The Abuser in Your Pocket
How Stalkerware Threatens Women’s Privacy

(This article was written by Aaron Thomas)

With so much rapidly growing technology in our daily lives, people are becoming more and more reliant on their smartphones, whether it is to take pictures of their families, send text messages to their friends, or use it as a GPS to find a nearby restaurant. Our smartphones are the gateway to our personal lives, and it is extremely important for our devices to be safe against unnecessary intrusion by threat actors. That is precisely why smartphone companies have given the ability to use a passcode or password to log into the device. This gives the user extra protection with full disk encryption enabled with a passcode. We are always told not to hand over our passcodes or passwords to anyone, but the one exception that is so common is between couples. Both partners may want to share their passwords to give each other trust and transparency. In fact, a survey in 2023 showed that password sharing between couples is very common, with 81% of Americans saying that they have shared a password with their loved ones (ExpressVPN, 2023). While this is not a bad thing altogether, it could lead to severe consequences if the relationship turns out bad, leading to a breakup. Even if there were no breakups, some partners might become overly obsessive about whether or not their own partner is cheating on them. This is often seen in abusive relationships, especially towards women. The abuser may resort to adapting and abusing spying software on their partner’s device. This type of software is often referred to as stalkerware, which is a type of spyware that allows the abuser to see everything their victim is doing, from tracking their victims’ locations and allowing abusers to read their encrypted text messages, monitor phone calls, see photos, videos, their web history, and much more. It is being used all over the world to intimidate, harass, and harm victims and it is a favorite tool for stalkers and abusive spouses or ex-partners (Electronic Frontier Foundation, 2019). Although stalkerware companies such as mSpy and CocoSpy claim the use of their software is for parents to monitor children’s devices, this article argues that stalkerware helps domestic abusers spy on women without their permission. By confronting stalkerware, we can work towards a safer digital environment for all women and respect for their privacy in an increasingly interconnected world.

Your partner knows where you were last night even though you did not tell them? Were there specific conversations that you’ve had with friends or family, and does your partner know exactly what was said? How is that possible? It could be Stalkerware (Coalition Against Stalkerware, 2020).

Stalkerware, also known as Spouseware, is commercially available software used to spy on a victim’s device without their knowledge or consent. Stalkerware, like any type of spyware, is extremely invasive when deployed against a victim of domestic abuse. It can be deployed on both mobile operating systems like iOS and Android. Stalkerware can also be deployed on MacOS and Windows if the abuser knows the password or passcode to get into the device. Apple’s strict security policy is very effective at keeping iOS users safe. iOS simply does not let apps get deep enough into the system software to be able to secretly monitor what a person is doing to a compromised phone (Nield, 2020). Google will also remove apps from the Play Store if it finds evidence of stalkerware or spyware type of behavior. Google Play Protect can block stalkerware installation and remove installed stalkerware, but it may not protect against the newest versions of stalkerware (Parsons et[.]al, 2019). While it may be harder to deploy stalkerware on iOS, it is still possible with a jailbreak done to the device. This makes the device completely vulnerable, with all of its security stripped away. Women who are under this type of surveillance by their partners would often censor their own thoughts and would not be themselves online. Monitoring someone through their phone or computer is a form of violence and causes considerable fear for victims (Coalition Against Stalkerware, 2021). The scary part of having commercially available stalkerware is that the abuser does not need any technical expertise to deploy it on their victim. As Eva Galperin, the Electronic Frontier Foundation’s Director of cybersecurity, claims:

The stalker doesn’t have to be a skilled hacker; they just need easily accessible consumer spyware and an opportunity to install it on their target’s device. The people who end up with this software on their phones can become victims of physical abuse and physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge (Greenberg, 2019).

