🤖 AI Summary
This work investigates how effective recent Android privacy protections are against stalkerware, and how stalkerware has adapted in response. We conduct a large-scale empirical study on contemporary stalkerware samples using static analysis, dynamic behavioral monitoring, permission invocation tracing, and cross-version time-series modeling. Results show that platform security updates significantly degrade certain high-risk tracking capabilities—e.g., background location access and call interception—yet attackers increasingly circumvent restrictions via legitimate API abuse, covert service persistence, and strategic permission combinations. We present the first systematic characterization of stalkerware’s novel evasion paradigm masked by regulatory compliance, challenging the conventional “detect-and-remove” defense paradigm. Our key contributions include: (1) a new proactive defense framework centered on API usage intent inference, runtime permission context modeling, and cross-app behavioral correlation; and (2) empirically grounded design principles for robust anti-stalking mechanisms.
📝 Abstract
Stalkerware is a serious threat to individuals' privacy that is receiving increased attention from the security and privacy research communities. Existing works have largely focused on studying leading stalkerware apps, dual-purpose apps, monetization of stalkerware, or the experience of survivors. However, there remains a need to understand potential defenses beyond the detection-and-removal approach, which may not necessarily be effective in the context of stalkerware.
In this paper, we perform a systematic analysis of a large corpus of recent Android stalkerware apps. We combine multiple analysis techniques to quantify stalkerware behaviors and capabilities and how these evolved over time. Our primary goal is understanding: how (and whether) recent Android platform changes, largely designed to improve user privacy, have thwarted stalkerware functionality; how stalkerware may have adapted as a result; and what we may conclude about potential defenses. Our investigation reveals new insights into tactics used by stalkerware and may inspire alternative defense strategies.