How a phone gets turned into a listening device — and why most of us would never know

Synexmedia.com | The Media Glen

Your phone knows where you slept last night. It knows who you texted at 2 a.m. and what you said. It knows your banking password, your medical searches, the name of the person you've been afraid to call. It knows all of this because it was built to know it — every sensor, every log, every notification queued up and timestamped like a court record.

Now imagine someone else has access to all of that.

Not a hacker in some far-away basement running obscure exploit code. Someone closer. Someone who has held your phone before, knows your passcode, and had fifteen minutes alone with the thing while you were in the shower. That's the scenario that stalkerware was designed for. And it works — not because of some exotic technical sorcery, but because your phone's own legitimate features make it almost embarrassingly easy.

This is not a story about the people who do this. It's about how it gets done, why the technology cooperates so willingly, and whether the same tricks still work today. They mostly do. That's the part that should keep you up at night.

GETTING IN: THE FIFTEEN-MINUTE WINDOW

The first thing to understand about stalkerware is that it isn't delivered by clicking a bad link. It can't infect your phone from across a room. It needs hands. Specifically, it needs your phone, unlocked, in someone else's hands, for roughly five to fifteen minutes. That limitation sounds like a significant barrier right up until you remember that most victims of intimate partner surveillance live with, or regularly encounter, the person doing the surveilling.

On Android phones, the process starts by switching off a safeguard that Google built in. By default, Android only allows apps downloaded from the official Google Play Store. Somewhere in the Settings menu, under a heading that changes name depending on which phone manufacturer made the device, there is a toggle labelled something like "Install unknown apps" or "Install from unknown sources." Turning it on takes about ten seconds.

Then the person with your phone opens a web browser, visits the stalkerware vendor's website, and downloads a file ending in .apk — Android's equivalent of an .exe installer. They tap it. Android shows a permission screen. They accept. The app installs.

That's the mechanical reality of it. No vulnerability exploited. No special knowledge required. The operating system was designed to allow this, and it does.

THE PERMISSIONS GAME

Here's where it gets more interesting. An installed app on Android can't reach your data or sensors without permissions: access to your camera, your microphone, your location, your messages. These are supposed to be granted by the user, consciously, after being asked.

Stalkerware asks for them anyway. And because the person installing it is the one holding the phone, they grant everything the app requests. Location. Contacts. SMS. Phone calls. Storage. Camera. Microphone.

But permissions alone don't explain the full range of what these apps can see. The most important technical component isn't a permission at all. It's a feature called Accessibility Service.

Accessibility Service was designed for people with visual impairments or motor difficulties. It allows apps to read the contents of the screen out loud, simulate touches and gestures, and monitor what's happening across the entire device. It was built to be powerful. That power turns out to be equally useful for surveillance.

A stalkerware app granted Accessibility Service access can read the text inside every app you open. WhatsApp. Signal. Banking apps. Your keyboard. Every character you type triggers what's called a TYPE_VIEW_TEXT_CHANGED event, and that event contains the full text and the name of the app where you typed it. Keystroke logging, the kind of thing that used to require specialised spy hardware, comes free with a single accessibility toggle.

Silent screenshots are also available through the same channel. Android 11 introduced a function called takeScreenshot() inside Accessibility Service. There is no notification. No sound. No indicator that it fired. Research published in 2026 demonstrated a working proof-of-concept that granted itself full accessibility permissions in 2.4 seconds by silently auto-clicking the "Allow" button on every permission dialogue before a person could read it.

Android 13 introduced a "restricted settings" feature specifically meant to block sideloaded apps from enabling accessibility. Independent security analysis found it was trivially bypassed.

DISAPPEARING INTO THE BACKGROUND

An app you can see is an app you can delete. Stalkerware knows this.

After installation, the abuser typically follows the vendor's setup instructions — which are usually detailed and clearly written, because these companies have paying customers and want them to succeed. One common step is to disable Google Play Protect, which is Android's built-in security scanner. Play Protect runs automatically and might flag the app. Turning it off is a two-tap process in the Play Store settings.

Then comes the icon. Android allows an app to remove itself from the launcher, the screen where your apps live, by disabling its own entry in the system. A stalkerware app does this after setup is complete. The app is still running. It still has permissions. It still has network access. But it no longer appears anywhere a normal user would look.

Many apps rename their background processes to sound like something you'd expect to find. "System Service." "Wi-Fi." "Accessibility." A person poking around in Settings, looking for something unusual, sees a name that sounds like part of the phone's own infrastructure, and keeps scrolling.

WHAT IT SENDS BACK

Once installed, hidden, and running, the app begins its actual job. GPS coordinates go to a server the abuser can log into from any web browser. The interval varies — some apps report location every minute, some every five. A 2025 analysis of 8,422 apps found that 90.66% of those classified as stalkerware included GPS tracking.

SMS and MMS messages are captured and uploaded in real time. Call logs include the number, duration, and direction of every call. Some apps record calls directly, or activate the microphone to capture ambient sound from the room.

Browser history. Photos. Clipboard contents, meaning anything you copy and paste, including passwords copied out of a password manager. The contacts list. Calendar entries. Wi-Fi network names, which reveal where you've been even when GPS is disabled.

WhatsApp's encryption does not protect messages against this kind of attack, because the attack reads the text off the screen after WhatsApp has already decrypted it. Signal is exposed in the same way when read through Accessibility Service; the only difference is that Signal uses a system flag to prevent screenshots, which blocks screen-capture tools but does nothing against the accessibility tree. The research community has been aware of this gap for years.

THE iPHONE PROBLEM

iPhones are harder. iOS runs on a closed architecture with no sideloading, strict limits on background app activity, and nothing equivalent to Android's Accessibility Service. Until regulatory changes forced Apple's hand in the European Union, that design made traditional stalkerware installation far more difficult than on Android.

But there's a different attack that doesn't require touching the phone at all.

An iPhone regularly backs up its contents to iCloud. Messages. Photos. Call history. Notes. Health data. If someone knows your Apple ID and password, and in many abusive relationships one partner knows the other's login credentials, they can access those backups from any web browser, or through one of the many stalkerware apps that offer an iCloud monitoring mode.

No installation. No physical access. No trace on the phone itself.

This is why the conventional image of stalkerware misses a large portion of actual practice. Someone sneaking an app onto a device is only one scenario. The more common reality involves shared accounts, known passwords, and location sharing through legitimate Apple features that the victim may not realise is still active.

For those who want something closer to full monitoring on an unmodified iPhone, there is a second method. Mobile Device Management, or MDM, is a system Apple built for businesses to remotely manage corporate devices. It allows an organisation to push configuration profiles to a phone, install apps, and set restrictions. In the wrong hands, a malicious MDM profile can be enrolled on someone's phone by someone with physical access who walks them through the setup process or does it while the victim isn't watching.

The phone, once enrolled, will show the MDM profile in Settings under General. It's visible. But most people have no idea what an MDM profile is, never look there, and wouldn't necessarily recognise one as unusual if they did find it.

WHAT'S CHANGED — AND WHAT HASN'T

Google banned stalkerware from the Play Store effective October 1, 2020. It also banned advertising for stalkerware products through Google Ads, effective August 11, 2020. The ads ban turned out to be enforced inconsistently — researchers found prohibited ads still appearing years later.

The Play Store ban pushed stalkerware to the sideloaded web. This made distribution marginally harder, but the websites selling these apps have remained operational. The vendors have generally reframed their marketing language to emphasise parental monitoring, employee oversight, and family safety — while the technical capabilities of the products remain unchanged.

Android 12 introduced a green indicator dot in the status bar when the camera or microphone is actively in use. This is a genuine improvement. An app that activates the camera while the screen is on will be visible. Whether it deters or merely changes behaviour is a different question.

Android 13's restricted settings, intended to block sideloaded apps from requesting Accessibility Service, were found to be bypassable in 2026 research. The bypass requires no special privilege.

Apple introduced a feature called Safety Check in iOS 16, released in 2022. It allows users to review what they've shared with others, revoke access to location sharing, and reset privacy permissions across the device. For someone who suspects their iPhone is being monitored through shared account access or location sharing, Safety Check is genuinely useful. For someone with an MDM profile enrolled without their knowledge, it will not help.

HOW WELL DOES ANTIVIRUS CATCH IT?

In November 2025, AV-Comparatives and the Electronic Frontier Foundation published the results of an independent stalkerware detection test. Thirteen security products were tested against seventeen stalkerware apps on a Samsung Galaxy A36 running Android 15.

Google Play Protect is the security scanner built into every Android device. It runs by default. Anyone who hasn't installed additional security software is relying on it. In the 2025 test, it detected nine of the seventeen apps. That's 53%. The worst performance of any product tested.

Malwarebytes detected all seventeen. Bitdefender, ESET, Kaspersky, and McAfee each detected sixteen. Avast, Avira, and F-Secure each detected fifteen.

The gap between the built-in tool and third-party options is significant. It means that a person running no additional security software on their Android phone, trusting Google's own scanner to alert them to problems, is operating with roughly a coin-flip chance of detection for each piece of stalkerware installed.

One additional finding is worth attention. The test noted that Kaspersky was the only vendor whose product warned users that removing stalkerware could alert the person who installed it. Every other product either silently removed the app or prompted immediate deletion without context.

WHY THAT WARNING MATTERS MORE THAN THE DETECTION

The instinct, on finding that your phone has been compromised, is to get rid of it immediately. Delete the app. Factory reset the device. Take back control.

Security researchers, domestic violence advocates, and law enforcement specialists have all converged on the same position: that instinct can be dangerous.

An abuser who installed stalkerware is monitoring the device because they want real-time access to the victim's location, communications, and behaviour. When that access disappears, when the data stream cuts off, the person watching the dashboard knows something changed. They may assume, correctly, that the surveillance was discovered. The response to that discovery, in relationships where monitoring is already occurring, carries a documented risk of physical escalation.

Kaspersky developed a tool called TinyCheck precisely to address this problem. It runs on a separate Raspberry Pi device — a small, inexpensive computer about the size of a credit card. The TinyCheck device connects to the same Wi-Fi network as the suspected phone and analyses outgoing traffic patterns. It can detect the data transmissions characteristic of stalkerware without installing anything on the phone, touching the phone's settings, or triggering any alert inside the app.

The approach is slower. It doesn't identify specific apps by name. But it leaves no footprint on the device being checked, which means the person doing the checking can gather information without signalling that they've found anything.
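A network-side check can start from timing alone, since the apps described earlier report at fixed intervals. The sketch below is an added example, not TinyCheck's code or its detection logic: it flags destinations a phone contacts at near-constant intervals, and the flow records, hostnames and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def periodic_destinations(flows, min_events=5, max_jitter=0.15):
    """Return {destination: mean interval in seconds} for regular talkers.

    flows: iterable of (epoch_seconds, destination) seen leaving the phone.
    max_jitter is the allowed ratio of interval spread to mean interval.
    """
    seen = defaultdict(list)
    for timestamp, destination in flows:
        seen[destination].append(timestamp)
    flagged = {}
    for destination, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few connections to call anything a pattern
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            flagged[destination] = round(average)
    return flagged

# Constructed capture: hostnames use the reserved .example TLD.
SAMPLE_FLOWS = (
    [(t, "upload.tracker.example") for t in (0, 61, 119, 180, 242, 300, 359, 420)]
    + [(t, "cdn.news.example") for t in (5, 40, 300, 310, 900, 905)]
    + [(t, "time.example") for t in (10, 400)]
)

if __name__ == "__main__":
    # Push and keep-alive services are also regular, so a hit is a lead, not a verdict.
    for host, interval in periodic_destinations(SAMPLE_FLOWS).items():
        print(f"{host}: about every {interval}s")
```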

CAN IT STILL BE DONE TODAY?

Yes. The core method has not fundamentally changed since roughly 2015. Physical access to an unlocked Android phone, fifteen minutes, a download, a series of permissions, an accessibility toggle, and the icon disappears. The data begins flowing. The monitoring begins.

Android updates have added friction. The green indicator light is a real disclosure mechanism. Restricted settings are a genuine attempt at a barrier, even if that barrier has been shown to fail. Google's Play Protect has improved, even if its 53% detection rate in 2025 reflects a significant gap between effort and result.

iOS remains resistant to traditional installation-based stalkerware, but the iCloud credential vector requires no installation at all. It requires only a known password and a logged-in web browser.

The stalkerware market has not contracted. Detection figures from Kaspersky show a decline between 2019 and 2022, a plateau, and then a modest increase in 2023. A 2024 Kaspersky-commissioned survey of 21,000 people across 21 countries found that the percentage of respondents who believed monitoring a partner without their knowledge was never acceptable dropped from 70% in 2021 to 54% in 2024. The normalisation question is probably as significant as the technical one.

WHAT YOU CAN CHECK RIGHT NOW

On Android, three places are worth examining. The first is Settings → Accessibility: look for any app in the list that you don't recognise or didn't intentionally grant access. The second is Settings → Security → Device Admin Apps, where you should see only Google's "Find My Device" feature under normal circumstances. The third is your notification access settings, because stalkerware sometimes uses that route to read messages from apps it couldn't otherwise access.

Also check whether "Install from unknown sources" is enabled. On most devices this lives under Settings → Apps, then the three-dot menu. If it's on and you didn't turn it on, that's worth investigating.
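The same Android checks can be made from a computer, where a deceptive app label matters less than the package name and where the app was installed from. This is an added example, not part of the original article: it parses output captured with `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3 -i`, and changes nothing on the phone. The sample values and the store-installer list are constructed assumptions.

```python
import re

# Installer package names treated as an app store (assumption; extend per device vendor).
STORE_INSTALLERS = {"com.android.vending"}

def components(setting_value):
    """Split a `settings get secure ...` value ("pkg/cls:pkg/cls") into package names."""
    value = (setting_value or "").strip()
    if value in ("", "null"):  # `settings get` prints "null" when nothing is enabled
        return []
    return [item.split("/", 1)[0] for item in value.split(":") if item]

def installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` (user-installed apps only)."""
    found = {}
    for line in pm_output.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            found[match.group(1)] = match.group(2)
    return found

def triage(accessibility, listeners, pm_output):
    """List user-installed packages that hold accessibility or notification access."""
    roles = {}
    for role, value in (("accessibility", accessibility),
                        ("notification_listener", listeners)):
        for pkg in components(value):
            roles.setdefault(pkg, []).append(role)
    user_installed = installers(pm_output)
    findings = []
    for pkg in sorted(roles):
        if pkg not in user_installed:
            continue  # preinstalled component: compare with a known-good baseline instead
        source = user_installed[pkg]
        # Not installed by a store: the sideloading path described in the article.
        priority = "review" if source in STORE_INSTALLERS else "high"
        findings.append({"package": pkg, "roles": roles[pkg],
                         "installer": source, "priority": priority})
    return findings

# Constructed sample values; com.wifi.sysservice and com.example.reader are made-up packages.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.wifi.sysservice/.CoreService:"
                        "com.example.reader/.ReadAloudService")
SAMPLE_LISTENERS = "com.wifi.sysservice/.NotifyService"
SAMPLE_PM = """package:com.whatsapp  installer=com.android.vending
package:com.example.reader  installer=com.android.vending
package:com.wifi.sysservice  installer=null
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS, SAMPLE_PM):
        print(finding)
```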

On iPhone, check Settings → General → VPN & Device Management for any profiles you don't recognise. Review Settings → Privacy & Security → Location Services for apps that have permanent location access you didn't consciously grant. Run Safety Check. It lives in Settings → Privacy & Security and walks through every form of shared access on the device.

If you find something, don't delete it yet. Contact a domestic violence support line first. In Canada, crisis lines vary by province; the ShelterSafe directory at sheltersafe.ca lists local resources across the country. The people there have dealt with this before. They know what questions to ask and what the removal of surveillance can trigger.

THE PART TECHNOLOGY CAN'T FIX

Stalkerware works because it exploits something that isn't a software vulnerability at all. It exploits proximity, trust, and the physical reality that most people don't lock their phones around the people they love. The fifteen-minute window exists because relationships contain fifteen-minute windows. Shared iCloud credentials exist because couples share passwords. MDM profiles get enrolled because one person trusts another enough to hand over the phone.

Technical countermeasures matter. Better antivirus detection matters. Platform policy changes matter. But the reason these apps have been installed on tens of thousands of devices is not a technical reason. Researchers estimate close to one million victims annually worldwide. The reason is social.

The phone didn't build the relationship. It just kept the records.

The AV-Comparatives/EFF Stalkerware Detection Test 2025 is publicly available. TinyCheck is open-source and hosted on Kaspersky's GitHub repository. The Coalition Against Stalkerware maintains a resource page at stopstalkerware.org with guidance for victims, advocates, and technology professionals.

Synexmedia.com | The Media Glen Publishing | Cumberland Bay, New Brunswick