How to Detect and Remove Malware on Android
Step-by-step guide to detecting and removing Android malware using Play Protect, Safe Mode, ADB, and factory reset, with prevention tips and coverage of stalkerware risks.
Marcus Fielding, June 1, 2026

Android malware is more varied than most users expect: it ranges from aggressive adware bundled with unofficial APKs from untrusted sources to sophisticated spyware hiding behind legitimate-looking system components. The good news is that Android’s architecture - sandboxed apps, verified boot, and permission gating - gives you real tools to detect and eliminate threats at every level. This guide walks through the full process, from spotting early warning signs to the last-resort factory reset, with practical commands and links to official references throughout.
Recognising the Signs of Infection
No single symptom proves malware, but several together should prompt investigation:
| Warning sign | Likely cause | Action |
|---|---|---|
| Battery draining unusually fast | Background process running constantly | Check battery usage in Settings |
| Mobile data spike with no explanation | Ad SDK phoning home or data exfiltration | Review per-app data in Settings > Network |
| New apps you did not install | Dropper malware or PUA (potentially unwanted app) | Audit installed apps immediately |
| Random pop-up ads outside any browser | Adware with Accessibility Service abuse | Revoke Accessibility permissions |
| Device overheating at idle | Cryptominer malware running in background | CPU usage check via developer tools |
| Play Protect warning on an installed app | Known malicious signature detected | Remove the app immediately |
| Unknown device admins in Settings | Stalkerware or MDM-style persistence | Revoke and remove |
If you see two or more of these together, move to the detection steps below. For a broader baseline of Android hardening, the Android Privacy Hardening Checklist covers the permission and settings hygiene that makes these attacks harder in the first place.
Step 1 - Run a Play Protect Scan
Google Play Protect is Android’s built-in malware scanner. It scans apps at install time and periodically re-scans the device. Open the Play Store, tap your profile icon, select Play Protect, then tap Scan. If a threat is found, Play Protect will offer to remove the app or send it to Google for analysis.
Play Protect’s efficacy has been independently measured by AV-TEST (https://www.av-test.org/en/antivirus/mobile-devices/), where it typically scores above 85% for known malware detection. It is not perfect, but it is your fastest first filter.
If Play Protect is disabled - especially if you did not disable it yourself - that is a significant red flag. Some malware families disable Play Protect as part of their installation. Re-enable it, then scan.
Step 2 - Audit Permissions and Accessibility Services
Malware on Android frequently abuses two categories of elevated access: Accessibility Services and Device Administrator privileges. These grant far more power than standard app permissions and are the mechanism most spyware and adware families exploit.
Check both:
- Settings > Accessibility > Installed apps (path varies by manufacturer) - every entry here should be something you knowingly enabled. Screen readers, password managers, and input tools belong here. Unfamiliar entries do not.
- Settings > Security > Device Admin Apps - legitimate uses are corporate MDM profiles and Find My Device. Remove anything else.
Also review apps with Notification access (Settings > Notifications > Notification Access) and Usage access (Settings > Apps > Special app access > Usage access). Both are vectors for data harvesting.
Revoke any suspicious permissions under Settings > Apps, select the app, then Permissions. If an app has no legitimate reason for a permission - a flashlight app with microphone access, for example - that is a signal to remove it entirely.
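The Settings paths above are the normal way to do this audit. As an added example (not from the original article), the script below does the same check for Accessibility Services over ADB, which is handy when the Settings UI is being tampered with or when you want a repeatable check across several devices. It reads the `enabled_accessibility_services` secure setting, splits it into package names, and flags any package not on an allowlist you maintain. The allowlist entries are constructed placeholders; `ADB` can be pointed at a stub so the parsing runs offline.

```shell
#!/bin/sh
# Added example: audit enabled Accessibility Services via ADB against an allowlist.
# Assumes `adb` is on PATH with one authorised device (override with ADB=...).

ADB="${ADB:-adb}"

# Packages you knowingly enabled as accessibility services. Constructed sample:
# replace with the real package names of your screen reader, password manager, etc.
ACCESSIBILITY_ALLOWLIST="com.example.screenreader com.example.passwordmanager"

parse_accessibility_packages() {
    # $1: raw value of enabled_accessibility_services. The setting is a
    # colon-separated list of "package/ServiceClass" entries, or "null" when
    # nothing is enabled. Prints one unique package name per line.
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | cut -d/ -f1 \
        | grep -v '^null$' | grep -v '^$' | sort -u
}

is_allowlisted() {
    # $1: package name; returns 0 when it is in ACCESSIBILITY_ALLOWLIST.
    for allowed in $ACCESSIBILITY_ALLOWLIST; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

flag_unlisted_services() {
    # $1: raw setting value. Prints a REVIEW line for each package that has an
    # accessibility service enabled but is not on the allowlist.
    parse_accessibility_packages "$1" | while IFS= read -r pkg; do
        is_allowlisted "$pkg" || printf 'REVIEW: %s has an enabled accessibility service\n' "$pkg"
    done
}

audit_device() {
    # Pull the live value from the connected device and check it.
    raw="$("$ADB" shell settings get secure enabled_accessibility_services)"
    flag_unlisted_services "$raw"
}

# Usage: sh audit-accessibility.sh --audit
case "${1:-}" in
    --audit) audit_device ;;
esac
```

Anything the script flags should be looked up under Settings > Accessibility and disabled there if you do not recognise it; the script only reports, it never changes device state.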
Step 3 - Use Safe Mode to Isolate and Remove Malicious Apps
Safe Mode boots Android with all third-party apps disabled. This is the standard diagnostic step when you suspect an installed app is causing problems but cannot easily identify which one.
To enter Safe Mode on most Android devices:
- Press and hold the power button.
- Long-press the Power off option that appears on screen.
- A prompt appears: “Reboot to safe mode.” Confirm.
The device restarts with “Safe mode” displayed in the bottom-left corner. Third-party apps are greyed out and non-functional.
In Safe Mode, navigate to Settings > Apps and review all installed applications. Look for:
- Apps with generic or misleading names (“System Service”, “Phone Manager”, “Update”)
- Apps you do not recognise or did not install
- Apps with no icon or a blank label
Tap the suspicious app and select Uninstall. If Uninstall is greyed out, the app has Device Administrator privileges - revoke those first (Settings > Security > Device Admin Apps), then return to uninstall.
Restart normally after removing suspected apps and observe whether the symptoms persist.
Step 4 - Force-Remove Stubborn Apps with ADB
Some malware installs itself as a system app or uses admin privileges to resist normal uninstallation. Android Debug Bridge (ADB) lets you remove these from a connected computer without rooting the device.
You need:
- ADB installed on your computer (part of Android SDK Platform Tools, available at https://developer.android.com/tools/releases/platform-tools)
- USB debugging enabled on the device (Settings > Developer Options > USB debugging)
- The device connected via USB with the connection authorised
Find the package name of the suspicious app:
```shell
adb shell pm list packages | grep -i <keyword>
```
Once you have the package name (for example com.suspicious.app), remove it for the current user without root:
```shell
adb shell pm uninstall --user 0 com.suspicious.app
```
The --user 0 flag removes the app for the primary user without requiring system-level permissions. This works for most pre-installed bloatware and many persistent adware packages that survive Safe Mode removal.
For a full walkthrough of ADB’s capabilities beyond malware removal, see the ADB Commands for Android Power Users guide.
If the app is installed as a system app and pm uninstall fails, you can disable it instead:
```shell
adb shell pm disable-user --user 0 com.suspicious.app
```
Disabling prevents the app from running without actually removing it - useful when full removal is not possible without root.
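The two commands above are what you type by hand. As an added example (not part of the original guide), the script below wraps the same procedure: it filters `pm list packages` output for a keyword, and for a chosen package tries `pm uninstall --user 0` first and falls back to `pm disable-user --user 0` only when the uninstall is refused, reporting which action was taken. `ADB` can be pointed at a stub so the parsing and fallback logic can be exercised without a device. One caveat worth keeping in mind: for packages that live in the system image, `--user 0` removal only affects the primary user, and the app comes back after a factory reset.

```shell
#!/bin/sh
# Added example: find packages by keyword and remove them for user 0 over ADB,
# falling back to disable-user when uninstall fails. Assumes `adb` is on PATH
# with one authorised device (override with ADB=... for testing).

ADB="${ADB:-adb}"

packages_matching() {
    # $1: raw `pm list packages` output ("package:com.foo" per line), $2: keyword.
    # Prints matching package names, case-insensitively, one per line.
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | grep -i -- "$2" || true
}

find_candidates() {
    # $1: keyword. Queries the device and prints matching package names.
    raw="$("$ADB" shell pm list packages)"
    packages_matching "$raw" "$1"
}

remove_for_user0() {
    # $1: package name. Prints "uninstalled:<pkg>", "disabled:<pkg>" or
    # "failed:<pkg>"; returns non-zero only when neither action worked.
    pkg="$1"
    # pm uninstall prints "Success" on success, "Failure [...]" otherwise.
    if "$ADB" shell pm uninstall --user 0 "$pkg" | grep -q '^Success'; then
        echo "uninstalled:$pkg"
        return 0
    fi
    # pm disable-user prints "Package <pkg> new state: disabled" on success.
    if "$ADB" shell pm disable-user --user 0 "$pkg" | grep -q 'new state: disabled'; then
        echo "disabled:$pkg"
        return 0
    fi
    echo "failed:$pkg"
    return 1
}

# Usage:
#   sh remove-package.sh --find suspicious        # list candidate package names
#   sh remove-package.sh --remove com.suspicious.app
case "${1:-}" in
    --find)   find_candidates "$2" ;;
    --remove) remove_for_user0 "$2" ;;
esac
```

The two-step usage is deliberate: list candidates first, read the names, and only then pass one explicit package to `--remove`, so a broad keyword never removes an app you did not intend to touch.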
Step 5 - Check for Stalkerware Specifically
Stalkerware is a category of spyware typically installed by a person with physical access to the device - an intimate partner, employer, or family member. It is designed to be invisible and to report location, messages, calls, and photos to a remote server.
Signs specific to stalkerware:
- Microphone or camera permissions granted to an app you do not recognise
- Unusual background data to an unfamiliar server (visible in Settings > Network > Data usage)
- Battery drain even when the phone is idle and screen is off
- The screen briefly lighting up on its own
The Coalition Against Stalkerware (https://stopstalkerware.org) maintains a list of known stalkerware package names and provides safety guidance that accounts for the risk of alerting an abuser by removing the software. If you suspect stalkerware installed by someone who may react dangerously, consult their resources before taking action.
Malwarebytes for Android (https://www.malwarebytes.com/android) has specific stalkerware detection signatures and is one of the more credible third-party options in this category.
Step 6 - Factory Reset as the Nuclear Option
If the above steps do not resolve the issue, or if you want certainty after a severe infection, a factory reset wipes all user data and returns the device to its out-of-box state. This eliminates virtually all malware, with the narrow exception of firmware-level infections (rare on mainstream devices).
Before resetting:
- Back up contacts, photos, and documents to Google Drive or a local computer - but do not back up APK files, which may carry the infection
- Note your Google account credentials - you will need them to pass Factory Reset Protection (FRP)
- Be aware that FRP requires the previously associated Google account during setup; this is a theft-deterrence feature documented by Google (https://support.google.com/android/answer/6172890)
To factory reset: Settings > General Management (or System) > Reset > Factory Data Reset > Reset Device.
After the reset, restore data selectively. Re-install apps from the Play Store or from trusted FOSS sources rather than restoring an app backup wholesale. If you were sideloading APKs from unverified sources before the infection, review the Sideloading Android Security Guide before resuming that practice - it covers how to verify APK integrity and which sources are actually trustworthy.
Prevention: Closing the Door Permanently
Removal is reactive. These measures stop most infections before they start:
- Keep Android updated. Google patches critical vulnerabilities monthly. Settings > System > System Update. The Android Security Bulletin (https://source.android.com/docs/security/bulletin) lists every CVE addressed.
- Use Play Protect and leave it on. Do not disable it to install an app - that is a major red flag about the app itself.
- Treat Accessibility permission requests with suspicion. Legitimate apps rarely need this. Granting it to an unknown app is effectively giving it full device control.
- Install from F-Droid for open-source apps. F-Droid (https://f-droid.org) distributes only free and open-source software, and each app’s source code is publicly auditable. See our F-Droid vs Play Store comparison for the trade-offs.
- Consider a privacy-focused ROM. GrapheneOS (https://grapheneos.org) on a Pixel device provides hardened memory allocator, improved permission controls, and verified boot that makes system-level compromise significantly harder. Our GrapheneOS vs LineageOS comparison breaks down which ROM suits which use case.
- Review permissions after every app install. NIST SP 800-163 (https://csrc.nist.gov/publications/detail/sp/800-163/rev-1/final) provides a framework for mobile app vetting that applies equally to personal and enterprise contexts.
The architecture of Android gives users genuine tools to fight back against malware at every level. Safe Mode, ADB, and factory reset together cover the full spectrum from nuisance adware to targeted spyware - and understanding how each works means you are never relying solely on a third-party scanner to protect you.
Frequently Asked Questions
Does Android need a third-party antivirus app? For most users, no. Google Play Protect combined with careful permission management and keeping Android updated covers the majority of real-world threats. Third-party scanners add value mainly in stalkerware detection (Malwarebytes) and for devices that cannot run a current Android version.
Can malware survive a factory reset? Almost never on mainstream consumer hardware. Firmware-level infections have been documented on a small number of low-cost Android devices with modified bootloaders, but they are rare. A factory reset removes all user data and re-installed apps, which is where virtually all malware lives.
Is sideloading APKs always dangerous? No, but the risk depends entirely on the source. F-Droid and direct developer downloads of open-source apps carry low risk when you verify the APK signature. Downloading APKs from random file-hosting sites or modded-app repositories carries high risk. The Sideloading Android Security Guide covers how to verify APK integrity before installing.
What is the difference between adware and spyware on Android? Adware generates revenue by displaying unwanted advertisements, often by abusing Accessibility Services to overlay ads on other apps. Spyware collects personal data - location, messages, photos, call logs - and sends it to a remote server without your knowledge. Both warrant immediate removal, but spyware poses a greater privacy and safety risk.