Your Android phone runs on your Google account — the master key to the whole device. Anyone signed into it from another device can read your messages, open your photos and follow your location through Google sync, with nothing installed on your phone at all. Locking that one account down is the single most important thing you can do to stop being watched.
Secure your Google account, step by step
Most of this lives in one place. Open Settings → Google → Manage your Google Account (or go to myaccount.google.com) and tap the Security tab. Work through these in order.
1. Put it on an email only you control
Your account's recovery email can reset everything, so whoever can reach that inbox controls the account. If it's an old, shared or reused address, move it to a clean, private email no one else can touch — a fresh Proton Mail address is built for exactly this. Set it under Security → How you sign in to Google → Recovery email.
2. Set a strong, unique password
Change your password to something long and unique that you use nowhere else, so an old data breach can't unlock it. A password manager like Proton Pass can generate and store it. Changing it also signs most other sessions out — a clean break if someone has quietly been signed in. Find it under Security → How you sign in to Google → Password.
3. Turn on 2-Step Verification
2-Step Verification means a stolen password alone is no longer enough. Turn it on under Security, and add an authenticator app such as Proton Authenticator rather than relying on SMS, which a SIM swap can intercept. Keep a backup method, but don't make a text message your only one.
4. Remove devices you don't recognise
Open Security → Your devices to see everything signed into your account. Tap anything you don't recognise and choose Sign out, then change your password so it can't simply sign back in.
5. Close the recovery back doors
Finally, check Security → How you sign in to Google for your recovery email, recovery phone and any backup methods. These survive a password change, so an unfamiliar one left in place is a way straight back in. Remove anything that isn't yours.
One more place to check
While you're here, open Security → Your connections to third-party apps & services and remove anything you don't use or recognise. An app with account access can keep reading your data long after a password change.
Already worried it's in place?
These steps lock the account down. To find monitoring that may already be running — forwarded messages, shared location, rogue apps — check the settings someone can abuse on the phone itself.
Common questions
Is my Google account really how someone watches my phone?
What's the single most important step?
Do I still need to change my password if I turn on 2-Step Verification?
Should I use text-message codes for 2-Step Verification?
Written by
Jordan Dickson, Founder, CyberSecurityGuides
Founder of CyberSecurityGuides, writing practical, jargon-free guides that help everyday people recover from and protect against online attacks.
Reviewed by CSG Security Engineers
