How to Detect and Remove Spyware From an Android Phone
Spyware covertly tracks everything you do on your device, from browsing the internet to sensitive transactions. If spyware ends up on your Android phone, you could be sending your login credentials and financial information directly to cybercriminals. Learn how to detect and remove spyware on Android devices.
What is spyware?
Spyware is a form of malicious software which can monitor your online activity without your knowledge. It can collect sensitive information about you, such as login details, location, banking and credit card details, messages, private photos, and browsing history. Typically, hackers use this sensitive information for financial gain.
There are different types of spyware, each designed to carry out a specific task. These include:
- Password stealers
- Sound and video recording spyware
- Information stealers
- Cookie trackers
- Banking trojans
What makes spyware so dangerous?
All malware represents a threat. Spyware is especially insidious because it hides inside your device, accessing your personal information without your knowledge. Hackers use the data they uncover with spyware to commit identity theft, fraud, and other crimes.
Spyware typically involves a high level of surveillance. For example, depending on the type of spyware on your Android, it may be able to record audio or video through your device or track your browsing history or physical location. Keyloggers can even record everything you type.
Another form of spyware is ‘stalkerware’, which involves someone you know installing a spying app on your device without your permission or knowledge. These types of apps can be used by jealous partners, suspicious employers, or over-anxious parents. Stalkerware differs from other types of spyware because it doesn’t send your data to unknown cybercriminals but to someone you know personally. This is because an attacker needs physical access to a personal account, where they can see the data received from the victim’s device. Stalkerware can be used for blackmail, extortion, or as a tool in domestic violence or abuse.
Where does spyware come from?
There are various ways spyware can end up on your Android phone, including:
You inadvertently downloaded a malicious app
While Google has a vetting process for the apps they allow into the Play Store, sometimes malware can slip through.
You fell victim to a phishing scam
Phishing scams using email or text messages involve cybercriminals impersonating either a legitimate company or a known contact to trick the victim into downloading a malicious file or disclosing personal information.
Someone downloaded stalkerware onto your device
Stalkerware is usually installed by someone who has physical access to your device. They may place stalkerware on your phone to track your location, monitor your online activity, record your calls and access correspondence in instant messengers. This could also include stalkerware and keyloggers that records everything you type.
Hackers come up with new spyware all the time. Here are some recent eye-catching examples:
A new Android spyware named RatMilad was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. Researchers warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims’ conversations.
The spyware was distributed through a fake virtual number generator used for activating social media accounts called ‘NumRent’. Once installed, the app requested risky permissions and then abused them to sideload the malicious RatMilad payload.
The main distribution channel for the fake app was Telegram, as NumRent, or other Trojans carrying RatMilad, aren’t available on the Google Play Store or third-party stores. The RatMilad threat actors also created a dedicated website to promote the mobile remote access trojan (RAT) to make the app appear more convincing. This website was promoted on Telegram and other social media platforms.
A new version of the FurBall Android spyware was found targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also known as APT-C-50. The spyware was deployed in a mass-surveillance operation that has been underway since at least 2016.
The newest FurBall malware version was sampled and analyzed by researchers, who reported that it had many similarities with earlier versions, but with new obfuscation updates. This version of FurBall is distributed through fake websites that are visual clones of real ones, where victims end up by clicking on links in direct messages, social media posts, emails, SMS, or via unethical SEO techniques.
In 2021, researchers identified a spyware app in South Korea which affected Android devices. Called PhoneSpy, this malicious program masqueraded as a regular application so it could gain access to the infected machine to steal data and remotely control it. This spyware is estimated to have infected more than 1,000 Android devices.
PhoneSpy was found in legitimate-seeming apps such as yoga, video streaming, and messaging apps. Because these apps were not in the Google Play Store, researchers believe the malware was distributed through other third-party platforms that attackers shared via social engineering and phishing techniques.
In 2018, researchers found a piece of spyware, called GravityRAT, that was designed to target the Indian armed forces. It previously mainly targeted Windows machines, but following changes in 2018, Android devices became targets as well.
In 2019, we encountered a piece of Android spyware, on VirusTotal, which was connected to GravityRAT. Cybercriminals had added a spy module onto an Android App, called Travel Mate, for people travelling to India. The attackers had used a version of the app, that was published on Github in 2018, and added malicious code while changing the name to Travel Mate Pro.
