Gen Archives

Stalkerware cases stabilize, but remain concerningly high

How online creeping and cyber stalking differ, the most common cyber stalking tactics, and where we are with stalkerware today
Kevin Alejandro Roundy
Technical Director, Norton Labs
February 9, 2022
Read time
10 Minutes
Stalkerware cases stabilize, but remain concerningly high
Written by
Kevin Alejandro Roundy
Technical Director, Norton Labs
February 9, 2022
Read time
10 Minutes
Stalkerware cases stabilize, but remain concerningly high
In this article
    Share this article

    Online creeping is extremely widespread nowadays—whether it’s checking a new colleagues’ LinkedIn, scrolling through a new love interest’s Facebook, or even perusing friends’ latest Venmo transactions out of curiosity—it can feel as though the access we have to each other’s day-to-day lives has no bounds. However, this level of access to personal details and whereabouts can quickly cross over into concerning territory.

    For our third annual Norton Cyber Safety Insights Report: Special Release for Online Creeping, The Harris Poll surveyed over 10,000 adults across 10 countries to understand people’s attitudes and behaviors when it comes to online creeping and stalking—and we took a look at how that compares to the latest stalkerware cases.

    Online creeping versus cyber stalking

    While the majority of people agree there is at least some harm involved in stalking a current or former partner online, more than one in three adults globally who have been in a romantic relationship admit to checking in on their current or former partner without their knowledge or consent—and 22% say they would be more likely to stalk a current or former partner online if they knew they would not get caught.

    This behavior, which we call “online creeping,” isn’t necessarily harmful. For example, when asked why they creeped on their partner online, 37% of those who have, said they were “just curious.”  

    But some had more charged reasons for poring over their partner’s digital life, including these: 

    • 40% said they didn't trust their significant other or suspected they were up to no good. 
    • 36% said they wanted to know where their partner was or who they were with.  
    • Further, 26% of all adults said online stalking is OK if one or both partners have cheated or are even just suspected of cheating. 

    Online creeping behavior crosses over into concerning territory—or cyber stalking—when it becomes a pattern or evolves to include the use of technology and tactics to discreetly track someone’s personal activity or information in an invasive, often illegal, way.

    Among adults globally who have been in a romantic relationship, the most common stalking behaviors were checking on their partner’s phone to view information like text message, phone calls, emails, or photos (17%), reviewing their significant other’s search history on one of their devices (13%), using knowledge of their partner’s passwords to access their device or online accounts, like social media profiles (10%), and tracking their location via a location sharing app (9%).

    Alarmingly, 7%  admit to using an app – i.e. stalkerware – to monitor their partner’s text messages, phone calls, direct messages, emails, or photos.

    This data is in line with what we’ve seen at Norton Labs in examining stalkerware apps detected by Norton Mobile Security for Android, which uses a combination of reputation and machine-learning algorithms to flag apps that can be used for spying. As it stands, our research team has found that  1 in 13 Android devices globally were infected with stalkerware in the past year.

    What is stalkerware?

    The use of stalkerware apps is one manifestation of malicious cyber stalking. Stalkerware is best described as software that enables someone to monitor the activities on another person’s device without their knowledge or consent. 

    When someone installs stalkerware on another’s phone, they can gain access to that person’s personal device activity—such as location, text messages, phone calls, social media, and more. In most cases, the information is sent to an email address or synced to a cloud account they can access.

    While other applications might have some of these capabilities—like location-sharing with friends and family on Google Maps or Apple’s Find My—these provide routine notifications and warnings that your device’s location is being tracked, which makes them difficult to use in secret. What differentiates stalkerware is that it’s installed by a third party without the consent or awareness of the device’s owner, often camouflaged by icons that falsely indicate a benign purpose like “Battery Saver” or “System Services” and without providing notifications of their presence on the device. Making matters worse, app launchers can be configured to hide the presence of the stalkerware app, rendering them invisible except in settings menus.

    Stalkerware by the numbers 

    Figure 2: Daily number of Android devices reporting stalkerware from September 2020 through December 2021. Detections climbed by 42%  from September to December 2021 and have since stabilized.
    Figure 2: Daily number of Android devices reporting stalkerware from September 2020 through December 2021. Detections climbed by 42% from September to December 2021 and have since stabilized.

    Our Norton Labs team has continued to monitor the number of devices reporting stalkerware samples on a daily basis using Norton’s stalkerware blacklist. While we saw a dramatic uptick in the number of devices infected with stalkerware in late 2020 and early 2021, numbers have held steady since March 2021. We hypothesize a few reasons that are at least partially responsible for this stabilization:

    • We saw an upward trend in stalkerware as people went into lockdown, which forced many to spend more time at home, where personal belongings are easily within arm’s reach, likely creating more opportunities for perpetrators of tech-enabled abuse to install stalkerware on their partner’s devices. As lockdowns have subsided, it seems as though stalkerware installations have ceased to increase, though they remain at concerningly high levels.
    • Following pressure from our Norton Labs team and other organizations, major app stores have banned apps that openly encourage prospective users to spy on their significant others’ phone and blocked overt search terms (e.g. “catch my cheating girlfriend” and “hidden call recorder”), curtailing ease of access to malicious apps.

