Android · Recovery Guide

How to Detect Spyware or Stalkerware on Android

Spot the tell-tale signs of unwanted surveillance on your Android phone and learn how to confirm its presence without alerting the perpetrator.

Unusual Battery Drain and Performance Issues

Spyware often runs in the background, consuming significant resources. Keep an eye out for these indicators of increased activity.

• Rapid Battery Depletion: Go to Settings → Battery → Battery usage to see which apps are consuming the most power. Look for unfamiliar apps or legitimate apps using an unusual amount of battery.
• Sluggish Performance: If your phone is constantly slow, freezing, or crashing, even when not running demanding apps, it could be a sign. Check Settings → About phone → Build number (tap it seven times to enable Developer options) and then Developer options → Running services to see background processes.
• Overheating: Your phone getting unusually hot, even when idle, can indicate excessive background activity. This might not have a direct setting but observe your device's physical temperature over time.
• Unexpected Data Usage: Go to Settings → Network & internet → Internet → App data usage (or Settings → Connections → Data usage → Mobile data usage on Samsung) to review apps consuming significant mobile data, even when not actively in use.

Suspicious App Behaviour and Unfamiliar Apps

Spyware often tries to hide, but it might betray its presence through unusual app behaviour or the appearance of unknown applications.

• Unknown Apps Installed: Regularly check your app list via Settings → Apps → See all apps (or Settings → Apps → App list on Samsung). Look for any apps you don't recognise and didn't intentionally install.
• Frequent Pop-ups or Ads: While some apps legitimately show ads, an unusual increase in pop-ups, especially outside of app usage, could be a symptom.
• Apps Asking for Excessive Permissions: Review app permissions by going to Settings → Privacy → Permission manager. Pay close attention to apps requesting access to your camera, microphone, location, or SMS messages, especially if they don't logically need them.
• Inability to Uninstall Apps: If you find an unfamiliar app that you cannot uninstall through the normal process (long-pressing the app icon or via Settings → Apps), it might be malicious.
• Changes to Browser Homepage or Search Engine: If your web browser's homepage or search engine has changed without your consent, this can indicate malicious software.

Unusual Phone Activity and Communications

Spyware often intercepts communications or takes control of your device remotely. Watch out for these odd activities.

• Strange Messages or Calls: Be vigilant for unusual SMS messages (e.g., garbled text, messages with suspicious links) or calls from unknown numbers, particularly those that hang up immediately. These could be attempts to activate or control spyware.
• Screen Flashing on/off: If your screen occasionally flashes on or off, or if the device wakes up without any interaction, it could indicate remote access.
• Microphone or Camera Indicator: Modern Android (12+) shows a small green dot in the top-right corner when the microphone or camera is active. If you see this indicator when you're not actively using an app that requires them, it's a major red flag.
• Failed Call Forwarding Checks: Dial *#21# and press the call button. If you see 'Call forwarding' active for voice, data, or SMS when you haven't set it up, this could be a sign of interception.
• Difficulty Shutting Down: If your phone struggles to turn off or takes an unusually long time to shut down, it might be due to background processes preventing it.

Security Settings and System Anomalies

Attackers may try to disable security features or exploit system settings to maintain access. Review these areas periodically.

• Changes to Security Settings: Check Settings → Security & privacy → More security & privacy (or Settings → Biometrics and security on Samsung). Look for disabled security features like 'Google Play Protect' or 'Device admin apps' (under Other security settings on Pixel, or Other Biometrics and security settings on Samsung) where unfamiliar apps might have administrative privileges.
• Unknown Sources Enabled: Go to Settings → Apps → Special app access → Install unknown apps. Ensure that only trusted sources (like Google Play Store) are allowed to install apps.
• Developer Options Enabled: Check Settings → System → Developer options (if enabled). Look for unfamiliar settings being turned on, such as 'USB debugging' or 'Mock locations', which could facilitate spyware activity. Disable Developer options if you don't use them.
• Suspicious System Updates: Be wary of system update notifications that appear outside of your phone's usual update schedule or look inauthentic. Always verify updates come directly from your phone's manufacturer.
• Rooted Device: While harder to detect without specialised tools, if your device has been rooted (gaining full system access), it becomes much more vulnerable. Look for apps like 'SuperSU' or 'Magisk' which indicate rooting. There's no standard setting to check for this directly.