Written by Quinnlan Varcoe, digital forensics examiner. Updated July 2026.
Before you touch anything: removing stalkerware usually alerts the person who installed it— many apps notify their controller, and the sudden silence tells them anyway — and deleting it destroys the evidence of who did it.
If you haven’t yet decided whether removing it now is the safe move, work through found spyware on your phone: what to do first — and if the person who did this is a partner or ex, consider calling the National Domestic Violence Hotline (800-799-7233) from a safer device before changing anything.
Most stalkerware-removal guides jump straight to “scan and delete.” This one doesn’t, because the deleting is the easy part — the part that matters is the order. The steps below sequence removal so you keep your safety options and your proof. They cover both platforms, including the iPhone case most guides get wrong.
Preserve the evidence before you remove anything
Uninstalling a monitoring app erases exactly the things that prove what happened: the install date and source, the app’s configuration (including the account it reports to), and its record of what was collected. If there is any chance you will want a protective order, a police report, or a civil case, preserve first:
- Photograph what you foundwith a different device — the app entry, its permissions screens, any account or license email you can see. Don’t rearrange or explore beyond what’s visible; just capture it.
- Write down the timeline: when the phone was out of your hands, when the behavior started, what made you check.
- If the stakes justify it, have the device forensically imaged before removal. A proper image preserves the artifacts in a court-ready form and lets removal happen afterward without losing anything. That is the core of our stalkerware detection and removal service, and the reason this page keeps saying “preserve first.”
Two pages on this site go deeper: how to report digital evidence to law enforcement and the hub’s evidence-preservation guidance. The rule of thumb: you can always remove later; you can’t preserve later.
iPhone: it may not be an “implant” at all
The peer-reviewed finding that should reshape how you think about iPhone spyware: most “my iPhone is being monitored” cases involve no spyware app on the phone. They are account-level access — someone who knows your Apple ID password reading your iCloud backups, messages, photos, and location from their own device. The removal for that is completely different: no amount of app-deleting or scanning helps, because there is nothing on the phone to find.
- Run Apple’s Safety Check(Settings → Privacy & Security → Safety Check). It shows what you are sharing and with whom, which devices are signed into your Apple ID, and lets you review or reset access in one place.
- Check signed-in devices(Settings → your name): every device listed can see what your account syncs. Remove any you don’t recognize — after you have preserved a photo of the list, and after you have thought about the alert-risk above.
- Check for configuration/MDM profiles(Settings → General → VPN & Device Management). A profile you didn’t install can grant ongoing control; note it, photograph it, then remove it.
- If access was account-level, the fix is credential rotation — new Apple ID password from a clean device, review of trusted phone numbers and recovery contacts — not app removal. Our guide to what to do if someone has access to your phone walks that order of operations.
True on-device iPhone implants exist but are rarer and usually require a jailbreak or a mobile-device-management enrollment. Signs worth noting (never proof by themselves): an unfamiliar profile as above, or a device that was jailbroken without your knowledge.
Android: settings-level removal, step by step
Android stalkerware is usually a real app hiding under an innocuous name (“System Service,” “Device Health”). It survives by holding powerful permissions. Work through these four settings surfaces, in order, photographing anything suspicious before you remove it:
- Device admin apps(Settings → Security → Device admin apps, wording varies by vendor). Monitoring apps register here to resist uninstall. Anything you don’t recognize: deactivate its admin role first — you can’t uninstall it while it holds admin.
- Accessibility services(Settings → Accessibility). This is the most abused permission on Android — an accessibility service can read the screen and log keystrokes. Unfamiliar entries with full access are a red flag.
- Permission managers for camera, microphone, and location (Settings → Privacy → Permission manager). Sort by permission, not by app: look at everything holding camera, mic, or all-the-time location and confirm you know why.
- Unknown or sideloaded packages(Settings → Apps → See all apps, including system apps). Look for apps you didn’t install, with generic names and no icon, especially anything installed around a date the phone was out of your hands. The install source (“Installed from”) matters: sideloaded monitoring apps don’t come from the Play Store.
Once an app has lost its device-admin role, uninstall it normally. Then restart the phone and re-check all four surfaces — some packages reinstall companions. And a caution that cuts the other way: a clean pass through these settings is not a guarantee the phone is clean.These are signs of compromise, not a verdict — no scan or checklist can promise safety.
Factory reset: what it fixes and what it can’t
“Just factory-reset it” is the most common advice online, and it is honest to say it usually does remove on-device stalkerware. It is equally honest to say when it fails:
- It destroys the evidence completely. A reset is the single most evidence-destructive act you can take. Preserve first (or image first) if you may ever need proof.
- It does nothing about compromised credentials.If the real access is your Apple ID, Google account, or carrier account, the reset changes nothing — they are watching the account, not the device.
- Restoring your old backup can restore the problem. Set the phone up as new, or restore selectively; a backup taken while the monitoring was active can carry it (or its configuration) back.
- MDM/enrollment survives some resets.A device enrolled in a management program can re-enroll itself on first boot. If you found an MDM profile you can’t explain, get help before trusting a reset.
- A shared family plan is its own channel. Location sharing, line-level features, and account access through a carrier family plan survive anything you do to the handset.
After removal: assume they still have a way in until proven otherwise
Removing the app severs one channel. If the person who installed it knows your passwords — and if they had your unlocked phone, they should be assumed to — they have others: your email, your cloud account, your carrier login. The follow-through is a recovery pass in the right order, starting from a clean device, covered in what to do if someone has access to your phone. For hardening beyond the incident — passwords, 2FA, device hygiene — see privacy services for individuals.
And if what you found needs to hold up later — in a protective-order hearing, a custody case, or a police report — a professional examination before removal produces court-ready documentation of what was on the phone and how it got there. That’s the piece no settings walkthrough can give you: our stalkerware detection and removal service exists for exactly that case.
















