Your Android phone may have Stalkerware, here’s how to remove it – TechCrunch

A security gap in one of the largest consumer-level spyware operations today has compromised the private phone data of nearly 400,000 people, a number that is increasing daily. The operation, identified by TechCrunch, is run by a small crew of developers in Vietnam, but the security issue has yet to be resolved.

In this case, it is not just one spyware application that has problems. It’s an entire fleet of apps – Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker, and GuestSpy – that share the same vulnerability.

But with no fix in place, TechCrunch cannot reveal specific details about the vulnerability because of the risk it poses to the hundreds of thousands of people whose phones have been hacked without their knowledge.

With the vulnerability not expected to be fixed any time soon, this guide can help you remove these specific spyware apps from your Android phone – if you think it’s safe to do so.

Consumer spyware apps are often sold under the guise of child tracking software, but they are also known as “stalkerware” for their ability to track and monitor partners or spouses without their consent. These apps are downloaded from outside the Google Play app store, are planted on a phone without the person’s permission, and are designed to disappear from the home screen to avoid detection. You may notice that your phone behaves unusually, or runs warmer or slower than usual, even when you’re not actively using it.

Since this fleet of Stalkerware apps relies on abusing the built-in Android features that employers most commonly use to remotely manage employees’ work phones, checking to see if your Android device has been hacked can be done quickly and easily.

Before moving forward, have a safety plan in place. The Alliance Against Stalkerware provides advice and guidance to victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing spyware from your phone will likely alert the person who planted it, which could lead to an unsafe situation.

Note that this guide only removes the spyware application; it does not delete data that has already been collected and uploaded to the operators’ servers. Also, some versions of Android may have slightly different menu options. Follow these steps at your own risk.

Check your Google Play Protect settings

Make sure Google Play Protect, a security feature in Android phones, is enabled. Image credits: TechCrunch

Google Play Protect is one of the best security tools to protect against malicious Android apps, both third-party and in the app store. But when it is turned off, those protections stop, and stalkerware or malware can be installed on the device from outside Google Play. That’s why the stalkerware network requires the person planting the spyware to disable Google Play Protect before it can work.

Check your Google Play Protect settings through the Google Play app and make sure that it is enabled and that a scan was completed recently.

Check if accessibility services have been tampered with

Stalkerware relies on deep access to your device and its data, and it often abuses Android’s accessibility feature, which, by design, must have extensive access to the operating system and its data for screen readers and other accessibility features to work. If you don’t recognize a downloaded service in the accessibility options, you may want to remove it. Many stalkerware apps are disguised as ordinary-looking apps called “Accessibility” or “Device Health”.

Screenshot of accessibility settings in Android.

Android spyware often abuses the built-in accessibility features. Image credits: TechCrunch

Check if the Device Administrator app is installed

Device administrator options have similar but broader access to Android than accessibility features do. These device administrator options are designed for companies to remotely manage their employees’ phones, disable features and wipe data to prevent data loss. But they also allow stalkerware apps to record the screen and spy on the device owner.

Screenshots showing the Android Device Administrator app dashboard.

An unrecognized item in the device admin app settings is a common indicator of a phone compromise. Image credits: TechCrunch

Most people won’t have a Device Administrator app on their personal phone, so be aware if you see an app you don’t know, called something like “System Service,” “Device Health,” or “Device Admin.”

Check apps to uninstall

You may not see a home screen icon for any of these stalkerware apps, but they may still appear in your Android device’s app list. Go to Android settings, then view your apps. Look for an app with a harmless name like “Device Health” or “System Service”, with a generic-looking icon. These apps will have wide access to your calendar, call logs, camera, contacts and location.

Three screenshots of spyware apps, named "Device Health" and "System Service."

Spyware applications often have generic-looking icons. Image credits: TechCrunch

If you see an app here that you don’t recognize or didn’t install, you can hit Uninstall. Note that this will likely alert the person who planted the stalkerware that the application is no longer installed.
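For someone helping with a device over adb, the accessibility, device admin and app-list checks above can be cross-referenced in one pass. This is an added example, not part of the original article: the package names and sample output are constructed, and the `dumpsys device_policy` layout it parses is an assumption that varies between Android versions.

```python
import re

PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play installs

def accessibility_packages(setting_value):
    """Packages owning enabled accessibility services (colon-separated components)."""
    value = setting_value.strip()
    if value in ("", "null"):  # adb prints "null" when the setting is unset
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def device_admin_packages(dumpsys_text):
    """Packages on 'pkg/.Receiver:' lines (assumed dumpsys layout; varies by version)."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dumpsys_text, re.M))

def sideloaded_packages(pm_list_text):
    """Third-party packages whose recorded installer is not Google Play."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_list_text, re.M)
    return {pkg for pkg, installer in pairs if installer != PLAY_STORE}

def triage(a11y_value, dumpsys_text, pm_list_text):
    """Map each sideloaded package to the privileged roles it holds."""
    roles = (("accessibility service", accessibility_packages(a11y_value)),
             ("device admin", device_admin_packages(dumpsys_text)))
    findings = {}
    for pkg in sorted(sideloaded_packages(pm_list_text)):
        held = [name for name, members in roles if pkg in members]
        if held:
            findings[pkg] = held
    return findings

# Constructed sample output (package names are made up), in the shape returned by:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.devicehealth/.SyncService")
#   adb shell dumpsys device_policy
SAMPLE_POLICY = """\
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.devicehealth/.AdminReceiver:
      uid=10231
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
"""
#   adb shell pm list packages -i -3
SAMPLE_PM = """\
package:com.example.devicehealth  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.game  installer=null
"""

if __name__ == "__main__":
    for pkg, held in triage(SAMPLE_A11Y, SAMPLE_POLICY, SAMPLE_PM).items():
        print(f"{pkg}: sideloaded and holds {', '.join(held)}")
```

The three adb commands only read state and remove nothing. Apps installed from a manufacturer or alternative store also show a non-Play installer, so a finding is a prompt for manual review, not a verdict.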

Secure your phone

If stalkerware has been planted on your phone, there is a good chance that your phone was unlocked or unprotected, or that your screen lock was guessed or learned. A stronger lock screen password can help protect your phone from would-be stalkers. You should also protect your email and other online accounts with two-factor authentication where possible.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential, 24/7 support for victims of domestic abuse and violence. If you’re in an emergency, call 911. The Alliance Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or via email.
