Spyware covertly tracks everything you do on your device, from browsing the internet to sensitive transactions. If spyware ends up on your Android phone, you could be sending your login credentials and financial information directly to cybercriminals. Learn how to detect and remove spyware on Android devices.
Spyware is a form of malicious software which can monitor your online activity without your knowledge. It can collect sensitive information about you, such as login details, location, banking and credit card details, messages, private photos, and browsing history. Typically, hackers use this sensitive information for financial gain.
There are different types of spyware, each designed to carry out a specific task. These include:
All malware represents a threat. Spyware is especially insidious because it hides inside your device, accessing your personal information without your knowledge. Hackers use the data they uncover with spyware to commit identity theft, fraud, and other crimes.
Spyware typically involves a high level of surveillance. For example, depending on the type of spyware on your Android, it may be able to record audio or video through your device or track your browsing history or physical location. Keyloggers can even record everything you type.
Another form of spyware is ‘stalkerware’, which involves someone you know installing a spying app on your device without your permission or knowledge. These types of apps can be used by jealous partners, suspicious employers, or over-anxious parents. Stalkerware differs from other types of spyware because it doesn’t send your data to unknown cybercriminals but to someone you know personally. This is because an attacker needs physical access to a personal account, where they can see the data received from the victim’s device. Stalkerware can be used for blackmail, extortion, or as a tool in domestic violence or abuse.
There are various ways spyware can end up on your Android phone, including:
You inadvertently downloaded a malicious app
While Google has a vetting process for the apps they allow into the Play Store, sometimes malware can slip through.
You fell victim to a phishing scam
Phishing scams using email or text messages involve cybercriminals impersonating either a legitimate company or a known contact to trick the victim
into downloading a malicious file or disclosing personal information.
Someone downloaded stalkerware onto your device
Stalkerware is usually installed by someone who has physical access to your device. They may place stalkerware on your phone to track your location, monitor your online activity, record
your calls and access correspondence in instant messengers. This could also include stalkerware and keyloggers that records everything you type.
Hackers come up with new spyware all the time. Here are some recent eye-catching examples:
RatMilad, 2022
A new Android spyware named RatMilad was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. Researchers warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims’ conversations.
The spyware was distributed through a fake virtual number generator used for activating social media accounts called ‘NumRent’. Once installed, the app requested risky permissions and then abused them to sideload the malicious RatMilad payload.
The main distribution channel for the fake app was Telegram, as NumRent, or other Trojans carrying RatMilad, aren’t available on the Google Play Store or third-party stores. The RatMilad threat actors also created a dedicated website to promote the mobile remote access trojan (RAT) to make the app appear more convincing. This website was promoted on Telegram and other social media platforms.
FurBall, 2022
A new version of the FurBall Android spyware was found targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also known as APT-C-50. The spyware was deployed in a mass-surveillance operation that has been underway since at least 2016.
The newest FurBall malware version was sampled and analyzed by researchers, who reported that it had many similarities with earlier versions, but with new obfuscation updates. This version of FurBall is distributed through fake websites that are visual clones of real ones, where victims end up by clicking on links in direct messages, social media posts, emails, SMS, or via unethical SEO techniques.
PhoneSpy, 2021
In 2021, researchers identified a spyware app in South Korea which affected Android devices. Called PhoneSpy, this malicious program masqueraded as a regular application so it could gain access to the infected machine to steal data and remotely control it. This spyware is estimated to have infected more than 1,000 Android devices.
PhoneSpy was found in legitimate-seeming apps such as yoga, video streaming, and messaging apps. Because these apps were not in the Google Play Store, researchers believe the malware was distributed through other third-party platforms that attackers shared via social engineering and phishing techniques.
GravityRAT, 2020
In 2018, researchers found a piece of spyware, called GravityRAT, that was designed to target the Indian armed forces. It previously mainly targeted Windows machines, but following changes in 2018, Android devices became targets as well.
In 2019, we encountered a piece of Android spyware, on VirusTotal, which was connected to GravityRAT. Cybercriminals had added a spy module onto an Android App, called Travel Mate, for people travelling to India. The attackers had used a version of the app, that was published on Github in 2018, and added malicious code while changing the name to Travel Mate Pro.
So, how to know if spyware is on your phone? Spyware is designed to remain hidden, which makes it hard to detect. However, there are signs of infection that can help you locate spyware on Android devices. These include:
Slow speed and performance
Your phone seems sluggish, even when you’re not running intensive apps. Apps freeze or take longer to load, the operating system seems buggy, and the device is slower in general.
Battery and data drain faster
Spyware software runs quietly in the background, aiming to stay hidden, but it uses a lot of extra battery and data (when you are not using Wi-Fi) in the process. This can result in a higher phone bill
or your phone battery draining noticeably faster than usual.
New or different apps or settings
You notice activities on your phone that you have no memory of – for example, apps you don’t remember installing (including hidden Android apps) or changed settings like
a new homepage.
Constant overheating
Normal phone usage causes some warmth, but malware can cause your phone to overheat much more than usual.
