Identifying Stalkerware? Re EFF Article

ThisOldGuy

A friend that I got interested in GOS sent me this EFF article about antivirus identifying Stalkerware. Their question was more interested in, what if someone I trusted installed it, how can I identify it especially with multiple profiles and the main one not running Play Services.

So I'm asking about antivirus or another way to identify reliably and remove Stalkerware and how to go about it with multiple profiles where most don't use Google play.
While prevention is best, sometimes the unforeseeable occurs.
Is there a better way than the standard Malwarebytes, BitDefender, ESET, Kaspersky? How would one scan profiles without play services?

EFF tested a great many apps, and only a handful did a good job at it.

https://www.eff.org/deeplinks/2025/11/eff-teams-av-comparatives-test-android-stalkerware-detection-major-antivirus-apps

raccoondad

ThisOldGuy How would one scan profiles without play services?

You don't, signature scanning isn't really useful. Just dont install software you don't trust

GrapheneOS

ThisOldGuy Start by using Auditor to make sure you're running genuine GrapheneOS and have no non-system accessibility services or device managers enabled. Next, use the permission manager to look through which apps have been granted important permissions such as Location access. Check which apps are running as foreground services. Confirm that each of the apps granted sensitive permissions is genuine. You can check the package name and install source in the Settings app. There are more advanced checks you can do but it's not really needed to do more than making sure it's a certain package name from a certain app store.

If you want to go through all the apps you've installed, that's straightforward via the Settings app, but it doesn't really matter if they haven't been granted any sensitive access.

Antivirus is a very poor way to do this and far worse than using Auditor combined with checking app permissions and making sure they're the apps you think they are rather than something malicious disguised as them including a modified variant of an actual app.

bitestring You don't need special tools. There's a built-in permission manager. If you're concerned about an app knowing your location, check which apps have been granted location access. Also, switch to using one-time permission grants for the time sensitive permissions (Camera, Microphone, Location) as a good privacy practice beyond this and you'll have less to check on an ongoing basis too. Use the GrapheneOS Contact Scopes and Storage Scopes instead of granting media and file access permissions too.

bitestring

In general, installing only essential apps and avoiding bloats will help reduce attack surface. GOS already protects you from memory exploits (which could be used to install Stalkerware) by default. In addition, turn on USB protection to block device from communicating through USB.

If you are worried about someone installing Stalkerware without your knowledge through physical access, enable PIN + 2FA Fingerprint in addition to the main device password.

You can also install the antivirus products recommended by EFF, but remember they can only detect known Stalkerware by enumerating your installed apps. If you are installing one, I recommend Malwarebytes (it works with least privilege in my test). Don't give it Storage permission or any other permission. Use it to only manually scan installed apps. This way the antivirus itself doesn't get sensitive data from your device.

bitestring

raccoondad OP's question is how would they detect Stalkerware apps which are installed by someone trusted/family. In those cases, a malware scanner could help find known malicious apps. Of course, these malware scanners cannot do much on Android, but if it can do something, then it's detecting known Stalkerware apps.

ThisOldGuy

GrapheneOS

We do have remote auditor and go through apps and permissions regularly and use rethinkdns. We don't necessarily understand how it all works.

I setup auditor on all profiles and one profile that is used for gadgets needing the most permissions constantly fails even tho initially it was fine. But all other profiles and owner have no problems. I know from a previous post that it was only necessary in one profile, but I left it since it was already there and do not understand why it keeps erroring out in a profile that has apps for gadgets from playstore that I prefer to be skeptical of.

We regularly go through permissions, even the special ones. Display over is the biggest risk but it stays limited to trusted apps.

With all this, I thought there was malicious apps that could not be seen in the app list and be hidden? Edit: found it an example app was Catwatchful. That filch data and keystrokes without the user being aware and it wouldn't be something auditor would detect. I can't recall the name but it was from another popular article.

We had less concerns until realizing apps could be installed by a trusted person and hidden and not impact the OS. How can those be found if they exist in a profile without play services?

Maybe I call it Stalkerware but I mean spyware, realistic I mean anything unknown or unwanted.

Thank you.

bitestring

Agree to what GrapheneOS here recommended. Periodic review of built-in permission manager is also one of the best solutions for the Stalkerware problem. I never thought Auditor could help with this. Maybe it needs better marketing.

GrapheneOS

bitestring Auditor helps with it by verifying that it's genuine hardware running genuine GrapheneOS combined with being able to detect accessibility services even if they're fully controlling the display. Auditor does not require that the device is providing trustworthy information about itself through the OS and user interface because the results are provided on another Android device or through https://attestation.app/. It receives a secure element signed response with the verified boot state, verified boot key hash, OS version, OS patch level, etc. and uses that to make sure it's genuine GrapheneOS (or the stock OS). You can check to make sure you're on a recent release via the reported patch level. It chains trust from the verified OS to the app through the OS providing the app package name, version code and signing key fingerprint(s) to the secure element for inclusion in the signed response. That means the app can perform checks through the OS which can't be spoofed by a malicious app. It shows whether any accessibility service or device manager is active which is helpful in regards to detecting an accessibility service hiding itself. We plan to significantly expand the information it provides from the OS. It's a very good initial starting point followed by using the OS permission and app management features.

Watermelon

You can still use an antivirus app to quickly scan and remove what it finds, just don't rely on it, and don't give it any permission other than Network and maybe Notifications. Google Play Protect comes built-in in the popular Google Play Store and it only takes a few seconds to scan. I don't see the disadvantage of quickly using it, and then doing what @GrapheneOS suggested by verifying the device and the GrapheneOS installation with Auditor, and then going over the permissions list.

I have a few criticisms of their reply though:

This is unlikely to be a risk in this case, but it's impossible to guarantee that a device hasn't been tampered with, even with the Auditor app. Sure there is some protections, for example the GrapheneOS project has said in the past that the communications between the secure element (which provides the attestation info) and the CPU is encrypted and authenticated. But, as a simple counterexample, someone could plant an independent GPS+antenna module inside your phone's shell, and no software would ever be able to detect this.
There's some dangerous permissions that the Auditor app currently doesn't report, for example the Display over other apps permission, which might be used to spoof the permissions you see on the screen. After using the Auditor app as @GrapheneOS suggested, I recommend booting the device into Safe Mode and checking the permissions list there to eliminate the possibility of spoofing. Don't open the power menu from the UI, instead long-press the physical power button to open it. I think you could also check which apps have been granted the Display over other apps permission.