Spyware Detection

Think Your Phone Has Spyware? We Will Find It.

Since 2006. CISSP, ISSAP and ISSMP certified. Forensic spyware analysis for Android and iPhone with court-ready documentation.

Sherlock Forensics provides professional spyware and stalkerware detection for Android and iPhone devices. Forensic analysis identifies hidden surveillance apps including mSpy, FlexiSpy, Cocospy and Hoverwatch using logical acquisition. Over 90% of commercial stalkerware is detectable without physical extraction. Court-ready forensic reports document findings for legal proceedings.

Free initial consultation | Results in 2-3 business days | Court-ready reports

Warning Signs

Signs Your Phone May Have Spyware

You may have noticed something off about your phone. Maybe the battery dies faster than it used to. Maybe someone seems to know things they should not. These are the indicators we hear most often from clients who contact us.

  • Battery draining faster than normal. Spyware runs background processes that consume power continuously. A phone that once lasted all day now dies by mid-afternoon.
  • Unexpected data usage spikes. Surveillance apps upload captured data (messages, call recordings, photos) to remote servers. This creates data usage that does not match your activity.
  • Phone running hot when idle. A phone sitting untouched on a desk should not generate heat. Persistent background recording or location tracking causes abnormal heat output.
  • Apps you did not install appearing on the device. Some stalkerware installs companion apps or modifies system settings. New apps you do not recognize may be part of a surveillance package.
  • Someone knowing things they should not. This is the most common reason clients contact us. If someone knows the content of your messages, your location history or details of private conversations, surveillance software may be the source.
  • Screen lighting up randomly without notifications. Some spyware activates the screen briefly during data transmission or when executing remote commands from the operator.
  • Unusual background noise on calls. Older stalkerware and poorly coded surveillance apps can interfere with the audio subsystem, producing clicks or echo during voice calls.
  • Device performance degradation over time. Spyware consumes CPU cycles and memory. A phone that has become noticeably slower without a software update may be running hidden processes.

These signs can also have innocent explanations. An aging battery, a misbehaving app or a pending system update can produce identical symptoms. Professional forensic analysis determines whether surveillance software is actually present. Do not factory reset your phone before analysis. Resetting destroys the evidence we need to identify the spyware and document it for legal proceedings.

Forensic Analysis

What We Check During Analysis

Full App Inventory

Every installed application is catalogued, including hidden and sideloaded packages that do not appear in the normal app drawer. Stalkerware frequently hides itself from the device launcher.

Permissions Audit

We examine which apps have been granted accessibility services, device administrator privileges and camera/microphone access. Stalkerware requires these permissions to function.

Background Services

Persistent processes and background services are analyzed for surveillance behavior. Legitimate apps do not need to run continuously in the background monitoring calls and messages.

Custom CA Certificates

We check for custom Certificate Authority certificates installed on the device. These are indicators of man-in-the-middle interception, allowing an attacker to read encrypted web traffic.

Network Connection Logs

Cached DNS lookups and network connection logs reveal which servers your device has been communicating with. Known stalkerware command-and-control domains are flagged immediately.

Battery and Data Anomalies

Per-app battery consumption and data usage are analyzed. Apps consuming disproportionate resources relative to their stated function are investigated further.

Installation Source

We determine whether each app was installed from the Play Store, App Store or sideloaded as an APK. Stalkerware is almost always sideloaded because Google and Apple remove it from their stores.

Device Admin Registration

Device administrator registrations grant apps elevated privileges including the ability to prevent their own uninstallation. Stalkerware commonly registers as a device administrator to resist removal.

Over 90% of consumer spyware (mSpy, FlexiSpy, Cocospy, Hoverwatch and similar) is detectable via logical acquisition. No physical extraction needed. The forensic acquisition process is non-destructive and does not modify any data on your device. Refer to NIST SP 800-101 Rev 1 for guidelines on mobile device forensic acquisition methods.
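The installation-source, accessibility and device-administrator checks described above can be combined into a single triage pass. The sketch below is an added example, not Sherlock Forensics code or part of their Android Acquirer. The sample data is constructed, the package names are hypothetical, and it assumes only the Play Store counts as a trusted installer and that device-admin components have already been extracted from the device policy dump.

```python
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

# Constructed stand-in for `adb shell pm list packages -i -3`
PM_LIST = """\
package:com.example.chat  installer=com.android.vending
package:com.example.syncservice  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
# Constructed stand-in for `adb shell settings get secure enabled_accessibility_services`
ACCESSIBILITY = "com.example.syncservice/.WatchService:com.example.chat/.ReaderService"
# Constructed: admin components already extracted from `dumpsys device_policy`
DEVICE_ADMINS = ["com.example.syncservice/.AdminReceiver"]


def parse_installers(pm_output):
    """Map package name -> installer (None when sideloaded or unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = rest.partition("installer=")[2].strip() or None
        installers[name] = None if installer == "null" else installer
    return installers


def component_packages(components):
    """Package part of each 'package/class' name; skips the unset value 'null'."""
    return {c.split("/", 1)[0] for c in components if c and c != "null"}


def triage(pm_output, accessibility, device_admins):
    """Return [(package, [reasons])], most reasons first, for manual review."""
    a11y = component_packages(accessibility.strip().split(":"))
    admins = component_packages(device_admins)
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"not store-installed (installer={installer})")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in admins:
            reasons.append("registered as device administrator")
        if reasons:
            findings.append((pkg, reasons))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))
```

Calling `triage(PM_LIST, ACCESSIBILITY, DEVICE_ADMINS)` ranks com.example.syncservice first because it trips all three checks. A single hit, such as a legitimate screen reader with an accessibility service, is a lead for manual review rather than a finding.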

Known Threats

Common Spyware We Detect

These are commercial stalkerware applications available for purchase online. They are marketed as "parental monitoring" or "employee tracking" tools but are frequently used for unauthorized surveillance of partners and spouses. Our forensic analysis identifies their presence, installation date and the data they have been accessing.

  • mSpy — one of the most widely deployed consumer stalkerware applications. Monitors messages, calls, GPS location, social media and browsing history.
  • FlexiSpy — advanced stalkerware with call recording, ambient microphone activation and camera access. Requires more sophisticated installation than most competitors.
  • Cocospy / Spyic — marketed as phone monitoring solutions. These share a common codebase and infrastructure despite being sold under different brand names.
  • Hoverwatch — consumer stalkerware that captures screenshots, records calls and logs keystrokes. Hides from the app drawer after installation.
  • eyeZy — newer entrant to the stalkerware market. Monitors messaging apps, social media, location and screen activity with a web-based dashboard.
  • XNSPY — monitors calls, messages, location and media files. Operates in stealth mode and transmits data to a remote monitoring portal.
  • KidsGuard Pro — despite the name, frequently used for partner surveillance. Captures messages, call logs, photos and real-time location.
  • TheTruthSpy — known stalkerware with a history of data breaches affecting both the targets and the people who installed it.

State-level surveillance tools (Pegasus, Predator) require specialized analysis beyond standard forensic methods. If you believe you may be targeted by a government-level adversary, inform us during consultation. We can advise on additional measures and refer you to organizations equipped for that level of analysis, including The Citizen Lab at the University of Toronto.

Transparency

What Logical Acquisition Cannot Detect

We believe honesty about limitations builds more trust than vague promises. Our logical acquisition method detects the vast majority of consumer stalkerware. But there are categories of surveillance that require different approaches.

Limitations

  • Zero-click exploits that exist only in volatile memory. Pegasus-class attacks are designed to leave no persistent traces on the file system. They operate entirely in RAM and disappear on reboot. Detecting these requires memory forensics or network traffic analysis.
  • Rootkits that modify the operating system partition. If the attacker has root access and has modified the OS itself, the compromised operating system may hide evidence of its own modification from standard forensic tools.
  • Baseband or modem-level implants. Surveillance at the cellular modem level operates below the Android or iOS operating system entirely. No application-level forensic tool can detect implants running in the baseband processor firmware.
  • Hardware-implanted surveillance devices. Physical modifications to the phone hardware (added chips, modified antennas) require physical inspection and RF analysis, not software forensics.

If you have reason to believe you are targeted by a government-level adversary, inform us during consultation. We can advise on additional measures. For most people, however, the threat is commercial stalkerware installed by someone with physical access to the device. That is exactly what our analysis is designed to find.

How It Works

The Process

From first contact to final report, every step is documented with forensic rigor. If your findings need to be used in court, the chain of custody starts the moment you contact us.

  1. Free Consultation. Contact us at 604.229.1994 for a free initial consultation. We will listen to your concerns, ask the right questions and determine whether forensic analysis is the appropriate next step. No judgment. No pressure.
  2. Device Intake. Bring your device to our lab or ship it to us with tracked delivery. Chain of custody documentation begins at intake. We record device identifiers, condition and the time of receipt. Your device is stored securely throughout the examination.
  3. Forensic Acquisition. We perform forensic acquisition using the Sherlock Forensics Android Acquirer. The process is non-destructive and read-only. No data on your device is modified or deleted during acquisition.
  4. Analysis. Acquired data is analyzed against known spyware signatures and behavioral indicators. We examine app inventories, permissions, background services, network connections, certificate stores and installation sources to identify surveillance software.
  5. Forensic Report. You receive a detailed forensic report documenting what was found, when it was installed and what data it accessed. The report includes SHA-256 hash verification, timestamps, app details and full chain of custody documentation. This report is suitable for use in legal proceedings.
  6. Removal Guidance. We provide step-by-step removal instructions specific to the spyware identified on your device. We also provide prevention recommendations to protect against re-installation, including security settings, account hygiene and ongoing monitoring practices.

Who We Help

Who This Service Is For

People contact us for many different reasons. What they share is a need for answers. Our job is to examine the device, document what we find and give you the facts.

Domestic Abuse Survivors

If you suspect a current or former partner is monitoring your phone, you deserve to know for certain. Our analysis provides documented proof that can be used in protection order applications, custody proceedings and criminal complaints. We understand the sensitivity of your situation and treat every case with discretion.

Business Executives

Corporate espionage through mobile device surveillance is a real threat. If you handle sensitive business information and suspect your device has been compromised, forensic analysis can identify unauthorized monitoring software and provide evidence for internal investigations or legal action.

Attorneys

When your client alleges unauthorized surveillance, you need forensic evidence to support the claim. Our reports document spyware presence with chain of custody, SHA-256 hash verification and examiner credentials. We also provide expert witness testimony when required.

Parents

If you suspect a third party has installed monitoring software on your child's device without your knowledge or consent, forensic analysis can identify the software and document its presence. This is particularly relevant in custody disputes where one parent may have installed surveillance without the other parent's authorization.

Anyone Concerned

You do not need to fit a specific category to use this service. If something feels wrong with your phone and you want a professional answer, that is enough. We will examine the device and tell you what we find. If there is nothing there, that answer has value too.

Questions

Spyware Detection FAQ

How do I know if my phone has mobile spyware?
Battery drain, data usage spikes, overheating and unknown apps are common indicators. Professional forensic analysis is the only way to confirm whether surveillance software is installed. Do not rely on consumer "anti-spyware" apps from the app store. Most of them cannot detect commercial stalkerware that hides from the app drawer and runs as a background service.

Can mobile spyware be detected without rooting my phone?
Yes. Logical acquisition through ADB accesses app inventories, permissions, background services and network connections without modifying the device. Over 90% of commercial stalkerware is detectable this way. Your phone is returned to you in the exact same state as when you brought it in.

How much does a mobile spyware analysis cost?
Contact us for a quote based on your situation. Most analyses are completed within 2-3 business days. Call 604.229.1994 for a free consultation. We will give you an honest assessment of whether forensic analysis is likely to answer your questions before you spend anything.

What evidence will I receive from a mobile spyware analysis?
A forensic PDF report documenting all findings with SHA-256 hash verification, timestamps, app details and chain of custody documentation. This report is suitable for legal proceedings including protection orders, custody cases and criminal complaints. If nothing is found, the report documents that as well.

Can mobile spyware be removed from my phone?
We provide detailed removal guidance based on what we find. For most commercial stalkerware, removal is straightforward once identified. We also provide recommendations to prevent re-installation, including security hardening steps specific to your device and situation.

Is a mobile spyware forensic analysis court-admissible?
Our forensic reports are produced using the same methodology and documentation standards we use for court submissions. SHA-256 hashing, chain of custody and examiner credentials are documented throughout. Sherlock Forensics has provided expert witness testimony in Canadian courts since 2006.

Take the Next Step

If You Suspect Your Phone Is Compromised, Call Us.

A free consultation takes five minutes. We will listen to what you are experiencing, tell you whether forensic analysis is likely to help and explain exactly what the process involves. No commitment required. For forensic practitioners who want to perform their own spyware analysis, see the Sherlock Forensics Android Acquirer and our Android forensics guide.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

You Deserve to Know.

If something does not feel right, trust that instinct. Call us for a confidential consultation. We will tell you what we can do and what to expect. See also: mobile forensics services, chain of custody documentation and workplace investigations.

Call 604.229.1994

Sherlock Forensics spyware detection services are provided for lawful use.