Sideloaded child monitoring apps flagged for stalkerware tactics and data risks

An in-depth comparative analysis has raised serious concerns about the growing market of sideloaded parental control applications on Android devices, revealing their overlap with stalkerware, misuse of privacy permissions, lack of encryption, and regulatory non-compliance. The study, titled "Surveillance Disguised as Protection: A Comparative Analysis of Sideloaded and In-Store Parental Control Apps," published in Proceedings on Privacy Enhancing Technologies, highlights how these seemingly protective tools pose hidden dangers to children and other vulnerable users.

How do sideloaded parental control apps compare to official store apps?

Unlike apps from the Google Play Store, sideloaded parental control tools are not bound by the platform’s regulatory and vetting mechanisms. This freedom, the research reveals, results in apps that request more permissions, engage in deeper device surveillance, and frequently disguise their presence by masking their names and icons. The 20 sideloaded apps analyzed in the study averaged 44.4 permissions and 21 dangerous permissions, compared to 34.9 and 11.8 respectively in in-store apps.

Functionally, these apps blur the line between parental control and intrusive monitoring. While in-store apps tend to include features like content filters and screen time limits, sideloaded alternatives lean heavily on advanced surveillance techniques such as keylogging, remote microphone access, and the ability to stealthily monitor adult dating platforms like Tinder and Hinge. These capabilities often exceed the requirements of legitimate parental oversight and echo the traits of stalkerware.

Furthermore, 17 out of 20 sideloaded apps used obfuscation to hide their presence on the device. This tactic, typically prohibited by app store policies, was employed under the guise of preventing children from uninstalling the apps, but also aligns with methods used in domestic abuse surveillance.

How transparent are these apps about data collection and user rights?

Transparency was found to be gravely lacking in sideloaded apps. Although all 20 apps had privacy policies available on their websites, only 10 of these actually applied to the apps themselves. Even among those, many failed to explain the types of data collected, their legal processing basis, or user rights.

In stark contrast, nearly all Play Store apps provided accessible and relevant privacy policies, including direct links from within the apps themselves. Importantly, the policies of sideloaded apps scored lower in readability and were generally vague or legally incomplete. Only one sideloaded app appointed a data protection officer, despite the fact that GDPR mandates such appointments for systems conducting large-scale monitoring of individuals.

Even more alarming was the absence of consent mechanisms. Eight sideloaded apps did not seek user consent at all, and several others offered policies that applied only to the vendor’s website - not the app monitoring a child’s phone. The study underscores that neither the children being monitored nor, often, the parents themselves were properly informed or empowered to manage data rights under applicable laws like the GDPR.

Are children’s data and privacy adequately protected in these sideloaded tools?

The technical analysis uncovered disturbing lapses in encryption and secure data handling. Three sideloaded apps transmitted sensitive data, including GPS locations and personal messages, without using standard encryption protocols like TLS. One app used a custom encryption method previously proven to be easily bypassed by attackers.

Of the sideloaded apps analyzed, 40% were confirmed to match indicators of compromise (IOCs) used to identify stalkerware, according to TinyCheck, a tool used by NGOs and researchers to flag spyware based on network traffic. An even higher percentage (80%) were flagged by Echap, a hacker collective focused on countering sexual and digital violence.

The study also found that 13 of the 20 sideloaded apps triggered security alerts from Google Play Protect, prompting them to instruct users to disable this built-in Android protection - a dangerous move that leaves devices vulnerable to malware and abuse.

The implications are wide-ranging. Not only do these apps undermine children’s privacy, but they also expose sensitive information to exploitation by malicious actors. Sideloaded apps often lack meaningful uninstallation methods, use deceptive permissions, and offer little recourse for users to exercise their legal rights over personal data.

What are the broader ethical and legal implications?

The authors warn that the sideloaded parental control market is becoming a refuge for stalkerware vendors rebranding their tools under the guise of child protection. In some cases, companies formerly associated with intimate partner surveillance have shifted their marketing strategies toward parental control, while preserving invasive functionalities.

While sideloading has legitimate use cases, such as offering monitoring tools for children who uninstall or evade protections, this workaround has opened the door to severe misuse. The researchers call on developers to adopt child-centric, safety-by-design principles and demand greater regulatory oversight to curb harmful practices. They also recommend the development of more ethical and collaborative family safety tools that promote transparency, respect autonomy, and comply with legal frameworks.

The report issues a clear warning: unless sideloaded apps are subjected to stronger regulatory scrutiny and higher design standards, they will continue to endanger the very groups they claim to protect - children, parents, and vulnerable individuals.