Stalkerware in 2026: How to Detect and Safely Remove It From Your Phone (Including the New ZeroDayRAT Threat)

By Fanny Engriana · 11 min read · 13 views

Disclaimer: This article is for educational and informational purposes only and is not a substitute for professional safety planning, legal advice, or victim-services support. If you believe you are being monitored by an abusive partner, family member, or stalker, please read the safety section before changing anything on your phone. In the United States, the National Domestic Violence Hotline is available 24/7 at 1-800-799-7233 (call or text "START" to 88788). Outside the U.S., the Coalition Against Stalkerware maintains a directory of vetted local victim-support organizations.

I run production access for seven aggregator sites and around fifty client projects at Warung Digital Teknologi, and several of those projects ship as Android and iOS apps built in Flutter. Over eleven years I have been pulled into more than a few "something is wrong with my phone" conversations: sometimes from clients, sometimes from their family members. The pattern that has emerged is uncomfortably consistent: by the time someone suspects their phone is being watched, the spyware has usually been on the device for weeks, the suspicious behavior has a clear explanation that is rarely the one the user fears, and the wrong removal step can make a bad situation dangerous instead of merely intrusive.

This guide is the playbook I use when I am asked to triage a possibly compromised phone in 2026. It covers the detection signals that actually matter on Android and iOS, the safety planning step that has to come before removal, and how the new ZeroDayRAT commercial spyware kit, first observed on Telegram in early February 2026, has changed the threat model.

What Stalkerware Is, and Why It Is Different From Ordinary Malware

Stalkerware (sometimes called "spouseware" or "consumer-grade spyware") is software designed to silently record what a phone's owner does and forward that data to someone else β€” almost always someone who has, or recently had, physical or relational access to the target. The Coalition Against Stalkerware, an alliance founded in 2019 by ten organizations including the U.S. National Network to End Domestic Violence (NNEDV), defines it as software that enables surveillance "without the affected person's knowledge or consent."

The distinction from ordinary malware is operational, not technical. Generic malware is sprayed at strangers for profit and rarely cares which device it lands on. Stalkerware is installed by someone with intent toward a specific victim (most often an abusive partner, an estranged spouse, a controlling parent, or a stalker), and the operator usually had at least a few minutes of physical access to the unlocked phone, or knew the iCloud or Google account credentials. That is why "how did this get installed" is almost never a malware question and almost always a relational one.

That distinction is what makes the safety steps in the next section non-negotiable. With ransomware, you contain and eradicate. With stalkerware, you contain only after you have a plan for the human being on the other end of the surveillance.

The 2026 Threat Update: ZeroDayRAT and the Commodification of Mobile Spyware

On February 2, 2026, iVerify researchers reported, with coverage in The Hacker News, a new mobile-spyware platform called ZeroDayRAT being advertised in five languages on Telegram. For a flat fee of around $2,000, a buyer receives a web-based control panel that turns a compromised Android (versions 5 through 16) or iOS (up through iOS 26) device into a full surveillance endpoint. SecurityWeek documented the capability set: live camera and microphone feeds, GPS history plotted on Google Maps, keystroke logging, SMS exfiltration, enumeration of every account registered on the device (Google, WhatsApp, Instagram, Telegram, banking and payment apps), and a "crypto stealer" that scans for MetaMask, Trust Wallet, Binance, and Coinbase wallets and silently replaces wallet addresses copied to the clipboard with the attacker's.

What is meaningful for a stalkerware audience is not the feature list; pricier nation-state tools have done all of this for years. It is the price floor and distribution model. A toolkit that used to require bespoke exploit work is now sold turnkey on a messaging app for less than the cost of a used car. That economics shift changes who shows up in the threat model. In 2022, a jealous ex with $50 could buy a watered-down stalkerware app that read SMS. In 2026, the same person with $2,000 can read SMS, see live video from the front camera, listen to the room, and watch every keystroke in real time. From eleven years of seeing how attackers actually deploy tools, I would treat ZeroDayRAT-class capabilities as something an unusually motivated abuser will reach for, not just nation-state actors.

Read This First: Safety Planning Before You Touch Anything

If you suspect stalkerware on your phone and there is any chance the person installing it has a history of controlling, monitoring, or violent behavior, do not begin removal yet. The Coalition Against Stalkerware's survivor guidance is direct on this point: removing the spyware can tip off the operator, and survivors of intimate-partner abuse have reported escalation (physical, financial, or custodial) in the hours and days following discovery.

The standard sequence advised by NNEDV's Safety Net project and similar victim-services organizations is:

  1. Use a different, safer device for any planning conversations. A friend's phone, a public-library computer, or a brand-new pay-as-you-go phone that has never been associated with your accounts. Do not search for victim resources from the phone you suspect is monitored.
  2. Contact a trained advocate before removal. In the U.S., call or text the National Domestic Violence Hotline (1-800-799-7233). Internationally, use the directory at stopstalkerware.org/resources. Advocates can help you build a removal plan that accounts for shared finances, custody arrangements, and physical safety logistics.
  3. Document evidence first if you may need it later. Photographs of suspicious settings screens, dated screenshots of the unfamiliar app, and saved system logs may be useful for protective orders or law enforcement. Your advocate can advise on what is admissible in your jurisdiction.
  4. Plan the removal moment. If the operator is likely to react when surveillance goes dark, you and your advocate may decide to remove only after physical separation is secured.

If you are confident the situation is not abusive (for example, you suspect a malicious app you yourself installed accidentally from a sideloaded marketplace), you can move directly to detection and removal. The detection steps below do not, by themselves, alert most stalkerware operators, with one caveat: an implant that captures or streams the screen can show the operator which Settings screens you opened, so do the checks at a time when the operator is unlikely to be watching, and do not linger on them.

Detection on Android: What I Actually Check, in Order

Android is the more common stalkerware target because it allows app installation outside the Play Store and exposes more permission surfaces. When I am asked to look at an Android phone, I work through the following sequence. I have done this on Pixel, Samsung, and Xiaomi devices; menu paths vary slightly by OEM but the destinations are the same.

1. Settings → Apps → See all apps. Scroll the entire list. Stalkerware often hides under generic, unmemorable names like "System Service," "Sync Manager," "Wi-Fi Helper," or just an Android-style icon with no label. Anything you do not remember installing is a candidate. Tap each suspicious entry: an app installed from Google Play shows an "App details in store" link at the bottom of its App info screen, and sideloaded stalkerware usually does not.

2. Settings → Accessibility → Installed services (listed under "Downloaded apps" on some builds). This is the single highest-signal screen on Android. Most stalkerware abuses Accessibility to read other apps' screen contents and capture keystrokes, and Google has tightened the API release after release because of this exact misuse: since Android 13, a sideloaded app's accessibility service cannot be enabled until someone taps through an extra "Allow restricted settings" prompt on the device itself, so an enabled service belonging to an app that did not come from Google Play is strong evidence that whoever installed it had the unlocked phone in hand. Anything in this list that is not a screen reader you knowingly enabled (TalkBack, Voice Access) or an OEM utility you trust should be considered hostile until proven otherwise.

3. Settings → Security → Device admin apps. Stalkerware often grants itself device-admin status so it cannot be uninstalled without first being demoted. If you see anything here you do not recognize, the surveillance hypothesis just got much stronger.

4. Settings → Apps → Special app access → Install unknown apps. Review which apps are allowed to install other apps. Whichever app was used to sideload the implant (a browser, a file manager, a messaging app, or a dropper) will have been granted this permission, and it stays granted until someone revokes it. Revoke it everywhere you do not actively need it.

5. Run a recognized scanner. The major mobile security vendors (Malwarebytes, Lookout, Kaspersky, ESET, Bitdefender) share stalkerware signatures with the Coalition Against Stalkerware and detect most off-the-shelf families (mSpy, FlexiSpy, Cocospy, KidsGuard, Spyzie, and the rest). They will not catch a custom-built or zero-day implant, but they will catch the large majority of cases, which use commercial stalkerware-as-a-service.

6. Check for unexpected battery and data usage. Settings → Battery → Battery usage by app and Settings → Network & internet → Internet → SIMs → App data usage. Stalkerware that uploads camera, microphone, or screen content burns measurable battery and data. An app you do not recognize sitting in the top five battery consumers, or using hundreds of megabytes of background data, is a strong signal.
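
The Settings screens above can be read off a phone in one pass over adb, which is how I would do it on a client device that already has USB debugging enabled. The script below is an added example for this guide, not code from the article, from the scanner vendors, or from any stalkerware family. It assumes `adb` is on the PATH, that `settings get secure`, `pm list packages -3 -i` and `dumpsys device_policy` print in the formats described in each function's docstring, and that `appops query-op` exists on the target build (recent Android only). The package name `com.sysservice.helper`, the accessibility allowlist and the sample outputs are constructed for the demonstration.

```python
"""Android stalkerware triage over adb.

Added example, not the article's code. It parses the text printed by the adb
commands named in each function; `triage_live()` runs those commands against a
connected phone with USB debugging enabled (assumption: `adb` is on PATH).
The samples at the bottom are constructed stand-ins for real adb output.
"""
from __future__ import annotations

import re
import subprocess

PLAY_STORE = "com.android.vending"

# Accessibility services expected on a stock device (constructed allowlist;
# extend it for your OEM). Anything else is reported as suspect.
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",
    "com.google.android.apps.accessibility.voiceaccess",
}

def adb(*args: str) -> str:
    """Run `adb shell <args>` and return stdout with CRLF normalised."""
    res = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return res.stdout.replace("\r\n", "\n")

def suspect_accessibility(raw: str) -> list[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a ':'-separated list of ComponentNames (pkg/class), or 'null'
    when nothing is enabled. Returns packages that are not on the allowlist.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pkgs = {c.split("/", 1)[0] for c in raw.split(":") if c}
    return sorted(p for p in pkgs if p not in KNOWN_ACCESSIBILITY)

def sideloaded(raw: str) -> list[tuple[str, str]]:
    """Parse `pm list packages -3 -i` ('package:<pkg>  installer=<installer>').

    Returns (package, installer) for third-party apps that did not come from Play.
    """
    hits = re.findall(r"^package:(\S+)\s+installer=(\S+)", raw, re.M)
    return [(pkg, inst) for pkg, inst in hits if inst != PLAY_STORE]

def device_admins(raw: str) -> list[str]:
    """Parse `dumpsys device_policy` for enabled device-admin receivers.

    Format assumed from typical output: under 'Enabled Device Admins' each admin
    is an indented 'pkg/Class:' line followed by more-indented detail lines.
    """
    admins, in_section = [], False
    for line in raw.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
        elif in_section:
            m = re.match(r"^\s+([\w.]+/[^\s:]+):$", line)
            if m:
                admins.append(m.group(1))
            elif re.match(r"^ {0,2}\S", line):  # next top-level section
                in_section = False
    return admins

def triage(a11y: str, pkgs: str, dpm: str, installers: str) -> dict:
    """Combine the checks into one report (same signals as the Settings screens)."""
    return {
        "accessibility": suspect_accessibility(a11y),
        "sideloaded": sideloaded(pkgs),
        "device_admins": device_admins(dpm),
        "can_install_apps": installers.split(),  # apps allowed to sideload others
    }

def triage_live() -> dict:
    """Run the checks on a connected device (`appops query-op`: recent Android only)."""
    return triage(
        adb("settings", "get", "secure", "enabled_accessibility_services"),
        adb("pm", "list", "packages", "-3", "-i"),
        adb("dumpsys", "device_policy"),
        adb("appops", "query-op", "REQUEST_INSTALL_PACKAGES", "allow"),
    )

# Constructed samples: a phone with one implant hiding as "com.sysservice.helper".
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.sysservice.helper/.CaptureService"
)
SAMPLE_PKGS = (
    "package:com.whatsapp  installer=com.android.vending\n"
    "package:com.sysservice.helper  installer=null\n"
)
SAMPLE_DPM = (
    "Current Device Policy Manager state:\n"
    "  Enabled Device Admins (User 0, provisioningState: 0):\n"
    "    com.sysservice.helper/.AdminReceiver:\n"
    "      uid=10234\n"
    "      policies:\n"
    "        force-lock\n"
    "  Device Owner:\n"
    "    (none)\n"
)
SAMPLE_INSTALLERS = "com.android.chrome\ncom.sysservice.helper\n"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_A11Y, SAMPLE_PKGS, SAMPLE_DPM, SAMPLE_INSTALLERS).items():
        print(f"{key}: {value}")
```

Run it with no device attached to see the report for the constructed samples; call `triage_live()` on a connected phone. Turning on USB debugging changes the phone's state and, with a screen-capturing implant, is itself visible to the operator, so it belongs inside the timing window agreed in the safety plan.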

Detection on iPhone: What Actually Matters in 2026

iOS is harder to compromise than Android, but it is not immune. The two realistic paths to spyware on a non-jailbroken iPhone are: an iCloud account whose credentials the operator already knows (which exposes Messages, Photos, location, and backups without anything being installed on the device at all), and a malicious configuration profile that the operator installed during physical access. I check both.

1. Settings → General → VPN & Device Management. On an unmanaged personal iPhone, this screen is usually blank. If it shows a configuration profile you did not install, and that did not come from your employer's or school's official MDM, that profile may be redirecting your traffic, installing root certificates that intercept TLS, or pinning a VPN endpoint controlled by the operator. Remove anything you do not recognize.

2. Settings → [your name] → Devices. This shows every device signed into your Apple ID. An unfamiliar iPhone, Mac, or iPad here means someone else is logged into your account and likely has access to iMessage, Photos, and iCloud Drive. The fix is to remove the device and immediately change your Apple ID password from a different, trusted device.

3. Settings → Privacy & Security → Location Services. Review which apps have "Always" permission. The status-bar location indicator (the small arrow) staying lit when you are not actively using maps is iOS's way of telling you something is reading your GPS in the background. Tap each entry and downgrade anything that does not need persistent location.

4. Look for jailbreak indicators. Apps named Cydia, Sileo, Zebra, Checkra1n, or unc0ver are jailbreak managers and will not appear on a stock iPhone. If you find one, the device has been jailbroken β€” a precondition for installing the more invasive iOS spyware families.

5. Consider Lockdown Mode. Apple introduced Lockdown Mode specifically for users at elevated risk of targeted spyware. It disables many attack-surface features (FaceTime calls from unknown contacts, link previews in Messages, just-in-time JavaScript compilation in Safari). It is overkill for most users but appropriate if you have a credible reason to believe an advanced adversary is targeting you.

6. Run a specialized scan. iVerify (the same firm that documented ZeroDayRAT) and Certo offer iOS-side scanners that look for known-bad configuration profiles, suspicious provisioning profiles, and indicators of mercenary spyware. They are the closest equivalent to Android antivirus on iOS.
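
If you can get hold of the profile itself (the operator sent it over iMessage or AirDrop, or it is sitting in a backup), its payloads tell you exactly what it does. The parser below is an added example for this guide, not the article's code and not any vendor's tool. It assumes an unsigned profile (a signed one is CMS-wrapped and must be unwrapped first, as the docstring notes), uses Apple's documented PayloadType identifiers, and builds two constructed sample profiles ("Wi-Fi Helper" and "Campus Wi-Fi", with the placeholder hostname vpn.example.net) so that it runs offline; the risk descriptions are this example's own.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for surveillance-grade payloads.

Added example, not the article's code. It reads an unsigned profile (XML or
binary plist); a signed profile is CMS-wrapped and has to be unwrapped first
(e.g. `openssl smime -verify -noverify -inform DER -in p.mobileconfig`).
The PayloadType identifiers are Apple's; the risk descriptions and the sample
profiles are constructed for this example.
"""
from __future__ import annotations

import plistlib
import sys

# PayloadType -> why an operator would push it onto a victim's phone.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA (lets a proxy intercept TLS)",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.vpn.managed": "routes all traffic through an operator-chosen VPN",
    "com.apple.proxy.http.global": "sets a device-wide HTTP proxy",
    "com.apple.dnsSettings.managed": "redirects DNS resolution",
    "com.apple.webcontent-filter": "installs a filter that sees web traffic",
    "com.apple.mdm": "enrols the device in an MDM server",
}

def _detail(ptype: str, p: dict) -> str:
    """Pick the one field a triager most wants to see for a given payload type."""
    if ptype == "com.apple.vpn.managed":
        for section in ("IKEv2", "IPSec", "VPN"):  # where RemoteAddress lives per VPNType
            if p.get(section, {}).get("RemoteAddress"):
                return p[section]["RemoteAddress"]
    elif ptype == "com.apple.proxy.http.global":
        return p.get("ProxyPACURL") or f"{p.get('ProxyServer')}:{p.get('ProxyServerPort')}"
    elif ptype == "com.apple.dnsSettings.managed":
        dns = p.get("DNSSettings", {})
        return dns.get("ServerURL") or dns.get("ServerName") or ",".join(dns.get("ServerAddresses", []))
    return p.get("PayloadDisplayName") or p.get("PayloadIdentifier", "")

def inspect_profile(data: bytes) -> dict:
    """Return the profile's identity, whether the user may remove it, and risky payloads."""
    top = plistlib.loads(data)
    findings = []
    for p in top.get("PayloadContent", []):
        ptype = p.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype], _detail(ptype, p)))
    return {
        "name": top.get("PayloadDisplayName", ""),
        "organization": top.get("PayloadOrganization", ""),
        "removal_disallowed": bool(top.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }

def _profile(name: str, payloads: list[dict], locked: bool) -> bytes:
    """Build a constructed profile for the demo (not a real, signed one)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": name,
        "PayloadOrganization": "Example Org",
        "PayloadIdentifier": "org.example." + name.lower().replace(" ", "-"),
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": payloads,
    })

# Constructed: what an operator-installed profile might look like.
SUSPECT_PROFILE = _profile("Wi-Fi Helper", [
    {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Helper CA",
     "PayloadContent": b"<DER certificate bytes omitted>"},
    {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "Helper VPN",
     "VPNType": "IKEv2", "IKEv2": {"RemoteAddress": "vpn.example.net"}},
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "HomeNet"},
], locked=True)

# Constructed: a benign profile that only configures Wi-Fi.
BENIGN_PROFILE = _profile("Campus Wi-Fi", [
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "eduroam"},
], locked=False)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT_PROFILE
    report = inspect_profile(data)
    print(f"{report['name']} ({report['organization']}) removal_disallowed={report['removal_disallowed']}")
    for ptype, why, detail in report["findings"]:
        print(f"  {ptype}: {why} -> {detail}")
```

A profile delivered by an MDM server rather than as a file cannot be pulled this way; for those, the server shown under VPN & Device Management is the thing to investigate. The root CA payload is the one to worry about most: with it installed and a VPN or proxy payload pointing at the operator's box, most TLS connections the phone makes can be read in the clear.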

Safe Removal: Once Your Plan Is in Place

If you have completed safety planning, or if your situation does not require it, here is the removal sequence I follow. Do this from a location and timing window that you and your advocate, if applicable, have agreed is safe.

For Android: Back up only personal photos and documents to a clean account or external drive. Do not back up app data, because that is exactly where stalkerware persistence hides. Then perform a full factory reset (Settings → System → Reset options → Erase all data). After the reset, do not restore from a device backup. Set the phone up as a brand-new device, and reinstall apps individually from Google Play. If the device was rooted, also reflash the stock firmware from the manufacturer's official tool.

For iPhone: Remove suspicious configuration profiles first. Then update to the latest iOS (Settings → General → Software Update). Then: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings. Set the phone up as new, not from an iCloud backup, which would restore the same compromised account state. Sign in to a fresh Apple ID if you suspect the original was the entry point, or change the original Apple ID password from a different device first.

For both platforms, after the reset:

  • Change passwords for every account you accessed on the compromised phone, starting with email, banking, and the cloud account itself.
  • Enable hardware-key or passkey-based 2FA on email and banking. SMS-based 2FA is not enough if the operator can still see your messages through other means.
  • Review and revoke active sessions and OAuth grants on Google, Microsoft, Apple, and any social platform. A password change does not reliably invalidate tokens, app passwords, and third-party grants issued before it, so revoke them explicitly.
  • Replace the SIM card and get a new phone number if network-level location tracking (SS7 lookups or carrier services keyed to your number) is a credible concern in your situation; a new SIM that keeps the old number does nothing against that kind of tracking.
  • If financial theft is suspected (especially after a ZeroDayRAT-class compromise), place a fraud alert with your bank and review the last 30 days of transactions. The U.S. Federal Trade Commission identity-theft portal walks through the formal recovery steps.

What I Would Not Bother With

From eleven years of being asked the same questions, three things come up that I tell people not to spend energy on:

  • "Stalkerware detection" apps that promise a free scan and then upsell. The vendors I named above (Malwarebytes, Lookout, Kaspersky, ESET, Bitdefender, iVerify, Certo) are the ones with documented relationships to the Coalition Against Stalkerware and to academic researchers. Random app-store apps with five-star reviews and no transparent threat intelligence are at best ineffective and at worst stalkerware themselves.
  • Rooting your phone to "look around." Rooting an Android device specifically to hunt stalkerware almost always weakens the device's security further and rarely turns up evidence you could not see through Settings → Apps and Accessibility.
  • Jailbreaking an iPhone to inspect it. Same logic, more strongly. Jailbreaking removes Apple's signature checks and is one of the few preconditions that makes the worst iOS spyware families possible. Do not do this as part of a hunt.

FAQ

Will a factory reset definitely remove stalkerware? For ordinary commercial stalkerware on Android, yes, provided you do not restore from a backup that contains the malicious app. If the device was rooted, or you have reason to think the implant persisted outside the user data partition (a modified system image or firmware), erasing user data may not be enough: reflash stock firmware from the manufacturer's tool or, if the stakes justify it, replace the device. On iOS, where the system volume is verified at boot, Erase All Content and Settings followed by a clean setup (not a restore) is generally sufficient.

If my partner installed an Apple Family Sharing or Google Family Link account, is that stalkerware? Family-sharing tools are legitimate and consensual when both parties agree to them. They become stalkerware when they are installed without informed consent or are used to monitor and control an adult against their will. The Coalition Against Stalkerware's distinction is consent and intent, not the technology itself.

Can I tell if someone has my iCloud or Google password without installing anything? Both Apple and Google show every active sign-in session under your account-management page. Review them and sign out anything you do not recognize. Then change the password from a trusted device and turn on hardware-key two-factor authentication.

Should I confront the person I suspect? Not as a first step. Confrontation tips off the operator, may escalate the situation, and destroys evidence. Consult a domestic-violence advocate before any conversation if there is any history of controlling or violent behavior.

Closing Note

The painful truth in 2026 is that the price floor for high-capability mobile surveillance has dropped from "nation-state budget" to "two thousand dollars on Telegram." That is a meaningful shift. It does not mean every stalkerware investigation needs to assume ZeroDayRAT-level capability (most cases I have seen still come down to a commercial app installed during a few unlocked minutes), but the upper bound of what an unusually motivated operator can do has changed. The detection steps above are calibrated for both ends of that spectrum, and the safety-planning step is non-negotiable for anyone whose adversary may be the person they live with.

This article is for educational purposes only. If you are in immediate physical danger, call your local emergency number. In the United States, that is 911. The National Domestic Violence Hotline is 1-800-799-7233.
