How to Check Your Devices for Stalkerware

How to Check Your Devices for Stalkerware

Whether it’s a prying boss or a paranoid partner, no one should snoop on your phone or laptop. But that’s exactly what can happen if stalkerware somehow gets installed on your devices. These software tools are designed to be hidden and difficult to detect, but you can find them if you know how.

There’s a wide range of scenarios here, from friends playing pranks to partners being abusive. If you’re in a relationship where you feel trapped and afraid, help is available from the National Domestic Violence Hotline, the Coalition Against Stalkerware, and many other places—please reach out.

Dealing with programs planted on company-owned devices by your employer is a little different than someone you know personally trying to spy on you. The company you work for may have what it sees as valid reasons to keep tabs on how productive you are, especially if it provides the hardware and software you use every day.

Regardless of whether that kind of monitoring is justified, at the very least your bosses should be telling you they’re watching rather than keeping it a secret from you. Plus, with company-owned phones and laptops, it’s always safer to assume you are being monitored.

This guide focuses on software designed to be hidden—but remember there are plenty of legitimate parental control apps and built-in tracking tools (like Apple’s Find My) that can be used by people in your family or by people who set up your devices. The difference is that it should be obvious if these types of apps are running, but you should still be aware of them and how they can be used.

How to Check Your Phone

The good news for iPhone users is that it’s virtually impossible to install stalkerware on an iPhone: Apple’s locked-down approach to apps and app security isn’t always user-friendly, but it’s very effective at keeping you safe. iOS simply doesn’t let apps get deep enough into the system software to be able to secretly monitor what you’re doing on your phone.

There’s one exception to this, and that’s if your iPhone is jailbroken (unlocked so that any apps can be installed). Considering how difficult this is to do nowadays, we’re assuming that isn’t the case—someone else would need to be tech-savvy and borrow your phone for an extended period of time to jailbreak it. The easiest way to check is to look for apps called Cydia and SBSettings on the home screen.

Reduced battery life is one sign that your phone has been compromised.

Screenshot: David Nield via Apple

If you do find yourself with a jailbroken iPhone, a full factory reset should fix it (and wipe everything else, so make sure your important stuff is backed up somewhere). This is best done through a connected Mac or Windows computer, and Apple has a full guide to the process that you can work through here.

Getting sneaky surveillance apps onto Android devices is somewhat easier, though officially speaking they’re not allowed: Google will remove apps from the Play Store if it finds evidence of stalkerware-like behavior. Apps do slip through the net, but someone will need to access your phone (or have to have set up your phone initially) to install one. That’s actually one of the most telling warning signs to look out for: If you set up your own Android phone and no one else has ever had it for more than a few seconds, it should be stalkerware free.

If your phone has been compromised, you might notice it gets hot or the battery drains quickly while you’re not using it. You might also see notifications that you’re not expecting, or shutdown or startup times that are longer than they should be. It’s not an exact science—stalking apps are designed to be hard to spot—but any sort of unusual phone behavior could be telling.

Check the apps list to look for anything suspicious.

Screenshot: David Nield via Google

Monitoring apps will very often hide their app icons but they might show up in the main apps list, albeit under an innocuous, alternative name: From Settings on Android, tap Apps and notifications then See all apps to check. Stalkerware can also be tucked away in the actual Settings menu in Android (often in sections related to security)—look for menu items that don’t look right, or that you haven’t noticed before, or that don’t match the official documentation.

For extra peace of mind, you can enlist the help of a third-party tool: Incognito, Certo, and Kaspersky Antivirus are three phone-scanning apps that come well recommended by their users, and they should tell you if you have anything to worry about. It’s encouraging to note that the issue of secret surveillance apps is now more high profile than ever, and both Google and Apple take a very dim view of any app that attempts anything of the sort.

How to Check Your Computer

Most of the same stalkerware-spotting principles for Android and iOS apply for Windows and macOS too. Someone else needs access to your computer for a start, or to trick you into installing something yourself—not difficult for an IT manager who is supplying you with a work laptop, but a bit trickier for someone in your household. As always, keep your laptop or desktop well protected with your own user account and a password, and pay attention to its physical security, like who has access to it and when.

Both Microsoft and Apple are very conscious of the stalkerware problem, and Windows and macOS will detect and block some hidden tools without any extra help. As with any other kind of malware, stalkerware can usually be spotted by a third-party security suite: We don’t have room for a full guide here, but the likes of Norton, Bitdefender and Malwarebytes have both Windows and Mac options.

Task Manager shows what’s running and what starts up with Windows.

