Stalkerware Crisis: Most Android Antivirus Apps Fail to Detect Hidden Surveillance
Spyware applications secretly installed on Android devices continue to pose a stealthy and insidious threat to victims of domestic abuse, intimate partner surveillance, and digital coercion. Despite the presence of built-in protection mechanisms and antivirus software, most security solutions still fail to detect such programs promptly and effectively.
A new investigation by the Electronic Frontier Foundation (EFF) has revealed extensive shortcomings in mobile defense systems—particularly in their ability to identify and properly alert users to hidden surveillance software. The analysis covered thirteen leading Android antivirus tools, and only Malwarebytes Mobile Security performed flawlessly, detecting all seventeen stalkerware samples.
By contrast, Google Play Protect produced the weakest results, identifying just over half of the samples. Nearly all other solutions showed partial success: Bitdefender, ESET, McAfee, and Kaspersky each missed one sample; Avast, Avira, and F-Secure missed two; while Norton and Sophos detected roughly 82% of threats. G Data, Trend Micro, and Google itself ranked at the very bottom.
Stalkerware applications grant perpetrators continuous access to a victim’s device—intercepting messages, photographs, location data, voice recordings, and more. Often disguised as tools for parental supervision or employee tracking, they are in reality used for covert surveillance and control.
Once installed—almost always requiring physical access to the target phone—these apps vanish from the screen and silently transmit harvested data to remote servers. Some go even further, locking key system settings or requiring passwords for removal, making them nearly impossible to delete without advanced knowledge.
The report emphasizes that, despite formal legal disclaimers, the secret use of such applications can constitute a criminal offense in many jurisdictions. Yet most developers of these tools take no meaningful steps to prevent their misuse, deliberately designing their products to remain hidden and inconspicuous even to technically adept users.
Testing also revealed that certain antivirus programs use vague threat notifications such as “malware detected” or “potentially unwanted application,” which fail to convey the gravity of the situation or make clear that a spyware app is present. None of the tested products employed robust alerting channels—like sending notifications to linked email addresses—that might have increased the likelihood of timely discovery.
The EFF report further noted that many stalkerware apps were essentially rebranded clones of one another, sharing infrastructure components such as payment gateways, server frameworks, administrative dashboards, and executable files.
According to the researchers, built-in safeguards alone are insufficient to protect vulnerable users. Combating this class of threat requires not only better detection algorithms, but also clear, user-friendly alerts, transparent explanations of risk, and secure removal tools. Only through these measures can software vendors deliver genuine protection in situations where human safety depends on swift and reliable intervention.