    In examining the 10 countries surveyed for our Special Report on Online Creeping, we found the following infection rates by country:

    Combatting stalkerware through partnerships

    Familiarity with stalkerware remains low—our Special Release for Online Creeping found that 83% are unfamiliar with stalkerware, with 13% somewhat familiar, and just 4% very familiar. This may seem alarming—if people aren’t familiar with stalkerware, how can they identify it or know what to do if they find it on their device?—however, we believe meaningful progress in protecting people from stalkerware comes from raising awareness with customer advocacy groups, lawmakers, law enforcement, and major platform providers, so they can hold developers accountable.

    At NortonLifeLock, we have teamed up with organizations working in domestic violence survivor support and perpetrator intervention, digital rights advocacy, IT security and academic research as a founding member of the Coalition Against Stalkerware

    In 2020, Norton Labs reported more than 800 stalkerware apps on the official Android Play Store, leading Google to remove the apps and update its policy.

    We have seen the Federal Trade Commission begin to take action against stalkerware, most recently, banning SpyFone and its CEO from the surveillance business.

    But despite industry-wide efforts, we’re still seeing stalkerware in major app stores in more covert and disguised forms.

    Why stalkerware still exists on major app stores

    While it’s easier for major platform providers to identify and take down overt stalkerware that spies on many device’s sensors and communications channels, more obscure, single-use apps slip by. Just last year, our Norton Labs team found that 82% of the apps that can be used for covert surveillance only monitor a single type of device sensor or communication channel—consequently, these apps are more successful in positioning themselves for benign use cases.

    One of the most prevalent use cases can be found in the form of recorder apps. These are harmless when the app can only be initiated by the device owner on a call-by-call basis—but many of the most widely used call recorders are automatic, silently recording every single phone conversation and syncing recordings to the cloud. What’s worse, these apps typically provide no notifications to the user and can be hidden. While the developers have argued their apps are harmless, we must wonder why they lack such simple yet critical safety features to preventing tech-enabled abuse.

    Even when it comes to parental control apps, our Norton Labs team firmly believes those that monitor device behavior in a hidden or secret way without the child’s knowledge or consent are problematic. While parental supervision apps can be useful tools for protecting children, it’s best for parents to have open conversations with their children about online safety and the precautions they plan to take.

    It ultimately comes down to the notifications and ensuring device users of all ages are aware of any apps that could be monitoring their device behavior and communication—and it’s the responsibility of major platform providers to establish and enforce this policy for developers.

    How to protect against stalkerware

    If you’re looking to take further steps to protect against stalkerware, it’s always a good idea to install a security app like Norton Mobile Security for Android to monitor your device. This will scan for the presence of potentially unwanted apps and flag them to you so that you can make an informed decision about what’s on your phone. To learn more about Norton Mobile Security, visit

    If you or anyone you know is a victim of domestic violence, including tech-enabled abuse, the National Domestic Violence Hotline also provides confidential and anonymous support 24/7 by phone at 1-800-799-7233, and Loveisrespect provides teens and young adults with confidential and anonymous support by phone at 1-866-331-9474.

    About the 2022 Norton Cyber Safety Insights Report: Special Release – Online Creeping

    The research was conducted online by The Harris Poll on behalf of NortonLifeLock among 10,003 adults aged 18+. The survey was conducted November 15 through December 7, 2021 in Australia (n=1002), Brazil (n=1000), France (n=1001), Germany (n=1000), India (n=1000), Italy (n=1000), Japan (n=1000), New Zealand (n=1000), the United Kingdom (n=1000), and the United States (n=1000). Data are weighted where necessary by age, gender, race/ethnicity, region, education, marital status, household size, and household income to bring them in line with their actual proportions in the population. No estimates of theoretical sampling error can be calculated.

    All sample surveys and polls, whether or not they use probability sampling, are subject to multiple sources of error which are most often not possible to quantify or estimate, including sampling error, coverage error, error associated with nonresponse, error associated with question wording and response options, and post-survey weighting and adjustments. Therefore, The Harris Poll avoids the words “margin of error” as they are misleading. All that can be calculated are different possible sampling errors with different probabilities for pure, unweighted, random samples with 100% response rates. These are only theoretical because no published polls come close to this ideal.

    Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

    Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.

    Kevin Alejandro Roundy
    Technical Director, Norton Labs
    Dr. Kevin Alejandro Roundy has been a Researcher for NortonLifeLock since completing his Ph.D. in 2012, where his research has centered on the creation of new malware analysis and detection algorithms, several of which are featured in products today.
    Follow us for more