Screenshot: David Nield via Microsoft

If you want to do some of your own sleuthing, open up Task Manager in Windows (search for it in the taskbar search box) or Activity Monitor in macOS (search for it in Spotlight via Cmd+Space) to see everything running on your computer. Bear in mind that spyware won’t typically list itself under its real name, and may well try and pass itself off as a system app or use a short name that you’re likely to overlook.

Check through all the tabs that come up in the dialog on screen. Should you see anything that you don’t recognize, or anything that doesn’t match up to the programs you know you have installed, or that just seems suspicious in its behavior (excessive disk usage maybe), then a quick web search for the app or process name is usually enough to reveal what you’re dealing with.

You should also check for applications and processes that are starting up at the same time as your operating system, as most surveillance tools will need to do this. On Windows, you’ll find this list of software under the Start-up tab of Task Manager; on macOS, open System Preferences then select Users & Groups and Login Items. Again, run a web search for any application that you’re not sure about.

The macOS Activity Monitor tells you what’s going on with your system.

Screenshot: David Nield via Apple

There are some extra permissions stalkerware apps are likely to need on macOS: From System Preferences head to Security & Privacy, and then Privacy. Check the entries for Input Monitoring and Full Disk Access, as spying software will often need these permissions. Windows doesn’t have exactly the same setup, but you can see the permissions that apps have (including location, camera access and so on) by choosing Privacy from the Settings menu and scrolling down to App permissions.

As we’ve said, if your employer is keeping tabs on your working day then the tools should be visible and running with your knowledge. But if you’re really worried, a complete system reset for Windows or macOS should clear the majority of hidden monitoring tools, if you suspect one has taken root (just make sure you back up your files first).

How to Check Your Accounts

For someone who wants to invade someone’s privacy, it’s often easier just to gain access to their online accounts rather than try to get access to their devices. With just about everything accessible on the web, from social media to email, it’s far more effective.

With that in mind, as well as checking for unauthorized access to your devices, you should also check for unauthorized access to your accounts. This obviously starts with protecting your usernames and passwords: Make sure they’re known only to you, difficult to guess, not used across multiple accounts, and not written down anywhere. Consider using a password manager to keep those passwords strong, randomized, and different for every account you have. On accounts where it’s available, turn two-factor authentication on.

Facebook will list all of the devices that you’ve logged in on.

Screenshot: David Nield via Facebook

If there’s an unwanted visitor in your accounts, you should be able to find evidence of it. For Facebook, for example, open your settings page in a browser and click Security and login to see all the devices where your account is active (and to log out of ones you don’t recognize). In the case of Gmail on the web, click the Details button in the lower right-hand corner to see other active sessions.

Some mobile apps, like WhatsApp and Snapchat, can only be used on one device, so you know that the login you’re using is the only active one. This isn’t the case for every app though—on Instagram, for example, if you open up the app settings then tap Security and Login activity, you can see a list of all the devices linked to your account. To remove a device, tap the three dots to the side of any of the entries, then Log out.

We’d also recommend looking through the activity on your accounts—activity such as the sent folder in your email account, for example, or the messages that have been received and sent on Twitter or Facebook Messenger. It’s worth checking the drafts and trash folders in your accounts too for any evidence of unrecognized activity.

Check Instagram to see recent login activity.

Screenshot: David Nield via Instagram

If someone else has gained access to your email account, they may have set up an automatic forwarding function to another account—this is something else to check for. In Gmail on the web, for example, click the cog icon (top right), then See all settings and Forwarding and POP/IMAP: Look under the Forwarding heading to see if your email is being sent somewhere else. Check the Filters and Blocked Addresses tab too for anything that hasn’t been set up by you.

The approach is slightly different depending on the apps you use and the accounts you have, but staying on top of your active logins and keeping an eye on app activity are the best ways of spotting unwelcome visitors. Regularly changing your password is an effective way of locking other people out too.


More Great WIRED Stories

  • Behind bars, but still posting on TikTok
  • My friend was struck by ALS. To fight back, he built a movement
  • Deepfakes are becoming the hot new corporate training tool
  • America has a sick obsession with Covid-19 polls
  • Who discovered the first vaccine?
  • 👁 Prepare for AI to produce less wizardry. Plus: Get the latest AI news
  • 🎙️ Listen to Get WIRED, our new podcast about how the future is realized. Catch the latest episodes and subscribe to the 📩 newsletter to keep up with all our shows
  • 📱 Torn between the latest phones? Never fear—check out our iPhone buying guide and favorite Android phones

Continue…