Blog
Privacy·July 5, 2026·7 min read

The most likely spy on your phone isn't a hacker. It's someone who knows your passcode.

We picture hackers on the other side of the world and sophisticated viruses. The reality is more mundane, and more unsettling: most spyware is installed in a few minutes, by someone close who knows the unlock code. How it works, how to spot it — and what not to do.

ME
Mohamed ESSID
Founder — Trasimène

Spyware you can buy with a subscription

The word “stalkerware” covers a family of software that looks entirely ordinary: commercial apps, sold by subscription, often marketed as “parental control” or “employee monitoring”. A bank card, ten to forty euros a month, and anyone gets an online dashboard showing a phone's life: messages, continuous GPS location, photos, browsing history, call logs. Some can even trigger the microphone.

There is no technical feat involved. No secret exploit, not a line of code to write. The product is designed to be installed by someone with no skills at all, in a few minutes, on a phone they are holding in their hands. Once in place, the app keeps a low profile: no icon, an innocuous process name, nothing on screen.

The scale is hard to measure precisely — this is software built not to be seen. The figures we have are floors, not ceilings: a single antivirus vendor detects it on tens of thousands of phones worldwide every year, and the Coalition Against Stalkerware, which brings together some forty organisations, reports that the phenomenon is not receding. And that only counts devices that carry a security app: the rest never show up in any statistic.

Who installs these apps? A partner, an ex, a parent overstepping the line, sometimes an employer. Let's be clear about one thing: in most countries, installing surveillance software on another adult's phone without their consent is a criminal offence — whatever the relationship between the two people.

Five minutes of physical access do more damage than any virus

This is the one idea we'd like you to take away, because it flips the usual picture of the threat. Hacking a phone remotely, with no interaction from the victim, is extraordinarily hard: the exploits that allow it trade for millions and are used for state espionage, not for watching a private individual. The realistic path is much shorter: knowing your passcode, and being alone with your phone for five minutes.

On Android, installation is direct: enable “unknown sources”, install the app, grant it powerful permissions (accessibility, device administration), hide the icon. On an iPhone, installing a spy app is considerably harder — so surveillance usually takes another route: the Apple account credentials. Whoever knows them can read the backups, the location, the photos, without installing anything at all.

The practical consequence is simple, and it costs nothing: your unlock code is the first lock on your digital life. A code shared “out of trust”, a date of birth, the same code for years — that is where it all starts. Changing it, and keeping it to yourself, is a basic security habit again. Just like not leaving your phone lying around unlocked.

The real signs — and the false ones

Let's clear out the false signs first, because they feed pointless worry: a warm battery, a phone that slows down, data usage that fluctuates. These symptoms have a thousand innocent causes — a badly written app, an ageing battery, a recent update. Modern surveillance software is specifically designed not to give itself away like that.

The signs that genuinely deserve your attention are elsewhere. The first one isn't technical at all: someone around you knows things they shouldn't know — where you were, what you wrote, who you talked to. That signal, repeated, is worth more than any battery symptom.

On the phone itself, look for what is structural: an app you don't recognise holding outsized permissions (accessibility, device administrator), the “unknown sources” option enabled on Android with no memory of doing it, an unfamiliar device signed in to your Google or Apple account, location sharing you never set up. These checks live in the settings, take a few minutes, and require no particular skill.

What to do — and what not to do

An understandable reflex is to delete the app immediately. That is sometimes a mistake: most of this software notifies the person who installed it the moment it stops reporting. If that person is part of your daily life and the situation worries you, abrupt removal can make things worse. In that case, document first (screenshots, dates), and get support — the Coalition Against Stalkerware's website, stopstalkerware.org, lists help organisations country by country.

If you decide to act, proceed in order:

  • Change your unlock code — not a date of birth, not a code someone close already knows.
  • From another device (a friend's phone, a trusted computer), change your email password, then your Google or Apple account password.
  • Review the devices and sessions signed in to those accounts, and remove anything you don't recognise.
  • Turn on two-factor authentication for your email and your main account.
  • As a last resort, a factory reset wipes out virtually all of this software — provided you then set the phone up with fresh passwords, not from a compromised backup.

What Trasimène does

Trasimène's app monitoring continuously compares installed applications against server-updated lists of known surveillance software, and flags the tell-tale permission combinations — an invisible app that combines accessibility, auto-start and permanent background activity almost never has a legitimate reason to exist.

Let's be honest about the limits, because that is this blog's whole point: no security app sees everything. Surveillance that runs through Apple or Google account credentials never touches the phone — it shows up in the account settings, not in a scan. That is why this article walked you through both checks, not just the one we automate.

The principle to remember: five minutes of physical access to an unlocked phone outweigh every virus you've ever been warned about. Your unlock code is your first lock — choose it, keep it.

There is no reason to live in paranoia: the surveillance this article describes doesn't fall from the sky, it comes from close by, and it is prevented with simple habits — a code of your own, a locked-down account, an occasional look at your permissions. If one day the technical side isn't enough, because the situation goes beyond the phone, organisations exist in most countries to help. The checks themselves take ten minutes. They are worth doing once — and worth redoing from time to time.

Trasimène — Mobile security

Check the apps on your phone

Download Trasimène →
Back to blog