
Detect and remove spy software on Android

It only takes an attacker a few minutes unobserved to hide a spy app on your smartphone. The malicious app could then send sensitive data to the attacker or install additional malware. With a few simple steps you can recognize an infection and stop the monitoring.

Check root access

If you suspect someone is spying on you, the first thing to do is to check whether your phone is rooted. On a rooted phone an attacker can hide a spy tool so that it cannot be found with the methods described here, even if you rooted the phone yourself for good reason.

Search your device under Settings / Apps for tools traditionally used for rooting, such as SuperSU, BusyBox or KingRoot. You can also use the free Root Checker app to test directly whether your phone is rooted. Note that the absence of these apps proves nothing on its own: a root obtained some other way, or whose management app was later removed, leaves no such trace.

The spy packages mSpy and FlexiSpy that we examined do not currently use any special root tricks to hide themselves, so the measures below will remove them on rooted systems too. But that can change with any update, and your attacker could have installed additional malware that hides better. Ultimately, you can no longer trust a rooted phone.

If you suspect spying, you have two options. First, you can reset the device to factory settings, which also removes root access and restores the standard security functions. The phone is then clean again, but setting the system up afresh is tedious. Second, you can repair the rooted system. That is a lot of work, but it lets you find out more precisely which data the attacker took. It is advisable to consult someone with experience of rooted systems.

Check device administrator apps

In what follows we assume that your device is not rooted and that all diagnostic information you gather is reliable. First check the so-called device admin apps, because Android grants them extensive rights. You find them in the settings under "Security & location / Device admin apps", on some devices under "Device security / Other security settings" or similar.

Normally you should only see "Find My Device" and "Google Pay" here and, depending on what the phone is used for, your company's mobile device management or the entry of a mail app with Exchange access such as Nine's "E-Mail". Any other entries at this point are a strong indication of an infection. Deactivate the suspicious device administrators, and if in doubt all of them.

This menu only lets you deactivate a device administrator; to remove it you have to uninstall the associated app. Annoyingly, apps may give their entry in this list any name they like, so you cannot always tell which app it belongs to. The spyware mSpy, for example, appears here as "Update Service", FlexiSpy as "System Update". Some spy apps refuse to be uninstalled as long as they are registered as device administrators, which is why you deactivate them first.

Switch on Play Protect

Next, check Android's built-in security features. An attacker may have tried to disable them, because they detect most malware. Under the name Play Protect, Android now checks all apps on the device, also on older Android versions. The easiest way to find Play Protect is in the Play Store app, in the menu behind the three bars at the top left.

The option "Scan device for security threats" must be switched on and the last scan should be no more than a few days old; otherwise this is a strong indication of an infection. If the second option "Improve harmful app detection" is activated, Play Protect sends unknown apps to Google to be scanned in the cloud. Although this function is useful, it is switched off by default, so its state says nothing about an infection.

Switch on Play Protect and the "Improve" option and, if the phone has Internet access, use the refresh button at the top to scan all apps immediately. The spy tools mSpy and FlexiSpy are recognized and can be uninstalled without leaving residue. You should nevertheless also carry out the following checks.

Block apps from other sources

Because Google's Play Store scanner recognizes many spy apps, they are not available there. The attacker has to bring the app to the smartphone as an APK file and install it manually (sideloading). To do that, he has to switch off the lock that normally protects against apps from such external sources.

On older Android you find this lock in the settings under "Security / Unknown sources" or similar. Current Android no longer has a central lock; instead, individual apps such as a file manager, the browser or Dropbox are granted permission to install apps. The list of these apps is in the settings under "Apps & notifications / Special app access / Install unknown apps" or similar; no app there should be marked "Allowed".

In both cases a disabled lock means that a spying attack may have taken place. Conversely, an activated lock is no guarantee of a clean system, because the attacker can simply switch it back on after installing the malware.

Control app permissions

If you have a suspicion, do not rely on Play Protect alone; check all installed apps instead. To do this, open "App permissions" in the settings, usually under "Apps" or "Apps & notifications" or similar, on some devices in the three-dot menu at the top right of the app list. There you control which apps may access personal data.

Under Contacts, SMS, Camera and Location no apps should appear that you did not install or whose purpose you do not know. Uninstall unknown apps, but note the package name beforehand (for the following uninstallations too) so that you can trace your work later. If some apps appear twice with an additional lock symbol, that is a harmless feature of some Samsung and Xiaomi devices that lets you run an app a second time with a separate configuration.

Spy Software: Checklist for Checking Android Devices

  • Is the device rooted?
  • Disable unknown device administrators
  • Switch on Play Protect and scan the device
  • Remove suspicious apps
  • Change passwords for all services (Google, Banking, Facebook, Evernote, Dropbox, ...)
  • Remove web and linked-device sessions of messenger apps
  • If necessary, reset to factory settings

Then go through the list of all installed apps for unknown or suspicious ones. Tapping an app reveals which permissions it requests; from that an experienced user can often get a first indication of whether something is wrong.

However, some harmless apps also require many permissions, for example because their developers use questionable advertising libraries. Unpleasant, but uncritical from a spying point of view as long as you knowingly installed the app yourself, because it is unlikely that this particular app has a real vulnerability and that your attacker exploits it. On the other hand, it does no harm to uninstall any other questionable or unused apps directly as part of this diagnosis.

Recognize dubious sources

It is also important to look at the source of an app, especially if installation from external sources was enabled. Newer Android versions show this in the app detail view below the permissions. There it says "App loaded from Google Play Store" (generally not critical) or "App loaded from Galaxy Apps" (preinstalled by Samsung). "App loaded from Package installer", on the other hand, is highly suspicious: the app comes from a third-party source. If you did not install it yourself for a good reason, get rid of it. Because not all smartphones mark third-party apps this clearly, first take a quick look at how an unsuspicious app is marked.
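The root, device-administrator and installation-source checks described above can also be run from a PC over adb, which helps when the settings menus differ from phone to phone or when you want a record of what you found. The following POSIX shell script is an added example written for this page; it is not a tool from the article or from any product it names. It assumes the package names of the rooting tools, the expected admin packages (Google Play services, which hosts Find My Device, and Google Pay) and the line formats of `pm list packages` and `dumpsys device_policy`; adjust the allowlist for your MDM or mail app. The sample outputs at the bottom are constructed, not captured from a real device, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): offline-testable triage helpers.
# Each function reads the output of one adb command on stdin and prints
# only its findings. On a real device, pipe adb output in, e.g.
#   adb shell pm list packages | { . ./triage.sh; check_root; }
# or feed saved output. All package names below are assumptions.

# Packages of common rooting tools (assumed package names).
ROOT_PKGS='eu.chainfire.supersu stericson.busybox com.kingroot.kinguser com.topjohnwu.magisk'

# Device admin packages that are normally expected: Google Play services
# (hosts Find My Device) and Google Pay. Add your MDM or mail app here.
ADMIN_ALLOW='com.google.android.gms com.google.android.apps.walletnfcrel'

# Input: "adb shell pm list packages" (lines like "package:com.foo").
# Output: "ROOT-TOOL <pkg>" for every known rooting tool that is present.
check_root() {
    sed -n 's/^package://p' | while read -r pkg; do
        for r in $ROOT_PKGS; do
            if [ "$pkg" = "$r" ]; then echo "ROOT-TOOL $pkg"; fi
        done
    done
}

# Input: "adb shell dumpsys device_policy". Active admins are listed as
# "<package>/<receiver class>" components (assumed format). Output:
# "UNKNOWN-ADMIN <component>" for every admin whose package is not allowlisted.
check_device_admins() {
    grep -o '[A-Za-z0-9_.]*/[A-Za-z0-9_.$]*' | while read -r comp; do
        pkg=${comp%%/*}
        ok=0
        for a in $ADMIN_ALLOW; do
            if [ "$pkg" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "UNKNOWN-ADMIN $comp"; fi
    done
}

# Input: "adb shell pm list packages -3 -i" (third-party apps with their
# installer, e.g. "package:com.foo  installer=com.android.vending").
# Output: "SIDELOADED <pkg> (installer=...)" for every app that did not come
# from Google Play; "null" or the stock package installer corresponds to the
# "loaded from package installer" case described in the text.
check_sideloaded() {
    sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' | while read -r pkg inst; do
        case "$inst" in
            com.android.vending) ;;
            *) echo "SIDELOADED $pkg (installer=$inst)" ;;
        esac
    done
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_PKGS='package:com.android.chrome
package:eu.chainfire.supersu
package:com.whatsapp'

SAMPLE_ADMINS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/com.google.android.gms.auth.managed.admin.DeviceAdminReceiver
    com.example.updater/com.example.updater.AdminReceiver
  Password owner: -1'

SAMPLE_INSTALLERS='package:com.whatsapp  installer=com.android.vending
package:com.example.updater  installer=null
package:com.dropbox.android  installer=com.android.vending'

# Runs all three checks over the samples; replace the samples with adb output.
triage_report() {
    printf '%s\n' "$SAMPLE_PKGS"       | check_root
    printf '%s\n' "$SAMPLE_ADMINS"     | check_device_admins
    printf '%s\n' "$SAMPLE_INSTALLERS" | check_sideloaded
}

triage_report
```

The script only reports, it never uninstalls anything: the point is to get the package names onto paper before you touch the phone, as the text advises. A sideloaded app with an unknown device-administrator entry (here the constructed `com.example.updater`) is exactly the pattern the mSpy and FlexiSpy examples above produce.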

Spyware and evidence of infection (paths under /data are only readable with root privileges):

  • mSpy: dialing #000* opens the mSpy user interface
  • FlexiSpy: FSXGAD_*.apk on the SD card; /data/app/ contains com.mobilefonex.mobilebackup-1.apk; often leaves traces in the browser history; dialing *#900900900 opens the FlexiSpy user interface
  • PhoneSheriff: leaves all intercepted data and settings under /data/
  • MobileSpy: dialing #123456789* opens the MobileSpy user interface
  • OmniRAT: registers a device administrator

You will also get a number of false positives, because many manufacturers preinstall apps whose purpose is not clear from the name, if at all. You can recognize these apps, which are not suspicious from a spying point of view, by the fact that the app detail view has no uninstall button; you can only deactivate them. They are generally harmless, unless malware was installed at the factory or by a distributor.

With these measures you should have found the usual spy apps and banished them from your system. If you suspect that more cunning attackers with more stubborn malware are after you, perform a factory reset, or consult an expert, because there are also malware types that survive a reset or lurk in the firmware.

Protect accounts

If you suspect a successful attack, further measures are advisable after cleaning the device. You have to assume that your Google account is also compromised.

In the device overview of your Google account you can see which devices use your account and when they last accessed it. You can remove suspicious devices with a click on "Remove". Then change your password. We recommend using this opportunity to also activate 2-step verification.

The same goes for all the other cloud services you use: Dropbox, Evernote, Facebook and, importantly, internet banking used from your smartphone. Check the access, change the passwords in case of doubt, activate two-factor authentication wherever possible and remove suspicious registered devices.

WhatsApp, Signal and some other messengers pose an additional trap: they offer the option of using the app via a browser or a linked desktop client, with access to all messages and photos. Once set up, such access remains active even after your phone has been cleaned. You find it on WhatsApp under "WhatsApp Web", on Signal under "Linked Devices", on Threema under "Threema Web". Delete them all.

Reset to factory settings

The last resort, especially if the device turns out to be rooted, is the factory reset, i.e. a complete reset to factory settings. If you think your device is hopelessly infested and bugged, make the password changes mentioned above only after the reset or from another device; otherwise a keylogger that may still be installed will learn the new passwords. The reset deletes all data from the phone, so move everything important such as photos, contacts and appointments to a safe place beforehand and note down important parts of your configuration.

You trigger the reset in the settings under "System / Reset options / Erase all data", on some systems called "General management / Reset / Factory data reset" or similar.

When setting up the phone again, set it up as a "new device" rather than restoring it from a backup, because your device could be reinfected directly from the backup. Also lock access to the device, by fingerprint, face or password, but at least with a four- or better six-digit PIN. (yow)
