What are the telltale signs of stalkerware on an iPhone?

Configuration profiles you did not install, especially with vague names like Apple Business or iOS Settings, are a primary indicator. Also look for iCloud backup activity from devices you do not recognize at appleid.apple.com, unusual battery drain on idle, an Apple ID password recently changed by someone else, the Apple ID logged in on more devices than yours, and two-factor authentication codes arriving when you did not request them. None of these by themselves prove monitoring. Together they form a pattern a forensic examiner can confirm or rule out.

Can an antivirus app on iPhone find stalkerware?

No. Apple does not allow consumer antivirus apps full access to other apps' data on iPhone, so the iPhone scanner apps in the App Store cannot detect stalkerware that lives in iCloud, in a configuration profile, or in a jailbreak. They will tell you everything is fine, and they will be wrong. Real detection requires a forensic image and parsing tools that are not available to consumer apps, paired with known indicators of compromise from the major commercial stalkerware vendors.

What does a forensic phone scan actually do that I cannot do myself?

It uses tools that do not exist on the consumer market, including Cellebrite, Magnet Axiom, and the open-source Mobile Verification Toolkit, to image the device, parse system artifacts, and check for indicators of compromise from commercial stalkerware vendors like Pegasus, FlexiSPY, mSpy, Hoverwatch, Cocospy, Spyzie, and Cerberus. It also checks for jailbreak indicators, unauthorized configuration profiles, and iCloud account anomalies. The output is a written report admissible in a protective-order filing, custody dispute, or domestic-violence matter.

Should I factory-reset my phone if I suspect stalkerware?

Not yet. A factory reset destroys the forensic evidence you may need later for a protective order, custody filing, or criminal complaint. Before resetting, get the device imaged by a forensic examiner so the evidence is preserved in a court-admissible format. Once preservation is complete, removal can be straightforward, sometimes through a reset, sometimes through profile removal or iCloud lockdown depending on what was found. Removal versus preservation is the key choice, and preservation comes first when there is any chance of legal action.

Will the person watching me know if I check my phone?

Possibly. Toggling settings, removing a configuration profile, or signing out of iCloud can alert the person who installed monitoring software because some commercial stalkerware reports configuration changes to its operator. The safer path is to leave the suspect device untouched, move to a separate device, change your Apple ID password from that other device, and contact a forensic investigator. Working from a clean device prevents tipping off the watcher and preserves the evidence needed for a protective order.

How does stalkerware get onto an iPhone in the first place?

Three primary paths. Physical access for a few minutes is enough to install a configuration profile or sign in to iCloud as the user, especially when the watcher knows the passcode. iCloud credential theft, often through a phishing page or a recovered password, lets the watcher mirror the target's iCloud account without ever touching the device. Nation-state-tier tools like Pegasus use zero-click exploits that require no interaction at all, but those are rare in domestic cases. Most cases we run trace back to the first two.

What should I do if a forensic scan confirms stalkerware?

Do not tip off the watcher. Work with counsel before any device cleanup. Once the forensic report is in hand, the typical sequence is a protective-order filing or custody motion supported by the report, then coordinated cleanup that includes a new device on a new Apple ID, MFA on a phone number the watcher does not know, and review of every account the compromised iCloud could reach. For domestic-violence matters, the order of operations is determined with the safety planner and counsel, not with the device.

How to Find Stalkerware on iPhone | Forensic Detection Guide

All articles·7 min read·April 27, 2026

Read this first if you are in immediate danger

If you suspect a current partner or someone with physical access has installed monitoring software on your phone, do not change settings on the device yet. The act of toggling settings can alert the person watching. Move to a safe location with a different device first, then read on.

What stalkerware actually is

Commercial stalkerware is sold openly under marketing terms like "parental control" or "employee monitoring" — Pegasus, FlexiSPY, mSpy, Hoverwatch, Cocospy, Spyzie, Cerberus. The same products are used overwhelmingly in domestic surveillance and intimate-partner violence cases. They install via physical access, iCloud credential theft, or — in the case of Pegasus-tier nation-state tools — zero-click exploits.

Forensic indicators consumer apps will not show you

Configuration profiles. Settings → General → VPN & Device Management. Any profile you did not install yourself, especially one with vague names like "Apple Business" or "iOS Settings," is suspicious.
iCloud backup activity from unfamiliar devices. appleid.apple.com → Devices. Anything you do not recognize is a serious indicator.
Unusual battery drain on idle. Check Settings → Battery for processes you do not recognize. Stalkerware exfiltrates data continuously.
iCloud password recently changed by someone else. Check the email associated with your Apple ID for a "your password was changed" notice you did not trigger.
Apple ID logged in on more devices than yours. Many stalkerware tools on iPhone work by mirroring iCloud, not by installing on the device.
Two-factor authentication codes you did not request. Indicates an attacker has your password and is trying to bypass 2FA.

What an antivirus app will not catch

Apple does not allow consumer antivirus apps full access to other apps' data. The "iPhone scanner" apps in the App Store cannot detect stalkerware that lives in iCloud, in a configuration profile, or in a jailbreak. They will tell you everything is fine. They are wrong.

What a forensic phone scan actually does

A forensic phone scan uses tools that do not exist on the consumer market — Cellebrite, Magnet Axiom, mobile verification toolkits like MVT — to image the device, parse system artifacts, and check for knownindicators of compromise (IOCs) from the major commercial stalkerware vendors. It also checks for jailbreak indicators, unauthorized configuration profiles, and iCloud account anomalies. The output is a written report you can use in a protective-order filing orcustody dispute.

Steps to take right now if you cannot get to a forensic investigator yet

From a different device (not the suspected phone), change your Apple ID password.
Sign out of all other devices in iCloud → Devices.
Re-enroll in two-factor authentication and use a phone number the watcher does not know.
Do not factory-reset the suspect device — it destroys forensic evidence you may need later.

We work many of these cases under attorney-client privilege when there is a custody, divorce, or protective-order matter pending. See domestic violence digital forensics for the protected workflow.