// investigation guide

stalkerware sweep (mobile) — methodology

mobile stalkerware is rarely classical malware. on iOS it is almost always configuration-profile + pairing-record abuse, sometimes MDM — triage with lockdown certificates and jailbreak artifact checks. on android it is sideloaded apps abusing accessibility, notification access, usage stats, or device admin — start with apk analysis and watch for app cloner containers. audience: DV advocates, survivors, trusted friends helping someone they believe. survivor safety comes before evidence collection.

safety first — before any step of the path

if you are in immediate danger, start with crisis support — not forensic tooling. US: dial 988 (suicide & crisis lifeline) or 1-800-799-7233 (national DV hotline).

  1. is the person physically safe right now?
  2. does looking at the phone tip the abuser off? (shared passwords, screen mirroring, notification echoes)
  3. is the device shared, gifted, or financially controlled by the abuser?
  4. does the survivor want a forensic record, or do they just want it to stop?
  5. if forensic record: pull artifacts before changing anything. if "make it stop": factory reset (which destroys evidence) may still be the right choice.

what evidence exists and how fast it dies

artifact | volatility | time to loss
iOS pairing records / lockdown plists | persistent on host | survives unpair — grab before wiping the forensic Mac
iOS configuration profiles | persistent until removed | removed by profile delete or factory reset
iOS significant locations | persistent | up to ~1 year rolling · gone on reset
android installed-package list + install_source | persistent | survives reboot · sideload flag preserved
android permission grants + grant_time | persistent | survives until revoked or app removed
accessibility / notification listener logs | rolling | varies by OEM · export immediately
everything above | destroyed | factory reset — instant total loss

the first 10 minutes

  1. put device in airplane mode — stops live exfil without an obvious "offline" notification on every app.
  2. connect to a forensics workstation the abuser does not control.
  3. iOS: pull pairing records. android: export installed packages + permission grants.
  4. photograph the accessibility services list and device admin screen.
  5. iOS: export significant locations if accessible. android: export usage stats if accessible.
  6. inventory installed apps — note hidden icons and sideloaded packages.
  7. do not remove the stalkerware yet unless safety requires it.
  8. save all outputs locally with timestamps.
  9. decide with the survivor: preserve longer vs remove now.
  10. begin the platform path below.
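An added example, not part of this guide or its tooling: correlating the step-3 package export with the accessibility and notification-listener settings, so the sideloaded packages that hold those bindings stand out before the platform path begins. It assumes the exports were taken with "adb shell pm list packages -3 -i" and "adb shell settings get secure enabled_accessibility_services" / "enabled_notification_listeners"; the package names and setting values are constructed.

```python
"""Correlate three android exports from the first 10 minutes (step 3):
   adb shell pm list packages -3 -i      -> third-party packages + installer
   adb shell settings get secure enabled_accessibility_services
   adb shell settings get secure enabled_notification_listeners
A package that did not come from the store and also holds an accessibility
or notification-listener binding is the classic stalkerware shape.
All values below are constructed for illustration."""
import re

# constructed `pm list packages -3 -i` output (line format is real, packages are invented)
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.sysupdate.svc  installer=null
package:com.family.helper  installer=com.google.android.packageinstaller
"""
# constructed secure-settings values: colon-separated 'package/ServiceClass' components
ACCESSIBILITY = ("com.sysupdate.svc/.Watcher:"
                 "com.google.android.marvin.talkback/.TalkBackService")
NOTIF_LISTENERS = "com.family.helper/.NotifSvc"

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play Store counts as non-sideload

def parse_pm_list(text):
    """Return {package: installer or None} from `pm list packages -i` lines."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def parse_components(setting):
    """Return the set of packages named in a colon-separated component-name setting."""
    return {c.split("/", 1)[0] for c in setting.split(":") if c}

def sweep(pm_text, accessibility, listeners):
    """Return [(package, installer, [capabilities])] for non-store packages that
    hold an accessibility or notification-listener binding. System apps such as
    TalkBack never appear in the -3 list, so they are not flagged."""
    installers = parse_pm_list(pm_text)
    caps_by_source = (("accessibility", parse_components(accessibility)),
                      ("notification-listener", parse_components(listeners)))
    findings = []
    for pkg, inst in installers.items():
        caps = [name for name, pkgs in caps_by_source if pkg in pkgs]
        if inst not in TRUSTED_INSTALLERS and caps:
            findings.append((pkg, inst, caps))
    return findings

if __name__ == "__main__":
    for pkg, inst, caps in sweep(PM_LIST, ACCESSIBILITY, NOTIF_LISTENERS):
        print(f"{pkg}: installer={inst or 'null (sideloaded)'} capabilities={caps}")
```

installer=null also covers packages installed by adb or a file manager, which is why the grant itself, not the installer field alone, is what gets a package flagged.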

the path

android and iOS share a case type but not a tool order. run the android block on Pixel/samsung exports; run the iOS block on lockdown/pairing artifacts.

  1. apk analyzer

    android: export the suspicious APK (or full package list first to find sideloaded packages). triages permissions, services, receivers, dex IOCs. why first on android: stalkerware hides under benign names. the manifest tells you what it can actually do.

  2. android permissions auditor

    drop the APK or permission-grant export. surfaces dangerous + signature permissions (accessibility, notification listener, device admin). why second: grant time proves when abuse was enabled — not just that the app is installed.

  3. android anonymous messaging app artifact detector

    installed-packages export + residue files. finds burner / ephemeral messaging traces the abuser used for comms. why third: abusers often pair stalkerware with a separate covert messaging app.

  4. android encrypted vault app artifact detector

    package list + filesystem residue. calculator vaults and disguised storage apps. why fourth: hidden media and exfil staging often live in vault apps, not the stalkerware APK itself.

  5. android app cloner artifact forensic detector

    detects parallel space / dual-app clones — separate databases the primary app scan will miss. why fifth: clone containers are a common way to hide a second WhatsApp or messaging account.

  6. ios pairing record forensic analyzer

    iOS: pull lockdown pairing plists from the forensic workstation. surfaces unknown host trust, EscrowBag, pairing age. why first on iOS: there is often no suspicious app icon — covert pairing + MDM profile is the abuse model.

  7. ios jailbreak artifact detector

    path inventory from backup or sysdiagnose extract. rules out (or confirms) jailbreak — a common false lead either way. why second: establish a clean baseline before blaming 'mystery profiles' on jailbreak tooling.

  8. ios lockdown certificate artifact extractor

    decode device/host/root lockdown certs from pairing plists or PEM exports. chain validation + UDID/host UUID mapping. why last: ties the pairing record to cryptographic identity — evidence for who had trusted-host access.
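An added example for path items 6 and 8, not code from this guide or its tooling: reading one lockdown pairing record and pulling out the facts the iOS block asks for (which host the phone trusts, whether an EscrowBag is present, how old the pairing is, and a fingerprint of the device certificate). It assumes the record was copied from /var/db/lockdown/<UDID>.plist on the forensic Mac, that file mtime approximates pairing time, and that KNOWN_HOSTS lists the HostIDs of the survivor's own computers; the record itself is constructed in memory with placeholder byte blobs standing in for DER certificates.

```python
"""Triage one iOS lockdown pairing record (<UDID>.plist). The keys used here
(HostID, SystemBUID, WiFiMACAddress, DeviceCertificate, EscrowBag) are the
standard pair-record keys; the values below are constructed."""
import hashlib
import plistlib
from datetime import datetime, timezone

KNOWN_HOSTS = {"6B1F0C2A-3D44-4E55-9A66-77B8C9D0E1F2"}  # assumption: survivor's own Mac

def build_sample_record(with_escrow=True):
    """Constructed pairing record; the byte blobs stand in for real DER certs."""
    rec = {
        "HostID": "DEADBEEF-1111-2222-3333-444455556666",  # not in KNOWN_HOSTS
        "SystemBUID": "0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9",
        "WiFiMACAddress": "02:00:00:aa:bb:cc",
        "DeviceCertificate": b"\x30\x82\x01\x00constructed-device-cert",
        "HostCertificate": b"\x30\x82\x01\x00constructed-host-cert",
        "RootCertificate": b"\x30\x82\x01\x00constructed-root-cert",
    }
    if with_escrow:
        rec["EscrowBag"] = b"constructed-escrow-keybag"
    return plistlib.dumps(rec)

def triage_pairing_record(filename, data, mtime, now=None):
    """Return the facts an advocate needs from one pairing plist."""
    now = now or datetime.now(timezone.utc)
    rec = plistlib.loads(data)
    host_id = rec.get("HostID", "")
    return {
        "udid": filename.removesuffix(".plist"),   # file name is the device UDID
        "host_id": host_id,
        "known_host": host_id in KNOWN_HOSTS,       # unknown host = covert pairing lead
        "escrow_bag": "EscrowBag" in rec,           # host can reach data while device is locked
        "pairing_age_days": (now - mtime).days,     # assumption: file mtime ~ pairing time
        "device_cert_sha256": hashlib.sha256(rec["DeviceCertificate"]).hexdigest()[:16],
        "wifi_mac": rec.get("WiFiMACAddress"),
    }

def is_suspicious(t):
    """An unknown trusted host is the finding; EscrowBag raises its severity."""
    return not t["known_host"]

def run_sample():
    """Fixed timestamps so the result is reproducible (constructed UDID file name)."""
    mtime = datetime(2024, 1, 5, tzinfo=timezone.utc)
    now = datetime(2024, 3, 5, tzinfo=timezone.utc)
    return triage_pairing_record("00008030-000A1B2C3D4E5F60.plist",
                                 build_sample_record(), mtime, now)

if __name__ == "__main__":
    print(run_sample())
```

Item 8's certificate chain work starts from the same DeviceCertificate / HostCertificate / RootCertificate blobs this script fingerprints.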

common false leads

  • the app has a benign name, so it must be benign — renamed APKs and MDM display names are the default.
  • it is not in the launcher, so it is not installed — icon hiding is one accessibility-service line of code.
  • iOS does not get stalkerware — it gets config-profile + pairing-record abuse, which is functionally identical.
  • the survivor would know if their phone was compromised — they often do not.

what we can tell you, what we can't

we can tell you:

  • which apps have dangerous permission combinations
  • permission grant times and sideload install sources
  • proof of an unknown pairing relationship or EscrowBag on iOS
  • location exfil patterns from exported location artifacts

we can't tell you:

  • who installed it — device access chain-of-custody is human evidence
  • whether the survivor should confront the abuser — advocate territory
  • legal advice — counsel and law enforcement with advocate support

handing it off

  • DV advocate (always if not already involved): safety plan before evidence sharing.
  • local law enforcement (cautiously): some jurisdictions require advocate involvement — pairing plists, package exports, permission grants, timestamps.
  • national DV hotline (US): 1-800-799-7233 · Coalition Against Stalkerware resources.

reference investigation

synthetic fixtures sarah-ios + sarah-android — pairing/profile abuse (iOS) and sideloaded accessibility-abuse stalkerware (android). compare output via npm run check:flagship.

proof page: /forensics/proof/sarah-mobile-stalkerware · android companion: /forensics/proof/sarah-android · case playbook: case type tools