How to detect spyware on Android phone
So, how to know if spyware is on your phone? Spyware is designed to remain hidden, which makes it hard to detect. However, there are signs of infection that can help you locate spyware on Android devices. These include:
Slow speed and performance
Your phone seems sluggish, even when you’re not running intensive apps. Apps freeze or take longer to load, the operating system seems buggy, and the device is slower in general.
Battery and data drain faster
Spyware software runs quietly in the background, aiming to stay hidden, but it uses a lot of extra battery and data (when you are not using Wi-Fi) in the process. This can result in a higher phone bill or your phone battery draining noticeably faster than usual.
New or different apps or settings
You notice activities on your phone that you have no memory of – for example, apps you don’t remember installing (including hidden Android apps) or changed settings like a new homepage.
Normal phone usage causes some warmth, but malware can cause your phone to overheat much more than usual.
Unsolicited ads and pop-ups
Spyware can sometimes be bundled with adware. If you notice random pop-ups on your device, which adversely affect the user experience, it could indicate spyware.
Difficulty accessing password-protected apps and web pages
Certain types of spyware may use a spoofed browser when you attempt to log in to certain websites. It then collects your login information and sends it to a third party without you realizing (until it’s too late).
Disabled anti-malware software
If the tools you normally use to help scan your phone for spyware suddenly aren’t working, it could mean that your device is already infected. Bundled malware can attack different aspects of your system, and the best way to take it over is to get rid of the programs designed to stop it.
Strange text messages and emails
Targeted devices can receive text messages and emails designed to trick them into manually installing spyware. These messages may take the form of links, codes, or symbols. Such codes may masquerade as authentication codes for gaining access to your social media accounts. Messages could also be spoofed so they appear to come from a contact you trust. If you find yourself the recipient of odd texts, social media messages or emails, this may be a warning sign of a spyware infection attempt. You should delete them without clicking on any links or downloading any files.
Noises during phone calls
Poor signal may occasionally cause you to hear static or beeping noises on your phone calls. But it’s not always down to signal – sometimes, these sounds can be produced when your calls are tapped or from call recordings made by spyware.
If your phone suddenly goes to sleep or wakes up, reboots randomly, or has difficulty powering off, there may be spyware or other malware on your device.
How to remove spyware from Android
There are various options for removing spyware from Android. These include:
Option 1: Finding spyware through Android phone settings
You can find traces of spyware activities by looking through the phone settings on your Android phone.
- First, reboot your phone into safe mode. Safe mode prevents all third-party apps from running, so you will be able to verify that your phone’s strange behavior is coming from spyware rather than a different issue. To do this:
- Hold down your phone’s power button to see your power off and restart options. (Please note that some of the required buttons and indicator positions may vary depending on the device model and Android version).
- Long-press the Power off option and the Reboot to safe mode option will appear. Tap OK.
- You should be able to see that you’re in safe mode via the indication in the bottom left.
- Then, launch the Settings app.
- Click on Apps or Applications, depending on the terminology your device uses.
- Click on the burger menu or the three vertical dots at the top right corner of your screen.
- Click on Show System Processes or Show System Apps.
- Review the list of applications displayed and look for anything suspicious or unfamiliar.
- Uninstall any hidden spy phone apps on your Android device that you manage to discover.
Option 2: Finding spyware through the downloads folder
Checking the downloads folder can help to find any stalkerware and suspicious files that the user definitely did not download. To do this – also in safe mode:
- Launch the My Files or Files app.
- Click on Downloads. This folder contains all files, regardless of type or format, that have been previously downloaded on the device.
- Review the list to see whether there are suspicious-looking files or apps you don’t remember downloading. If you’re unsure, Google the name of the app to see if others have identified issues with it.
- Proceed to delete them by tapping Uninstall to remove them.
Note that some apps may have device administrator permissions that prevent you from uninstalling them. In that case, you will need to remove the permissions. The process varies depending on the type of phone you have and your version of Android, but generally you’ll need to navigate to Settings > Security > Advanced > Device Administrators.
- From the list of apps with device administrator permissions, uncheck the box next to the malicious app. This is also a good opportunity to check if any other suspicious apps have these permissions — if so, remove them as well.
