etc.) and toggle off for the suspect app.
- Use Safe Mode. Power off, then hold the volume down button while booting (Android). In Safe Mode, third‑party apps can’t start, letting you uninstall them safely.
- Leverage a custom recovery (rooted only). Flash a stock recovery image, then use `adb shell rm -rf /data/app/com.xxxx` to delete the app folder directly. Warning: rooting or flashing can void warranties and expose you to further risk if done incorrectly.

### 7. Harden Your Phone – Prevent Future Glitches

- Lock down app installations. Disable “Install from unknown sources” (Android) and only allow App Store downloads (iOS).
- Enable two‑factor authentication (2FA) on your Apple ID/Google Account. This stops an attacker from swapping your backup or resetting passwords.
- Turn on Find My Device. If a phone is truly lost, you can remotely wipe it before someone can repurpose it.
- Use a privacy‑focused OS lock screen. Apps like CalyxOS (Android) limit background data collection by default.
- Regularly audit permissions. Every month, open Settings → Permissions and revoke anything you don’t need.
- Monitor battery & data stats. A sudden jump should trigger a deeper look—don’t ignore it.

### 8. Legal & Ethical Considerations

Stalkerware sits in a gray zone of law in many jurisdictions. In the U.S., many states treat unauthorized device access as a computer crime, while others lack clear statutes. If you suspect you’re being targeted:

- Document every anomalous event (screenshots, timestamps, battery logs).
- Contact local law enforcement and hand over the evidence. Many police departments now have cyber‑crime units familiar with these tools.
- If you’re a parent or employer, obtain explicit consent before installing monitoring software. Anything less could expose you to civil liability.

### 9. When to Seek Professional Help

Even a Glitch Investigator can miss a well‑obfuscated piece of malware. If you’ve run the above steps and:

- Data continues to leak (e.g., strange contacts showing up, unknown locations logged).
- You notice “jailbreak” or “root” indicators you didn’t initiate.
- Your device behaves erratically after removal attempts.

It’s time to consult a digital forensics specialist or a reputable security firm. Some organizations offer free consultations for victims of domestic abuse.

### Key Takeaways

- Stalkerware masquerades as system services; look for unusual background processes, unexplained battery drain, and spikes in data usage.
- Use free tools (ADB, Malwarebytes, KomK, iOS‑Detector) to enumerate installed packages and verify they belong to official app stores.
- Remove suspicious apps via uninstall, Safe Mode, or, as a last resort, a factory reset.
- Hardening steps—disabling unknown sources, regular permission audits, and enabling Find My Device—reduce the attack surface.
- Document everything and involve law enforcement if you suspect illicit surveillance.

### Stay on the Radar – Subscribe for More Glitch Hunting

If you found this guide useful, don’t let the next glitch catch you off‑guard. Subscribe to the Glitch in the System newsletter
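As an added example for the Android workflow in Section 4 (my code, not the post’s own and not part of any tool named above), here is a small Python triage script that parses the output of `adb shell pm list packages -f` and the permission lines from `pm dump PACKAGE_NAME | grep permission`. It skips packages that live on the read‑only system partitions and flags user‑installed packages whose names look machine‑generated (like `com.xr7v7h`) or imitate a system component (`.svc`, `.system.`), or that hold two or more of the sensitive permissions the guide lists (plus `READ_SMS` and `CAMERA`, my addition). The adb output embedded below is constructed, and the thresholds are illustrative rather than a detection signature: a flagged package is a lead for the Play Store cross‑check, not a verdict, because a legitimate messenger also holds microphone and camera permissions.

```python
"""Triage helper for the Android steps: parse `pm list packages -f` and
`pm dump ... | grep permission` output and flag packages worth a manual look.
Added example; the adb output below is constructed, not captured from a device."""
import re

# Permissions the guide calls out, plus READ_SMS and CAMERA (assumption: high-signal).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
}

# Partitions holding preinstalled apps; anything else (normally /data/app) was
# installed after the phone left the factory, by the owner or by someone else.
PREINSTALLED_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# Name segments that imitate platform components when used by a sideloaded app.
GENERIC_SYSTEM_WORDS = {"svc", "system", "service", "sync", "update", "core"}

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_package_list(text):
    """Turn `adb shell pm list packages -f` output into {package: apk_path}."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # The APK path itself can contain '=' (base64 padding), so split on the last one.
        path, _, name = line[len("package:"):].rpartition("=")
        packages[name] = path
    return packages


def looks_random(segment):
    """Heuristic for generated names such as 'xr7v7h': letters and digits mixed,
    or no vowels at all, in a segment of at least five characters."""
    if len(segment) < 5:
        return False
    digits = sum(c.isdigit() for c in segment)
    letters = sum(c.isalpha() for c in segment)
    vowels = sum(c in "aeiou" for c in segment.lower())
    return (digits >= 2 and letters >= 2) or vowels == 0


def parse_permissions(text):
    """From `pm dump PKG | grep permission` lines, return {permission: granted}.
    A permission under 'requested permissions' has no granted= field (recorded as
    None); a later install/runtime line with granted=true/false overrides it."""
    perms = {}
    for m in PERM_RE.finditer(text):
        name, granted = m.group(1), m.group(2)
        if granted is not None or name not in perms:
            perms[name] = None if granted is None else granted == "true"
    return perms


def triage(package_list_text, permission_dumps):
    """Return {package: [reasons]} for user-installed packages that deserve a look.
    permission_dumps maps a package name to its pm dump permission lines."""
    findings = {}
    for name, path in parse_package_list(package_list_text).items():
        if path.startswith(PREINSTALLED_PREFIXES):
            continue  # preinstalled; a renamed system app needs a different check
        reasons = []
        segments = name.split(".")
        if any(looks_random(s) for s in segments):
            reasons.append("random-looking package name")
        if any(s in GENERIC_SYSTEM_WORDS for s in segments):
            reasons.append("imitates a system component name")
        perms = parse_permissions(permission_dumps.get(name, ""))
        granted = sorted(p for p, g in perms.items() if p in SENSITIVE_PERMISSIONS and g)
        if len(granted) >= 2:
            short = ", ".join(p.rsplit(".", 1)[1] for p in granted)
            reasons.append("holds sensitive permissions: " + short)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample output, shaped like real `pm list packages -f` lines.
SAMPLE_PACKAGE_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~Qm5k==/com.whatsapp-aB3==/base.apk=com.whatsapp
package:/data/app/~~Zx9c==/com.xr7v7h-Kk2==/base.apk=com.xr7v7h
package:/data/app/~~Tt1a==/com.android.svc.sync-Rr4==/base.apk=com.android.svc.sync
"""

# Constructed `pm dump PKG | grep permission` excerpts for the sideloaded packages.
SAMPLE_PERMISSION_DUMPS = {
    "com.whatsapp": "    android.permission.CAMERA: granted=true\n"
                    "    android.permission.RECORD_AUDIO\n",
    "com.xr7v7h": "    android.permission.READ_CALL_LOG: granted=true\n"
                  "    android.permission.RECORD_AUDIO: granted=true\n"
                  "    android.permission.ACCESS_FINE_LOCATION: granted=true\n",
    "com.android.svc.sync": "    android.permission.ACCESS_FINE_LOCATION: granted=true\n"
                            "    android.permission.READ_SMS: granted=true\n",
}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PACKAGE_LIST, SAMPLE_PERMISSION_DUMPS).items():
        print(f"{pkg}: {'; '.join(reasons)}")
```

On a real device, save `adb shell pm list packages -f` to a file and feed it to `parse_package_list`, then collect `adb shell pm dump PKG | grep permission` for each user‑installed package into the dictionary `triage` expects; everything it flags still goes through the Play Store cross‑check in Section 4 before you uninstall anything.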


This article continues on our podcast...