All abusers need to do is know their victim’s passcode or password to install the stalkerware on their device. Abusers can install stalkerware in a matter of seconds to minutes when a victim does not have their device. This sets a dangerous precedent for women who are in an abusive relationship and who are attempting to talk privately to family members or friends to safely escape the relationship. If stalkerware were installed on the victim’s device and the abuser saw them sending messages to family about attempting to leave the relationship, the abuser might escalate their abusive tactics leading to severe consequences. Abusers do not even need to use stalkerware apps to find and track their partners. Instead, abusers attempt to use apps that collect location data and ping it in real time, such as Life360 or Apple’s Find My Friends. Abusers will also attempt to set up profiles or Mobile Device Management on the victim’s phones to get copies of their text messages and call records. Victim’s emails may be sent to a forwarding address so that the abuser always gets a copy of what emails the victim receives. Abusers would even try to install stalkerware on their children’s devices in order to spy on what their spouse is doing. For example, Ali Nassar Abulaban, a popular TikToker, murdered his wife and a man after he listened to them through an app he had installed on his daughter’s iPad that allowed Abulanban to wiretap the nearby conversation (Cox, 2021).

This shows the real-world threat of stalkerware, software that is installed on victim devices to listen, track, or surveil them and others. But it also highlights the risk, more specifically of family monitoring apps, software that may be marketed more for keeping tabs on children but which can play a more sinister role in domestic violence.

This leaves a woman in this digital prison forever under the watch of the abuser. Women would often bring their phones to the police if they fear it has stalkerware, but there is no guarantee officers will be able to help. Many police departments lack the training and tech resources needed to find and detect stalkerware. (Hautala, 2020). It is difficult for investigators to find the apps on phones because it may require access to expensive software. The majority of domestic violence law enforcement officers may not even know what stalkerware is.

When it comes to situations of domestic abuse, the abuser is often blamed first on the victim’s digital harassment, but the tech company behind the product is equally as guilty as the abuser. The stalkerware provided to the abuser often markets itself as an easy way to spy on their partners or even a way for parents to monitor their children (Electronic Frontier Foundation, 2021). These stalkerware companies even compare their own software to those of their competitors to get more users. This sick form of advertising gives abusers options to choose regarding what stalkerware suits their needs the best. Stalkerware companies even like to set up YouTube tutorial videos on how to deploy their stalkerware on a victim’s device. mSpy, a very popular type of stalkerware in the United States, markets itself as a way for parents to monitor children. mSpy, like most stalkerware, collects keystrokes and location data in real time, listens to phone calls, reads text messages, and spies on social media activity. mSpy even compares itself to its other popular competitor, Cocospy. As mSpy says in their FAQ:

Cocospy and mSpy are both mobile monitoring apps with similar features like Call Monitoring, real time location, and tracking Website history. mSpy provides features such as Keywords Alert, which means if the user enters ‘dangerous’ words, you’ll get alerted. Additionally, mSpy includes support for different types of encrypted messaging apps such as Line, Telegram, Skype, Facebook Messenger, and even Tinder, unlike the competitor, Cocospy. The best type of monitoring app for you will depend on your specific needs (mSpy). Stalkerware companies like mSpy even buy ads on social media platforms or just showcase their software on their website to abusers to catch their cheating partner. The companies attempt to appeal to the abuser to use their spyware by using targeted advertising.

 

This move by tech companies like Xnspy and mSpy makes the job of the abuser much easier and more user-friendly. What abusers do not realize when deploying stalkerware on their victims is that they are not the only ones seeing this personal and sensitive data. The majority of these stalkerware companies have easy access to the same data the abuser is seeing on their end. This leaves the victim being spied on by both the abuser and the stalkerware company collecting their sensitive data. On top of all of this, stalkerware companies do not do a good job of protecting the data they have collected, and it often gets leaked. According to TechCrunch, there have been at least 21 stalkerware companies since 2017 that are known to have been hacked, have leaked customer and victims’ data online, and four stalkerware companies were hacked multiple times (Bicchieral, 2024). Stalkerware companies also have a horrible security response to patching critical vulnerabilities. Some of these companies even ignore it when white hat hackers and security researchers express major concern about the exploit. This leads to the company’s data being breached by threat actors, leaving the women’s own private data to be completely compromised and stolen. By utilizing stalkerware, the abuser now puts the victim in more danger of data breaches and having their information in the hands of rogue employees and threat actors. Domestic violence victims’ personal text messages, emails, location data, and social media activities are now publicly viewable by anyone.

