The stalkerware problem nobody talks about
Three weeks before we launched ARK, a woman emailed us. She'd escaped an abusive relationship six months earlier, but kept finding her location shared with her ex. Not through Apple's Find My Friends. Through something hidden on her phone. She didn't know what, and she didn't know how to find it. We realised we'd built a security app that could tell her exactly what was installed on her device. But we hadn't built anything to help her understand if that device was being used against her.
Why stalkerware is almost impossible to spot yourself
Stalkerware isn't like other malware. It doesn't crash your phone or drain the battery noticeably. It doesn't trigger your antivirus alerts because it's not trying to steal your banking credentials or ransack your photos. It's designed to be invisible. Apps like Spyzie, mSpy, FlexiSPY, and dozens of others market themselves as 'parental monitoring' tools, but they're deployed by intimate partners, ex-partners, and controlling family members to track location, read messages, listen to calls, and monitor every app you open.
The cruel part is the deception. These apps hide their icons. They run with minimal permissions requests. A partner could install one while you're in the shower, and you'd have no reason to suspect it existed for months. The victim doesn't know they're being watched. The abuser gets exactly what they want: control without confrontation.
When we started building ARK's security score, we looked at what a typical person could check on their own. Permissions, background apps, breach history. But permissions alone don't tell the story. A legitimate parental control app and a stalking tool have nearly identical permission sets. That's why stalkerware detection requires a different approach.
How we built the stalkerware detector
We spent two months researching which apps are used for stalking versus legitimate purposes. We cross-referenced law enforcement warnings, domestic abuse support organisations, and security researchers. The list changes regularly. Bad actors rebrand, create shell companies, and distribute through different app stores. We integrated a living database of known stalkerware identifiers and signatures.
The detector works on-device and stays on-device. When you run a scan in ARK, the app checks every installed application against this database. If it finds a match, it flags it immediately. No data leaves your phone. We don't log what you find or send analytics back to our servers on the free tier. The point isn't for us to know; the point is for you to know.
What surprised us most was the second part of the problem: what happens after detection? Finding stalkerware is pointless if the victim doesn't know what to do next. So every flag includes a one-tap uninstall deep-link. But we also linked to resources from organisations like the National Domestic Violence Hotline and Women's Aid. If someone finds this on their phone, they need safety information, not just a delete button.
The difference between detection and responsibility
Building a stalkerware detector forced us to confront something uncomfortable. Security tools can be misused. A parent could use our detector to find out if their teenager deleted a monitoring app. An abuser could use it to ensure their partner hasn't discovered the spyware they installed. We can't prevent that misuse entirely. But we can be thoughtful about it.
That's why we kept the stalkerware detector free. Abuse victims shouldn't have to pay a subscription to find out if they're being tracked. It's also why we didn't add stalkerware installation ourselves as a feature of ARK. There's no 'parental monitoring mode'. We built the detection tool. What people do with that tool is their choice, but we're not going to make stalking easier.
The tougher decision was how honest to be publicly about what we'd built. Some security companies market 'anti-spyware' features and bury the stalkerware angle in small print. We chose to be direct, even if it meant some customers might ask why we care about a niche feature. Because it's not niche. According to the Cyber Civil Rights Initiative, 1 in 4 women experience severe intimate partner violence in their lifetime. Many of those involve technology abuse.
Why this matters beyond ARK
Since we launched, we've had messages from people in different countries, different situations, but the same basic fear: am I being watched? Some confirmed stalkerware was installed. Some found nothing and felt relieved. A few didn't reach out until months later to say they'd used the scan to rebuild trust in a relationship after working through the tracking issue with a partner.
What this taught us is that stalkerware detection isn't a competitive feature or a marketing angle. It's a responsibility that should be part of every mobile security tool. The major phone platforms have started to take this seriously. Google Play added policies against stalking apps. Apple added safety resources. But individual users still have no easy way to know what's listening to them.
On Shield tier, we expanded detection further. The dark-web monitor checks if your identity or data has been posted on forums used to trade stalkerware licenses. The phishing scanner catches fraudulent login pages designed to steal credentials from accounts that control your location data. These aren't novelty features. They're extensions of the same problem: understanding the full attack surface against you.
What we learned about building security for trust
The hardest conversation we had while building ARK wasn't about how to detect stalkerware. It was about how to present findings to someone who might be in danger. A stark red warning can feel like a gut punch. A gentle notification might downplay the severity. We settled somewhere in the middle: clear, direct, and immediately actionable.
That woman who emailed us three weeks before launch? We helped her run a scan. She found two applications she didn't recognise. One was a known tracking tool. She uninstalled both, changed her passwords, and told us it felt like getting her phone back. That email is framed on the wall beside my desk, not as a marketing moment, but as a reminder of why we built this thing.
Security isn't abstract. It's the difference between someone controlling your location and you controlling your location. It's the difference between feeling safe on your own device and feeling watched. ARK's stalkerware detector isn't the most technically sophisticated thing we've built. But it might be the most important.
If you've never thought about stalkerware, you might assume it's rare or someone else's problem. But if you have thought about it, you know it's not. What would change about how you use your phone if you knew exactly what was installed on it and what each app was seeing?