Why we built a stalkerware detector into ARK

Three weeks before we shipped ARK's first release, a woman emailed us from Bristol. Her ex had hidden spyware on her phone. She'd found it only by accident, when her battery started draining in ways she couldn't explain. She asked if ARK could help people spot that kind of thing before the damage got worse.

The email that changed our roadmap

I remember reading that message during a late afternoon in the office. She wasn't angry. She was methodical. She'd documented the timeline, listed the symptoms, and explained what she wished she'd known sooner. What struck me wasn't the technical detail. It was the clarity in her voice. She wasn't asking for a lot. Just a tool that would tell her, plainly, whether someone was watching her phone.

We'd built ARK to give people a security credit score from 0 to 100, then run targeted scans across device settings, network exposure, app permissions, and breach history. The whole thing was meant to be privacy-first - on-device scanning where possible, no analytics on free-tier runs. We were proud of that. But we'd built it thinking mostly about data breaches and weak passwords and overpermissioned apps.

That email made me realise we'd missed something. Stalkerware isn't abstract. It's intimate. It's someone you trusted gaining access to your texts, your location, your calls. It happens most often in relationships marked by control and isolation. The women we spoke to afterward were often the same ones who'd been in data breaches, or whose exes had reused passwords across accounts. Vulnerability compounds.

What stalkerware actually looks like

Before we started building, we spent time understanding what we were up against. Stalkerware apps often masquerade as legitimate tools - screen recorders, parental controls, fitness trackers. Some use obfuscated names or hide in system folders. The challenge isn't technical sophistication. It's deception. A determined person with device access can install something that sits quietly, sending location data or message logs to a remote server, while the victim has no idea they're being watched.

We looked at what HIBP integration taught us about breach exposure, what our permission scanner revealed about app access, and what gaps remained. Most security tools either focus on enterprise device management (overkill for a person escaping a controlling relationship) or antivirus scanning (which misses stalkerware designed to hide in plain sight). We needed something different: a detection layer that understood the specific patterns stalkerware creates.

The stalkerware detector we built runs on every ARK user's device for free. It checks for known spyware signatures, looks at permission patterns that correlate with monitoring apps, and flags suspicious system integrations. One-tap remediation links let users isolate or remove suspicious apps immediately. We made it free because access to safety shouldn't depend on whether someone can afford a subscription.
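To make the permission-pattern and system-integration checks described above concrete, here is an added example; it is not ARK's code. The weights, the threshold, the App fields and the sample inventory are assumptions constructed for illustration; only the android.permission names and the Play Store installer package are real.

```python
from dataclasses import dataclass

P = "android.permission."
# Weights and threshold are illustrative assumptions, not ARK's values.
SENSITIVE = {
    P + "ACCESS_FINE_LOCATION": 2, P + "ACCESS_BACKGROUND_LOCATION": 3,
    P + "READ_SMS": 3, P + "READ_CALL_LOG": 3,
    P + "RECORD_AUDIO": 2, P + "CAMERA": 1, P + "READ_CONTACTS": 1,
}
PLAY_STORE = "com.android.vending"

@dataclass
class App:  # hypothetical inventory record
    package: str
    permissions: frozenset
    accessibility_service: bool = False  # can read on-screen content
    device_admin: bool = False           # harder to uninstall
    launcher_icon: bool = True           # False = hidden from the app drawer
    installer: str = PLAY_STORE          # "" = sideloaded

def assess(app):
    """Return (score, reasons); a higher score is closer to a monitoring profile."""
    held = sorted(p for p in SENSITIVE if p in app.permissions)
    score = sum(SENSITIVE[p] for p in held)
    reasons = [p[len(P):] for p in held]
    for flag, weight, why in (
        (app.accessibility_service, 4, "accessibility service enabled"),
        (app.device_admin, 3, "device administrator"),
        (not app.launcher_icon, 4, "no launcher icon"),
        (app.installer != PLAY_STORE, 2, "not installed from Play Store"),
    ):
        if flag:
            score += weight
            reasons.append(why)
    return score, reasons

def triage(apps, threshold=10):
    """Apps at or above threshold, highest first. A hit means 'review', not 'malicious'."""
    hits = [(a.package, *assess(a)) for a in apps]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

def perms(*names):
    return frozenset(P + n for n in names)

SAMPLE = [  # constructed inventory, not real apps
    App("com.example.maps", perms("ACCESS_FINE_LOCATION")),
    App("com.example.chat", perms("READ_SMS", "READ_CONTACTS", "RECORD_AUDIO", "CAMERA")),
    App("com.example.kidsafe", perms("ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
        "READ_SMS"), accessibility_service=True),
    App("com.example.sysservice", perms("ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
        "READ_SMS", "READ_CALL_LOG", "RECORD_AUDIO"),
        accessibility_service=True, launcher_icon=False, installer=""),
]
```

In this sample the visible, Play-installed parental control app is flagged alongside the hidden sideloaded one, which is why a hit is presented as something to review rather than a verdict.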

Why this sits at the centre of ARK

Our security credit score isn't really about credit, the way a bank uses the term. It's about agency. It's about knowing where you stand and what you can do about it. The score factors in device settings, app permissions, network leaks, and now stalkerware risk. It's 0 to 100 because that scale is simple. Everyone understands what a low score means. It's alarming when it should be.

But stalkerware detection mattered enough to us that we built it into the free tier, alongside a basic permissions check. Everything else - dark-web monitoring, phishing scanners, password health, 2FA audits, breach history via Have I Been Pwned - lives in Shield tier, at £2.99 a month or £29.99 a year. The highest tier, Fortress, adds things like GDPR Autopilot (automated data-subject requests to brokers and services) and SDK X-Ray (showing you what third-party software development kits are embedded in your apps and what data they're reaching for).

Those features matter. They're built for people 25 to 45 who care about privacy, who've been in breaches, who manage security for family devices or small teams. But stalkerware detection felt different. It felt foundational. If you can't feel safe on your own device, nothing else we offer does much good.

What we've learned since launch

We've had users flag parental control apps that then turned out to be genuine - parents monitoring their children's devices. We've had others identify apps they genuinely didn't install, which sparked conversations with their support networks about what might have happened. We've also had messages from people who found nothing, which for many was a relief. Just being able to ask the question clearly felt important to them.

One pattern surprised us: the overlap between users checking for stalkerware and users interested in GDPR Autopilot. People who've experienced control or surveillance often want to know exactly which brokers, advertisers, and services hold their data. They want to request it deleted, on their own terms. Data-broker exposure (in the Fortress tier) now sits alongside stalkerware detection in how people think about privacy. It's not just about what someone malicious might do. It's about what systems legitimately do with your information, and whether you have the tools to say no.

Building without overstepping

There's a line we're careful not to cross. ARK tells you what it finds. It gives you control. It doesn't make decisions for you. We don't block apps without your say-so. We don't phone anyone. We don't make assumptions about intent. A parental control app is a parental control app. A phone recovering from a breach has vulnerabilities that need addressing. It's your choice what to do.

That's why we put remediation links in your hands rather than behind subscription walls, at least for stalkerware. Why we've been transparent about what our scanners can and can't do. Why we chose SecureStore on iOS and EncryptedSharedPreferences on Android for any PII we store, never plain text. People who are already in situations where their privacy is threatened can't afford to trust tools halfway.

The stalkerware detector came from a specific email, a specific person's vulnerability, and a recognition that we had a responsibility to address it. It's stayed free and it stays central because safety isn't a premium feature.

When you build a tool meant to give people control over their security, the questions shift. It's not just 'Can we detect this threat?' It's 'Who needs to know, and what can they actually do about it?' What security problem sits closest to your own phone right now, and do you know whether you're truly safe?