While it may seem that a victim is defenseless against surveillance when stalkerware is installed on their device, they can take steps to prevent and remove it by installing anti-virus software and changing their device passwords. Although stalkerware tries to hide itself on the victim’s device, the spyware could give itself away with a few symptoms. If women find that their phone’s battery is draining rapidly and has massive data usage, it could be a sign that stalkerware exists on their devices. Another sign could be constant apps crashing and the phone becoming very hot. Women can also restart their phones, which would eliminate nonpersistent stalkerware from their devices. This will not work with all types of stalkerware, but it could temporarily disable the more advanced spyware. iPhones and iPads running iOS 18 or above perform an automatic restart when the phone is locked for more than three days. After an iPhone is rebooted, it goes into an “at rest” state, also known as Before First Unlock mode, which no longer stores encryption keys in memory. This makes the disk fully encrypted, making it much more resistant to hacking attempts (Gatlan, 2024). For iOS 16 and above, Apple introduced the Safety Check feature to help individuals facing domestic abuse have control over their personal information and privacy. Safety Check allows users to review and reset permissions for those who have access to their location data, passwords, messages, and other apps. When Safety Check is enabled, iCloud access is removed from every device except your handset, privacy permissions are reset, and both FaceTime and messaging services are limited to just one device connected to an iCloud account (Osborne, 2022). This is an excellent move by Apple to help increase users’ security from both malware, such as stalkerware, and physical access.

Women can also perform a factory reset on their device to help remove more persistent stalkerware, but everything on the device will be lost. If victims use anti-virus software, the stalkerware can be detected and removed from the device. This can eliminate the invasive intrusion by the stalkerware, which relays all the victim’s personal information to the abuser. While it is good that most anti-virus software can detect and remove stalkerware, most of these stalkerware programs often alert the abuser that the spyware has been removed from their target’s device. This may cause an increase in abuse. That is why anti-virus companies such as Kaspersky have warned about removing stalkerware without having a safe plan in place. As Kaspersky states:

Kaspersky has now updated its Privacy Alert to victims if stalkerware is found on their devices so that they will now be notified if an abuser will notice if the software is removed. If the stalkerware is deleted, it erases proof that stalkerware has been installed, and if an abuser loses control over a device, the situation might escalate badly for the victim (Kaspersky, 2023).

This is extremely important to consider when attempting to prove the victim has been under such surveillance, whether it be by law enforcement or a trusted family member. Kaspersky has also released a tool called “TinyCheck” that scans a victim’s device’s outgoing traffic by using a Wi-Fi connection, and it looks for any signs of stalkerware. The device is configured to mediate between the router and the connected Wi-Fi router gadget. This enables TinyCheck to capture network traffic and instantly analyze it. If your smartphone sends a lot of data to known stalker or spyware servers, TinyCheck will detect it (Coalition Against Stalkerware, 2022). It doesn’t require installation on a user’s device because it works separately, such as on a Raspberry Pi, to avoid being detected by a stalker (Kaspersky, 2022). This is a great tool to detect and scan for signs of stalkerware present on a device without removing the stalkerware which notifies the abuser. This report can be brought as evidence if the victim wants to bring charges against the abuser. When determining women’s safety level, it is important to remember that everything the victim does on their compromised device can be recorded and watched by an abusive partner (Ruiz, 2019). Women must also change their passwords to their devices and enable two-factor authentication when possible, which would lock out their abuser from getting in. If the device is too compromised to retrieve, women must try to replace their phone with a new phone if possible. Web browsers, such as Brave browser, allow for an “Off The Record” to help people who need to hide their browsing behavior from others, such as an abuser who may have access to their computer or phone. This move by Brave allows victims to browse the web for resources and get help in domestic abuse situations.

Brave Browser’s attention to detail with OTR Mode—users can more easily choose which websites are recorded in their browsing history—is an important privacy innovation that can protect users in ‘attacker you know’ situations or anyone who wants more control over what their Browser remembers and what it doesn’t. This feature empowers people who browse the web—all of us—and gives us more agency over content consumption (Brave, 2023).

