Your Android phone may have stalkerware, here’s how to remove it • TechCrunch
A security vulnerability in one of the largest consumer-based spyware operations today, putting the private phone data of some 400,000 people at risk, a number that is growing daily. The operation, identified by TechCrunch, is run by a small crew of developers in Vietnam, but has yet to fix the security issue.
In this case, it’s not just a problematic spyware app. There is a whole fleet of apps – Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy – that share the same security vulnerability.
But without a fix in place, TechCrunch can’t disclose specific details about the vulnerability because of the risk it poses to hundreds of thousands of people whose phones have been unknowingly compromised.
With no expectation that the security issue will be resolved anytime soon, this guide can help you remove these specific spyware apps from your Android phone – if you think it’s safe to do so.
Consumer-grade spyware apps are often sold under the guise of child tracking software, but are also known as “stalkerware” for their ability to track and monitor partners or spouses without their consent. These apps are downloaded from outside the Google Play app store, are planted on a phone without a person’s permission, and are designed to disappear from the home screen to avoid detection. You may notice that your phone is behaving strangely, or running hotter or slower than usual, even when you’re not actively using it.
Because this fleet of stalkerware apps relies on abusing built-in Android features that are more commonly used by employers to remotely manage employees’ work phones, checking if your Android device is compromised can be done quickly and easily.
Before proceeding, have a safety plan in place. The Coalition Against Stalkerware offers advice and guidance to victims and survivors of stalkerware. Spyware is designed to be hidden, but remember that removing spyware from your phone will likely alert the person who planted it, which can create an unsafe situation.
Note that this guide only removes the spyware app, it does not delete the data that was already collected and uploaded to the servers. Some versions of Android may also have slightly different menu options. Follow these steps at your own risk.
Check your Google Play Protect settings
Make sure Google Play Protect, a security feature on Android phones, is enabled. Image credit: TechCrunch
Google Play Protect is one of the best security measures to protect against malicious Android apps, both third-party and in the app store. However, when turned off, these protections stop and stalkerware or malware can be installed on the device outside of Google Play. That’s why this stalkerware network asks the person planting the spyware to disable Google Play Protect before it works.
Check your Google Play Protect settings through the Google Play app and make sure it’s enabled and a recent scan has been completed.
Check if accessibility services have been tampered with
Stalkerware relies on deep access to your device and its data, and it often abuses the accessibility feature of Android, which by design must have broad access to the operating system and data for the screen reader and other accessibility features to work. If you don’t recognize a downloaded service in the accessibility options, you may want to remove it. Many of the stalkerware apps are disguised as regular apps called “Accessibility” or “Device Health.”
Android spyware often abuses built-in accessibility features. Image credit: TechCrunch
Check if a device manager app is installed
Device management options have similar but even broader access to Android as the accessibility features. These device management options are designed to be used by companies to remotely manage their employees’ phones, disable features and wipe data to prevent data loss. But they also allow stalkerware apps to record your screen and snoop on your device owner.
An unknown item in your device’s admin app settings is a common indicator of phone compromise. Image credit: TechCrunch
Most people don’t want a device manager app on their personal phone, so be aware that if you see an app you don’t recognize, called something like “System Services,” “Device Health,” or “Device Manager.”
Check apps to uninstall
You may not see a home screen icon for some of these stalkerware apps, but they may still appear in the app list of your Android device. Go to your Android settings, then see your apps. Look for an app with an innocent name like “Device Health” or “System Service”, with generic icons. These apps will have broad access to your calendar, call logs, camera, contacts and location.
Spyware programs often have generic icons. Image credit: TechCrunch
If you see an app here that you don’t recognize or haven’t installed, tap Uninstall. Note that this will likely notify the person who planted the stalkerware that the app is no longer installed.
Secure your phone
If stalkerware was planted on your phone, there’s a good chance your phone was unlocked, unprotected, or the screen lock was guessed or learned. A stronger lock screen password can be helpful in protecting your phone from potential stalkers. You should also protect email and other online accounts by using two-factor authentication where possible.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential support 24/7 for victims of domestic abuse and violence. If you’re in an emergency, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or [email protected] via email.
