Stalkerware—mobile software that enables covert surveillance, especially in intimate partner relationships—persists as a significant threat on the Android ecosystem despite platform-level policy and security enhancements. We present the first multi-application longitudinal analysis of the stalkerware ecosystem. We analyse 82 APKs from four prominent stalkerware brands sourced from official, third-party, and modded marketplaces, mapping their technical evolution against key policy and OS updates from 2012 to 2025. We find a strategic dichotomy in developer behaviour based on distribution channels. Applications distributed on third-party channels, away from Google Play, consistently target older, less-secure APIs to preserve invasive functionality, effectively ignoring platform policies. In contrast, developers on the Google Play platform respond reluctantly, often employing malicious compliance (e.g., obfuscated notifications) or strategic re-architecting (e.g., ‘split-app’ models) to circumvent rules while maintaining a market presence. Our findings suggest that platform policies displace rather than eliminate abusive functionality. By systematically documenting how stalkerware developers navigate and subvert platform governance, we provide a nuanced understanding of their adaptive capabilities, offering critical insights for developing more robust, future-proof detection and mitigation strategies.