Stalkerware still represents a significant threat to women’s privacy and safety, as it enables invasive surveillance and control by abusers. The rapid increase of using this malicious software highlights the urgent need for increased awareness, education, and legal protections to safeguard personal privacy. Stalkerware should be illegal for spying on victims, and abusers should be charged under the Computer Fraud and Abuse Act for installing malicious software on someone’s device without permission. The Computer Fraud and Abuse Act of 1986 prohibits accessing a protected computer or device without authorization. Stalkerware is typically installed on a target’s device without their knowledge or consent, which constitutes unauthorized access. Additionally, the use of stalkerware can violate federal wiretapping laws and state recording laws such as the Electronic Communications Privacy Act. In New York, Jackie’s Law makes stalking by GPS illegal. Jackie’s Law updates New York State’s stalking law to allow law enforcement to pursue criminal charges against individuals who use GPS or other electronic tracking devices to stalk their victims, even if the victim does not press charges (Kennedy, 2014). This legislation closes a loophole in the law, enabling authorities to take action against abusers who use stalkerware or similar technology to track and intimidate their victims. In 2022, the Safe Connections Act was signed into law, which makes it easier for survivors of domestic violence to separate their phone line from a family plan while keeping their own phone number and requires the FCC to create safeguards to protect the privacy of the victims seeking this protection (McKinney, 2022). The Federal Trade Commission has even banned several stalkerware companies like Support King and SpyFone from operating in the United States due to the app secretly “harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack” (Federal Trade Commission, 2021).

The law must keep up in holding stalkerware companies and abusers accountable for using stalkerware. Women must be empowered with the knowledge and tools to recognize and fight stalkerware, such as using strong passwords, anti-virus software, and more. As technology continues to evolve, it is important that society collectively addresses the challenges posed by stalkerware. Together as a society, we can spread awareness and put an end to stalkerware prying on women’s private lives once and for all.

You are never alone in this fight. You can always get help.

Operation Safe Escape Hotline: 1-800-997-SAFE (7233)

Official Website of the Coalition Against Stalkerware: stopstalkerware.org

References:

Brave Software. (2023, May 24). Request “off the record.” Brave. https://brave.com/privacy-updates/26-request-off-the-record/

Coalition Against Stalkerware. (2022, March 22). The coalition against stalkerware welcomes the inclusion of cyberstalking and cyber-harassment in the new European Commission’s proposal on combating violence against women and domestic violence. Coalition Against Stalkerware. https://stopstalkerware.org/2022/03/22/the-coalition-against-stalkerware-welcomes-the-inclusion-of-cyberstalking-and-cyber-harassment-in-the-new-european-commissions-proposal-on-combating-violence-against-women-and-domestic-violen/

Coalition Against Stalkerware. (2020, May 22). What is Stalkerware? YouTube. https://www.youtube.com/watch?v=zLtfoCw16Z0

Cox, J. (2021, October 28). Alleged Tiktok “Skyrim Irl” murders shows the real danger of Stalkerware. VICE. https://www.vice.com/en/article/jinkidd-skyrim-irl-murders-app-stalkerware/

Electronic Frontier Foundation. (2019, November 19). EFF, anti-virus companies, and human rights groups launch coalition to combat stalkerware. Electronic Frontier Foundation. https://www.eff.org/press/releases/eff-antivirus-companies-and-human-rights-groups-launch-coalition-combat-stalkerware

Electronic Frontier Foundation. (2021, May 28). EFF at home: Fighting stalkerware. https://www.eff.org/event/eff-home-fighting-stalkerware

ExpressVPN. (2023, February 1). Survey: 81% in the U.S. tell partners their passwords. ExpressVPN Blog. https://www.expressvpn.com/blog/u-s-survey-81-have-shared-passwords-with-romantic-partners/

FTC bans SpyFone and CEO from Surveillance Business and Orders Company to delete all secretly stolen data. Federal Trade Commission. (2021, September 1). https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-bans-spyfone-ceo-surveillance-business-orders-company-delete-all-secretly-stolen-data

