Consumer-grade phone surveillance apps aren’t only intended to stay stealthy; some of these apps are also making it increasingly difficult to remove them.
TechCrunch has identified a stealthy phone monitoring app for Android that requires a password to uninstall, effectively blocking Android device owners from being able to remove the app.
The spyware app, which we’re not naming so as to not give it any publicity, relies on whoever is planting the app to enable a built-in feature in Android that allows apps to “overlay” content on top of all other apps. Once granted this permission, the spyware app uses this overlay access to forcibly display a password prompt whenever the user tries to uninstall or deactivate the app through Android’s settings.
Worse, the password to uninstall this spyware is set by whoever planted it.
There is a solution. TechCrunch’s own testing found that rebooting an affected Android device into “safe mode” temporarily prevents third-party apps from loading, including the spyware, allowing affected individuals to remove the app without the password prompt appearing.
This consumer-grade spyware app is part of a growing ecosystem of phone monitoring offerings, which promote and sell their apps under the guise of allowing parents to monitor their children’s phone activities or companies to track their employees. But these apps also go by the term “stalkerware” (or “spouseware”), as many also explicitly promote their apps as a way to snoop on their spouse or romantic partner without their consent, which is illegal.
These spyware apps are typically downloaded from outside the official Android app store and planted by a person with physical access to a person’s phone, usually with knowledge of their passcode.
Once installed, these apps deliberately hide their app icons from the victims’ home screen to stay stealthy, all while continually uploading the person’s phone contents — including their text messages, photos, and real-time location — to a web dashboard that the abuser can access.
Often, the only way to identify the app is by looking through certain Android device settings that are commonly configured for facilitating covert device monitoring, and then identifying the specific app to remove.
But in the case of this particular spyware app, the password pop-up blocks the ability to uninstall unless the correct password is entered.
How to identify and remove Android password-enabled spyware
It’s quick and easy to check to see if your Android device is compromised by consumer-grade spyware. Remember that it’s important to have a safety plan in place before proceeding, as removing spyware will likely alert the person who planted it.
TechCrunch has a general Android spyware removal guide that can help to identify and remove common types of phone spyware and stalkerware, and switch on the correct settings to secure your Android device.
This particular spyware may not appear as a home screen icon, but it will still appear in your list of installed apps as a nondescript app called “System Settings,” featuring a default Android icon, likely in an effort to blend in with Android’s built-in apps.
The spyware app also takes advantage of another built-in Android feature called “device admin,” which allows companies to remotely manage their employees’ phones, but is also frequently abused by spyware apps to allow broad access to a victim’s device and data. If you see a device admin app enabled on your device that you don’t recognize, it may be a spyware app. Attempting to uninstall the app may also present a password prompt.
However, rebooting an Android device into “safe mode” permits only Android core system apps to run by default, allowing for users to troubleshoot or remove buggy or problematic apps. (A thread on Stack Exchange from 2016 confirms this technique.)
TechCrunch tested and checked this process on several virtual Android devices, which we planted with the spyware. The virtual devices allow us to run the apps in a protected sandbox without having to give any real-world data, such as our location.
Before you proceed: Note that entering safe mode, and the following steps to identify and remove spyware apps, may vary by Android device model and software version.
Generally, you can hold down the Android device’s power button until a set of options appear on your screen, then touch and hold the “power off” button, which will then display a prompt asking if you want to “reboot to safe mode.” Select OK, then wait until your device restarts.
Your Android device will display “safe mode” in the corner of your screen when your device successfully boots into safe mode.
From here, you can find the offending spyware app by looking in your Android settings for any installed “device admin” apps. If you have a device admin app that you don’t recognize, you can toggle the switch off, and then select “deactivate & uninstall” from the device admin app settings.
Once the spyware app is removed as a device admin, you can then uninstall the app completely from your device. You can do this by opening your Android settings and then “Apps.”
From here, you will be able to identify the named spyware app from the list of installed apps on your device. While looking at the app info screen in safe mode, you should be able to select “uninstall,” then hit “OK” once you are prompted to remove the app.
(As an aside, Android will not let you uninstall from this screen any system app that is critical to your device’s functioning.)
At this point, the spyware is now removed. Forcibly stopping and removing a spyware app will likely alert the person who planted the app that it no longer works.
To exit Android safe mode and return your device to its normal state, you can restart your device by holding down the power button and selecting “restart.”
You should also make immediate steps to secure your device, such as by setting a longer, unique passcode, or an alphanumeric password, to prevent physical access in the future. You may also want to secure any web accounts that you have on your device, including your Google account, to prevent any further misuse.
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
