How to find and remove spyware from your phone

Surveillance isn't just the purview of nation-states and government agencies -- it's often closer to home.

Our digital selves are now an established part of our identity. The emails we send, the conversations we have over social media -- both private and public -- as well as photos we share, the videos we watch, the apps we download, and the websites we visit all contribute to our digital personas.


There are ways to prevent a government agency, country, or cybercriminals from peeking into our digital lives. Virtual private networks (VPNs), end-to-end encryption, and using browsers that do not track user activity are all common methods.

Sometimes, however, surveillance is more difficult to detect -- and is far closer to home.


This guide will run through what spyware is, what the warning signs of infection are, and how to remove such pestilence from your mobile devices, if it is possible to do so.


What is nuisanceware?

At the bottom of the pile, you have nuisanceware, which often comes in software bundles together with legitimate, free programs. Also known as Potentially Unwanted Programs (PUP), this sort of software may interrupt your web browsing with pop-ups, change your homepage settings by force, and may also gather your browsing data in order to sell it off to advertising agencies and networks.

Although considered malvertising, nuisanceware is generally not dangerous or a threat to your core privacy and security.

What are spyware and stalkerware?

Spyware and stalkerware are types of software, often considered unethical and sometimes dangerous, that can result in the theft of data including images, video, call logs, contact lists, and more.  

These types of software are sometimes found on desktop systems but are now most commonly implanted in mobile handsets across all operating systems. 

Operators -- whether fully-fledged cybercriminals or your nearest and dearest -- may be able to harness the software to monitor emails, SMS and MMS messages sent and received, intercept live calls for the purpose of eavesdropping across standard telephone lines or Voice over IP (VoIP) applications, covertly record environmental noise or take photos, track GPS locations, and compromise commonly-used social media apps including Facebook and WhatsApp. 

Stalkerware is the next step up from spyware and has become an established term in its own right, coined after a series of investigations conducted by Motherboard. The difference between them is that spyware can be more generic in purpose: stealing OS and clipboard data and anything of potential value such as cryptocurrency wallet data or account credentials, whereas stalkerware is downloaded for a specific purpose.

Both terms, spyware and stalkerware, relate to similar malicious software functions. However, the latter is deemed more personal in use.

This can include monitoring who a partner interacts with, what your children are doing online, or spying on an employee's activities.

Whereas spyware rarely singles out individuals, unless it is in the hands of law enforcement or unscrupulous government agencies trying to target particular people of interest -- such as political opponents, civil rights group members, lawyers, or journalists -- stalkerware is software that anyone can buy in order to spy on partners, children, or employees.

In order to avoid potential legal issues and alienating clients, many spyware solutions providers will market their offerings as services for parents seeking a way to monitor their child's mobile device usage or for business owners to keep an eye on their staff's online activities during work hours. 

However, anyone willing to pay for the software can acquire it.

Retina-X, makers of PhoneSheriff, marketed their spyware software solution, for example, as "parental control for mobile."

PhoneSheriff, developed for the Google Android operating system, permitted location monitoring via GPS, recorded calls, enabled access to text messages, and logged websites visited. The spyware was also able to block contacts, websites, and apps.

The company, which also developed TeenShield, SniperSpy, and Mobile Spy, closed its doors after a hacktivist said they would "burn them to the ground." Retina-X stopped taking orders for the software and offered pro-rated refunds to contracted users.

Other forms of spyware are offered by NSO Group, an Israel-based company that markets itself as a provider of solutions to "help government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe." In July, reports claimed that the firm's spyware, Pegasus, is being used to target government officials, civil rights activists, and journalists worldwide. NSO Group has denied these accusations. 

When these types of software are used at home, there are few reasons which do not lean towards toxic relationships. As technology has evolved, so too has domestic abuse. Sometimes, stalkerware is used to monitor partners and spouses covertly, or occasionally with the full knowledge of the victim.

Spyware and stalkerware are found less commonly in the enterprise although some software solutions are marketed for companies to keep track of employee mobile devices and their activities.

The lines here can be blurry, but if a mobile device belongs to a company and is used by a staff member in the full knowledge that it is tracked or monitored, then this may be considered acceptable. In these cases, employees should keep their private lives, social media, and emails on their own smartphone or tablet and off company property.

  • SpyPhone Android Rec Pro: This £143 spyware claims to offer "full control" over a smartphone's functions, including listening in to the background noise of calls and recording them in their entirety; intercepting and sending copies of SMS and MMS messages sent from the victim's phone, sending activity reports to the user's email address, and more.
  • FlexiSpy: One of the most well-known forms of stalkerware out there is FlexiSpy, which markets itself using the slogan: "It takes complete control of the device, letting you know everything, no matter where you are." FlexiSpy is able to monitor both Android smartphones and PCs and is willing to deliver a device with the malware pre-installed to users. The spyware is able to listen in on calls, spy on apps including Facebook, Viber, and WhatsApp, turn on the infected device's microphone covertly, record Android VoIP calls, exfiltrate content such as photos, and intercept both SMS messages and emails. At the time of writing, marketing seems to be geared -- at least, publicly -- towards parents and business owners. The first image you see on the service's website shows a teenager on her handset, with a message, "My dad's not here. Meet me at 10."

  • PhoneSpector: Designed for both Android and iOS handsets, PhoneSpector claims to offer a means to "get texts, call history, GPS location and more without having the phone in your possession." 

Mobile Tracker, FoneMonitor, Spyera, SpyBubble, Spyzie, Android Spy, and Mobistealth are a few more examples of stalkerware which offer similar features, among many, many more in what has become a booming business.

SpyFone is another. This company was recently ordered by the FTC to delete all of its stored data, harvested from infected devices -- and to make an effort to inform victims that their mobile devices have been compromised. SpyFone is now known as Support King.

It is also worth noting that you can be tracked by legitimate software which has been abused. Whether or not GPS is turned on, some information recovery apps and services designed to track down a handset in the case of loss or theft can be turned against victims to track their location instead.

What are the warning signs of spyware?

If you find yourself the recipient of odd or unusual social media messages or emails, this may be a warning sign and you should delete them without clicking on any links or downloading any files. The same goes for SMS content, too, which may contain links to lure you into unwittingly downloading spyware. 

To catch a victim unaware, these messages -- known as phishing attempts -- will attempt to lure you into clicking a link or executing software that hosts a spyware/stalkerware payload. 

Should operators employ this tactic, they need their victims to respond. In order to ensure this, messages may contain content designed to induce panic, such as a demand for payment, a failed delivery notice, or they could potentially use spoofed addresses from a contact you trust.

When it comes to stalkerware, initial infection messages may be more personal and tailored to the victim. 

There's no magic button to send spyware over the air; instead, physical access or the accidental installation of spyware by the victim is necessary. However, it can take less than a minute to install some variants of spyware and stalkerware, and so the required time window is short.

If your mobile goes missing and reappears with different settings or changes that you do not recognize, or perhaps has been confiscated for a time, this may be an indicator of tampering.

Surveillance software is becoming more sophisticated and can be difficult to detect. However, not all forms of spyware and stalkerware are invisible and it is possible to find out if you are being monitored.

Android: A giveaway on an Android device is a setting that allows apps to be downloaded and installed outside of the official Google Play Store. 

If enabled, this may indicate tampering and jailbreaking without consent. Not every form of spyware and stalkerware requires a jailbroken device, however. There is an app available in the Play Store called Root Checker that can check for jailbreaking on your behalf.

This setting is found in modern Android builds in Settings > Security > Allow unknown sources. (This varies depending on device and vendor.)

You can also check Apps > Menu > Special Access > Install unknown apps to see if anything appears which you do not recognize, but there is no guarantee that spyware will show up on the list.

Some forms of spyware will also use generic names to avoid detection. If a process or app comes up on the list you are not familiar with, a quick search online may help you ascertain whether it is legitimate.
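A scripted version of the Android check above, as an added example that is not part of the original article: it reads the output of `adb shell pm list packages -i -3` (user-installed packages with their recorded installer) and lists those not installed by the Play Store. It assumes adb with an authorised USB-debugging connection and treats only `com.android.vending` (Google Play) as trusted; the sample lines and package names are constructed.

```shell
#!/bin/sh
# Installer package names treated as trusted (assumption: Google Play only;
# add your vendor's own store here, space-separated, if you use one).
TRUSTED_INSTALLERS="com.android.vending"

# Reads `pm list packages -i -3` lines on stdin and prints
# "package<TAB>installer" for each package not installed by a trusted store.
flag_sideloaded() {
  cr=$(printf '\r')
  while IFS= read -r line; do
    line=${line%"$cr"}                  # adb output may carry CR line endings
    case $line in
      package:*) ;;
      *) continue ;;                    # skip anything that is not a package row
    esac
    pkg=${line#package:}
    pkg=${pkg%% *}                      # keep the name, drop the installer field
    case $line in
      *installer=*) installer=${line##*installer=} ;;
      *) installer=unknown ;;
    esac
    case " $TRUSTED_INSTALLERS " in
      *" $installer "*) ;;              # installed by a trusted store
      *) printf '%s\t%s\n' "$pkg" "$installer" ;;
    esac
  done
}

# Constructed sample listing (not taken from a real device).
sample_listing() {
  cat <<'EOF'
package:com.example.chat  installer=com.android.vending
package:com.example.syncservice  installer=null
package:org.example.notes  installer=com.google.android.packageinstaller
EOF
}

# Live use:  adb shell pm list packages -i -3 | flag_sideloaded
sample_listing | flag_sideloaded
```

A flagged entry is only a prompt to look the package name up, and, as noted above, there is no guarantee that spyware will show up in the list.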

iOS: It is generally harder to install malware on iOS devices unless they are jailbroken. However, the presence of an app called Cydia, which is a package manager that enables users to install software packages on a jailbroken device, may indicate tampering unless you knowingly downloaded the software yourself.

If you think your PC may have been infiltrated, check below:

Windows: On Windows machines, double-checking installed program lists -- possible through the start bar -- and running processes under "Task Manager" may help you identify suspicious programs.

Mac: On Apple Mac machines, you can do the same by clicking "Launchpad," "Other," and "Activity Monitor" to check the status of running programs. You can also reach Activity Monitor quickly through Spotlight.

An antivirus scan is also a recommended way to remove spyware and PUP.

In the cases of Android, iOS devices, and PCs, you may experience unexpected battery drain and overheating, as well as unexpected or strange behavior from the device operating system or apps -- but in the latter case, many users of stalkerware will try not to play their hand and the software is developed to be as silent as possible.

As with most things in life, trust your instincts. If you think something is wrong, it probably is -- and you should take steps to seize control of the situation.

This is where things get difficult. By design, spyware and stalkerware are hard to detect and can be just as hard to remove. It is not impossible in most cases but may take some drastic steps on your part.

When removed, especially in the case of stalkerware, some operators will receive an alert warning them that the victim's device has been cleaned up. In addition, should the flow of information suddenly cease, this is a clear indicator that the malicious software has been eradicated.

  1. Run a malware scan: On both mobile devices and PCs, there is a variety of antivirus solutions available which may be able to detect and remove basic forms of spyware. This is the easiest solution available but may not prove effective in every case.
  2. Change all of your passwords: If you suspect account compromise, change every password on every important account you have. Many of us have one or two central accounts, such as an email address, which will act as a hub for other accounts and password recovery. Begin there. It might also be an idea to remove access to any 'hub' services you use from a device you think has been compromised and only access them from another source.
  3. Enable two-factor authentication (2FA): 2FA, in which account activity and logins require further consent from a mobile device, can also help protect individual accounts. However, spyware may intercept the codes sent during 2FA protocols.
  4. Consider creating a new email address, known only to you, which becomes tethered to your main accounts.
  5. Update your OS: It may seem obvious, but when an operating system releases a new version which often comes with security patches and upgrades, this can -- if you're lucky -- cause conflict and problems with spyware. In the same way as antivirus solutions, keep this updated.
  6. Protect your device physically: A PIN code, pattern, or enabling biometrics can protect your mobile device from future tampering. However, it will not help if a device has already been compromised. 
  7. If all else fails, factory reset... or junk it: Performing a factory reset and clean install on the device you believe is compromised may help eradicate some forms of spyware and stalkerware. However, make sure you remember to back up important content first. On Android platforms, this is usually found under Settings > General Management > Reset > Factory Data Reset. On iOS, go to Settings > General > Reset.

Unfortunately, some stalkerware services may survive factory resets. So, failing all of that, consider restoring to factory levels and then throwing your device away.

Removal 

FlexiSpy removal: FlexiSpy may masquerade on Android devices under the name "SyncManager." If you find this app on your phone, try to uninstall it directly, and then restart your phone. However, it may also appear under another generic name, and so before deleting any apps, perform a search on the app name first.

Cybersecurity vendors including Malwarebytes, Avast, and Kaspersky all offer spyware-scanning tools. You can try downloading them and performing a scan to wipe out infections. 

So, what are Google and Apple doing about the problem?

Both Google and Apple are generally quick off the mark if spyware or other forms of malicious apps manage to circumvent the privacy and security barriers imposed for applications hosted in their respective official app stores. 

In July 2019, Google removed seven apps from the same Russian developer from the Play Store. While marketed as employee and child trackers, the tech giant took a dim view of their overreaching functions -- including GPS device tracking, access to SMS messages, the theft of contact lists, and potentially the exposure of communication taking place in messaging applications. 

When it comes to Apple, the iPad and iPhone maker began a crackdown on parental control apps in April 2019, citing privacy-invading functions as the reason for some iOS apps to be removed from the App Store. In some cases, Apple requested developers to remove functions, whereas, in others, the apps were simply removed. The company offers its own parental device control service called Screen Time for parents that want to limit their children's device usage. 

Microsoft includes Microsoft Defender with modern versions of the Windows operating system to stop, isolate, and remove malware.

Surveillance without consent is unethical and in domestic situations causes a severe imbalance in power. If your sixth sense says something is wrong, listen to it.

A physical object is not worth sacrificing your privacy for. Should your device become compromised, take back control of your right to privacy -- whether or not this means replacing your handset entirely.