Franceschi-Bicchierai, L. (2024, July 25). Hacked, leaked, exposed: Why you should never use stalkerware apps. TechCrunch. https://techcrunch.com/2024/07/25/hacked-leaked-exposed-why-you-should-stop-using-stalkerware-apps/

Gatlan, S. (2024, November 12). iPhones now auto-restart to block access to encrypted data after Long Idle Times. BleepingComputer. https://www.bleepingcomputer.com/news/security/iphones-now-auto-restart-to-block-access-to-encrypted-data-after-long-idle-times/

Greenberg, A. (2019, April 3). Hacker Eva Galperin has a plan to eradicate stalkerware. Wired. https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/

Hautala, L. (2020, June 5). Stalkerware sees all, and U.S. laws haven’t stopped its spread. CNET. https://www.cnet.com/news/privacy/stalkerware-sees-all-and-us-laws-havent-stopped-its-spread/

Interpol supporting coalition against Stalkerware to fight tech-enabled abuse: Coalition against stalkerware (EN). Coalition Against Stalkerware. (2021, April 23). https://stopstalkerware.org/2021/04/23/interpol-supporting-coalition-against-stalkerware-to-fight-tech-enabled-abuse/

Kaspersky. (2022). About Tinycheck. https://tiny-check.com/#/

Kaspersky. (2023, March 8). Digital violence through stalkerware showing little sign of slowing according to new Kaspersky Report. https://www.kaspersky.com/about/press-releases/digital-violence-through-stalkerware-showing-little-sign-of-slowing-according-to-new-kaspersky-report

Kaspersky. (2024, November 22). Kaspersky partners with psychologists, surveillance survivors in anti-stalking awareness initiative. https://www.kaspersky.com/about/press-releases/kaspersky-partners-with-psychologists-surveillance-survivors-in-anti-stalking-awareness-initiative

Kennedy, T. M. (2014, July 23). Governor Cuomo signs Jackie’s law, authored by Senator Kennedy and Assemblywoman peoples-stokes, to crack down on GPS stalking and domestic violence. NYSenate.gov. https://www.nysenate.gov/newsroom/press-releases/2014/timothy-m-kennedy/governor-cuomo-signs-jackies-law-authored-senator

mSpy. (n.d.). Cocospy vs. mSpy: Are Cocospy and mSpy the same thing? The Battle of the Best. https://www.mspy.com/cocospy.html

McKinney, I. (2022, December 8). Victory! The Safe Connections Act is now law. Electronic Frontier Foundation. https://www.eff.org/deeplinks/2022/12/victory-safe-connections-act-now-law

Nield, D. (2020, July 19). How to check your devices for Stalkerware. Wired. https://www.wired.com/story/how-to-check-for-stalkerware/

Osborne, C. (2022, June 7). Apple’s safety check combats domestic abuse, but timing its use is critical. ZDNET. https://www.zdnet.com/article/apples-safety-check-combats-domestic-abuse-but-timing-its-use-is-critical/

Parsons, C., Molnar, A., Dalek, J., Knockel, J., Kenyon, M., Haselton, B., Khoo, C., & Deibert, R. (2019, June 12). The predator in your pocket: A multidisciplinary assessment of the stalkerware application industry. The Citizen Lab. https://citizenlab.ca/docs/stalkerware-holistic.pdf

Ruiz, D. (2019, June 30). Helping survivors of domestic abuse: What to do when you find stalkerware. Malwarebytes Labs. https://www.malwarebytes.com/blog/stalkerware/2019/07/helping-survivors-of-domestic-abuse-what-to-do-when-you-find-stalkerware

Visit Tinycheck’s Brand New Page – a free, open-source tool for detecting stalkerware on your mobile device: Coalition Against Stalkerware. (2022, June 28). https://stopstalkerware.org/2022/06/28/visit-tinychecks-brand-new-page-a-free-open-source-tool-for-detecting-stalkerware-on-your-mobile-device/