- From the list that pops up, tap Deactivate this device admin app.
- Return to your list of apps. Now you can uninstall the app that you weren’t able to before, along with anything else that looks suspicious.
- Restart your phone, boot it up in normal mode, and test it out.
Hopefully, this will remove the spyware and your phone will function normally.
Option 3: Finding spyware through an Android spyware scan
Using antivirus software is the fastest and probably best way to locate spyware on an Android device. Here are the relevant steps:
- Ensure that you’re using an antivirus that is safe, legitimate, and compatible with your device.
- Run a scan of your Android device. When you scan your phone for spyware with a dedicated app, you have a much higher chance of detecting it.
- Proceed to delete the spyware. The antivirus program may automatically do this or prompt you to approve the deletion.
If nothing works to fix your phone issues, your last option is to perform a factory reset.
Option 3: Perform a factory reset
If none of the above options work, you can carry out a factory reset. A factory reset will delete everything on your phone, including the spyware. Ensure you have a backup of your phone before doing this to avoid losing your apps, photos, and other data. You’ll need to restore your phone to a backup from before you started experiencing the spyware issues.
To wipe your device and return it to the default factory settings:
- Navigate to Settings > System > Reset options.
- Depending on which phone you have, tap Factory data reset or Erase all data (factory reset).
- Confirm by tapping Reset device.
- Your phone will ask you to confirm by typing your password or PIN.
- It will take some time to delete and reset everything, and your phone will then reboot as though it’s a new device.
Your phone will ask you if you want to start fresh or restore from a backup. If you use a backup, be careful to select one from before you started experiencing issues with your phone (in other words, so you don’t reinstall the spyware).
Once you have removed spyware from your Android, further steps you should take include:
- Clear your browser cache
- Change your passwords on every important account you have
- Enable two-factor authentication (2FA) on your device and on accounts that offer it
A note about stalkerware
With stalkerware, some operators will receive an alert warning them that the victim's device has been cleaned up. Avoid tampering with your device if you feel your physical safety may be in danger by doing this. Instead, reach out to support agencies or law enforcement if necessary.
Protect your Android phone from spyware
Here are some steps you can take to protect your phone from spyware:
Stay alert to phishing attempts
If you receive a text or email message which you are unsure about, don’t open it. If you have already opened it, don’t open any attachments or follow any links in the email.
Change passwords regularly
Spyware is designed to collect sensitive information like login details for your bank apps on your phone. Changing these login details on a regular basis will ensure that even if hackers somehow access your data, it may be outdated by the time they choose to use it (assuming that you have since removed spyware from your device).
Only browse secure websites
Carefully check website links before clicking on them. Links to safe and verified websites usually start with HTTPS – the S stands for ‘secure’ and shows the website has an up-to-date security certificate.
Ensure your phone is secure
If stalkerware was installed on your phone, there is a high chance that your device was unlocked, unprotected or that your screen lock was guessed or learned. A stronger lock screen password can be helpful to protect your phone from potential stalkers. You should also protect your email and other online accounts using two-factor authentication wherever possible. Limit physical access to your device, include face identification or fingerprint logins to make it more difficult for others to unlock your phone, even if it’s lost or stolen.
Keep your phone up-to-date
Regularly update your Android to the latest version. Regular updates of your phone’s operating system will ensure the device benefits from the latest security updates and make it more difficult for attackers to infiltrate your device.
Avoid downloading suspicious apps
Pirated Android apps are not difficult to find on third party sites. Resist the temptation to download such apps, no matter how enticing they seem, since they sometimes come with spyware embedded in them. To be safe, it’s best to restrict your downloads to the Google Play Store or official verified websites instead, but be wary as the Google Play Store is also susceptible to malware.
Avoid clicking on pop-up ads
The kind of pop-ups that promise cash or free items or other too-good-to-be-true claims can contain spyware or other forms of malware. Be careful where you click.
Use antivirus software
Antivirus software not only scans and removes spyware but can also block spyware from getting onto your Android phone in the first place. When your device is exposed to a threat, the antivirus will alert you to either leave the website or cancel an ongoing download. Alternatively, it can block harmful data from such sites or stop you from downloading suspicious files.