Unsolicited ads and pop-ups
Spyware can sometimes be bundled with adware. If you notice random pop-ups on your device, which adversely affect the user experience, it could indicate spyware.
Difficulty accessing password-protected apps and web pages
Certain types of spyware may use a spoofed browser when you attempt to log in to certain websites. It then collects your login information and sends it to a third party without
you realizing (until it’s too late).
Disabled anti-malware software
If the tools you normally use to help scan your phone for spyware suddenly aren’t working, it could mean that your device is already infected. Bundled malware can attack different aspects of your system,
and the best way to take it over is to get rid of the programs designed to stop it.
Strange text messages and emails
Targeted devices can receive text messages and emails designed to trick them into manually installing spyware. These messages may take the form of links, codes, or symbols. Such codes may masquerade
as authentication codes for gaining access to your social media accounts. Messages could also be spoofed so they appear to come from a contact you trust. If you find yourself the recipient of odd texts, social media messages or emails, this may be
a warning sign of a spyware infection attempt. You should delete them without clicking on any links or downloading any files.
Noises during phone calls
Poor signal may occasionally cause you to hear static or beeping noises on your phone calls. But it’s not always down to signal – sometimes, these sounds can be produced when your calls are tapped or from
call recordings made by spyware.
Unusual behavior
If your phone suddenly goes to sleep or wakes up, reboots randomly, or has difficulty powering off, there may be spyware or other malware on your device.
There are various options for removing spyware from Android. These include:
You can find traces of spyware activities by looking through the phone settings on your Android phone.
Checking the downloads folder can help to find any stalkerware and suspicious files that the user definitely did not download. To do this – also in safe mode:
Note that some apps may have device administrator permissions that prevent you from uninstalling them. In that case, you will need to remove the permissions. The process varies depending on the type of phone you have and your version of Android, but generally you’ll need to navigate to Settings > Security > Advanced > Device Administrators.
Hopefully, this will remove the spyware and your phone will function normally.
Using antivirus software is the fastest and probably best way to locate spyware on an Android device. Here are the relevant steps:
If nothing works to fix your phone issues, your last option is to perform a factory reset.
If none of the above options work, you can carry out a factory reset. A factory reset will delete everything on your phone, including the spyware. Ensure you have a backup of your phone before doing this to avoid losing your apps, photos, and other data. You’ll need to restore your phone to a backup from before you started experiencing the spyware issues.
To wipe your device and return it to the default factory settings:
Your phone will ask you if you want to start fresh or restore from a backup. If you use a backup, be careful to select one from before you started experiencing issues with your phone (in other words, so you don’t reinstall the spyware).
Once you have removed spyware from your Android, further steps you should take include:
With stalkerware, some operators will receive an alert warning them that the victim's device has been cleaned up. Avoid tampering with your device if you feel your physical safety may be in danger by doing this. Instead, reach out to support agencies or law enforcement if necessary.
Here are some steps you can take to protect your phone from spyware:
Stay alert to phishing attempts
If you receive a text or email message which you are unsure about, don’t open it. If you have already opened it, don’t open any attachments or follow any links in the email.
Change passwords regularly
Spyware is designed to collect sensitive information like login details for your bank apps on your phone. Changing these login details on a regular basis will ensure that even if hackers somehow access your
data, it may be outdated by the time they choose to use it (assuming that you have since removed spyware from your device).
Only browse secure websites
Carefully check website links before clicking on them. Links to safe and verified websites usually start with HTTPS – the S stands for ‘secure’ and shows the website has an up-to-date security certificate.
Ensure your phone is secure
If stalkerware was installed on your phone, there is a high chance that your device was unlocked, unprotected or that your screen lock was guessed or learned. A stronger lock screen password can be helpful
to protect your phone from potential stalkers. You should also protect your email and other online accounts using two-factor authentication wherever possible. Limit physical access to your device, include face identification or fingerprint logins to make it more difficult for others to unlock your phone,
even if it’s lost or stolen.
Keep your phone up-to-date
Regularly update your Android to the latest version. Regular updates of your phone’s operating system will ensure the device benefits from the latest security updates and make it more
difficult for attackers to infiltrate your device.
Avoid downloading suspicious apps
Pirated Android apps are not difficult to find on third party sites. Resist the temptation to download such apps, no matter how enticing they seem, since they sometimes come with spyware embedded in them.
To be safe, it’s best to restrict your downloads to the Google Play Store or official verified websites instead, but be wary as the Google Play Store is also susceptible to malware.
Avoid clicking on pop-up ads
The kind of pop-ups that promise cash or free items or other too-good-to-be-true claims can contain spyware or other forms of malware. Be careful where you click.
Use antivirus software
Antivirus software not only scans and removes spyware but can also block spyware from getting onto your Android phone in the first place. When your device is exposed to a threat, the antivirus will alert you to either leave the website or cancel an ongoing download. Alternatively, it can block harmful data from such sites or stop you from downloading suspicious files.
Related products:
Further reading:
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.