How to Detect and Remove Spyware from Your Android Phone in 2025

And they can send all of this to third parties (without your consent).

The question is: What can someone do with complete access to your digital life?

What are the different types of spyware and what can they do?

When spyware gains entry, it can invade your privacy through an arsenal of capabilities, such as:

• Keyloggers that record your keystrokes to steal your passwords
• Stalkerware that monitors your location, calls, emails, texts, photos, and internet browsing activity
• Adware that floods your browser and sells your data to advertisers
• Rootkits that maintain persistence on your device to spy on everything pertaining to your Android, including files, network traffic, and system activity
• Banking trojans that spy on your logins to steal your credentials

One of the most dangerous types of stalkerware is TheTruthSpy, which has exposed photographs of children the app took on the internet. The app has also been weaponized by abusive romantic partners to spy on their victims.

In 2022, TechCrunch uncovered massive amounts of data found in TheTruthSpy’s core database, which contained records of every Android device compromised.

Just from six weeks of data, TechCrunch found 1.2 million text messages, 473,211 video & photo records, and 4.42 million call logs, some of which came from children’s phones. All were obtained without consent.

Meanwhile, spyware such as Hermit, Predator, and Pegasus are being weaponized for cyber espionage as we speak.

Hermit, for instance, can read notifications, upload files, take screenshots, and even re-route calls.

Alarmingly, Google found that repressive governments in Kazakhstan and Syria have used Hermit to target activists, journalists, and political opponents.

Meanwhile, mercenary spyware like Predator and Pegasus have been weaponized by the world’s most repressive regimes. And their use is spreading to the private sector. Predator, for instance, has recently targeted executives in private sector firms in finance, real estate, and logistics & transportation.  

If you’re doing business in 2025, you can block unauthorized SaaS apps that are common entry points for spyware with LastPass SaaS monitoring + SaaS Protect. Try it today with a free trial of Business Max (no credit card required). 

Why is spyware a threat to Android devices?

Despite security improvements by manufacturers, spyware remains a persistent threat. This year, spyware rose 147% on Android devices, with a notable spike in February and March. 

Even more alarming, April and May saw a 692% spike in SMS-based malware.

Remember Slavisa Milanov?

After getting his phone back, he discovered that his data and Wi-Fi settings had been turned off. He turned to Amnesty International’s forensic team, who launched an investigation. 

Their findings? Milanov’s phone was infected with not one, but two pieces of malware.

• Cellebrite: to unlock his Android with Universal Forensic Extraction Device (UFED) technology
• NoviSpy (spyware): to access his messages, contacts, location, camera, and microphone

Forensic evidence showed that Milanov’s phone was infected while he was in custody.

According to Amnesty’s 87-page report on surveillance, the Serbian Security Intelligence Agency has been weaponizing spyware like NoviSpy, Predator, and Pegasus since at least 2014. This and similar assaults on privacy and freedom of speech by other rogue nations have led sixteen (16) countries, including the United States, to call for international spyware regulations.

Sadly, Milanov remains a targeted figure today. He insists that "safety is at stake. Whatever happens to me, or anyone close to me, I will hold the state responsible for it.”

Milanov isn’t the only one at risk.

In 2025, the global cost of cyber-attacks is expected to reach US $10.5 trillion (that’s roughly $20 million lost every single minute).

And a significant portion of that comes from Android spyware.

Think about what’s on your phone right now:

• Photos of your driver’s license
• Images of your passport and Social Security card
• Tax documents you downloaded to review
• Medical records from your healthcare portal
• Banking, ecommerce, and subscription service passwords

With this information, attackers can:

• Open credit cards in your name
• Take out loans you’ll be liable for
• Commit financial fraud with your identity 
• File fraudulent tax returns and steal your refund 
• Access your health insurance info to get treatments and prescriptions you’re billed for

Depending on the type of identity theft, it can take weeks or months to resolve. Synthetic identity – the fastest growing and most expensive type of identity theft - is the most damaging and can take years to recover.

If you own a business, the risks multiply. In December 2024, mobile security firm iVerify found 11 new Pegasus infections on 18,000 devices. And in May of that year, the firm democratized mobile threat hunting by launching a $1 app that allowed consumers to scan their devices for spyware like Pegasus.

Around 3,000 people scanned their devices, and 2.5 Pegasus infections were found for every 1000 phones scanned.

Why target businesses? 

Because spyware on corporate or BYOD phones mean attackers have access to:

• Merger and acquisition discussions
• Trade secrets and intellectual property
• Your client lists and information
• Confidential business proposals
• Proprietary research data
• Competitive pricing strategies

The result is disrupted operations, legal liabilities (from failure to protect sensitive data), and reputational damage. And the loss of trust can bring your business to its knees.

Doing nothing can cost you everything: Get effortless security with LastPass SaaS Monitoring + SaaS Protect with a free trial of Business Max (no credit card required).

How did spyware get on my Android and how can I prevent it from happening?

Now that you know what’s at risk, here’s what most people ask next, “How did spyware get on my Android in the first place?”

Understanding how it arrives is the first step in preventing spyware on your Android.

The truth is spyware can get on your device because of a split-second decision:

• A link you clicked absentmindedly
• An app you downloaded because someone sent you an ad on social media
• A permission you granted during a busy moment

It happens to the best of us. But the good news is this: Mindful choices are the smartest way to keep your Android secure. Below, we talk about how spyware infections happen and how you can prevent them from unleashing chaos in your world.

#1 You downloaded a “security update” that wasn’t

This is the most common way spyware is infecting Android devices in 2025. Spyware is distributed primarily through phishing links on platforms like Telegram. 

You may get a message that says your Android needs an “urgent security update” for your Signal app. Don’t fall for it.

It may be spyware in disguise. For example, the malicious ToTok app displays a welcome screen similar to the one for the real (now largely defunct) app. So, you’ll see two ToTok icons. One is real. One is stealing everything on your Android. 

And you have no idea which is spyware.  

These are models sold at outrageously low prices and pre-loaded with Triada malware. Triada has spyware, crypto mining, and data exfiltration capabilities. It's primarily focused on stealing banking and payment login credentials.

Safeguard: That “amazing deal” for a counterfeit version of the newest Android may come with an unwanted “bonus” like Triada. Only purchase Androids from official sources. 

You can also unlock credential security with a free trial of either LastPass Premium (for consumers) or LastPass Business (for organizations).

No credit card registration is required, and you get advanced MFA, military-grade encryption, and Dark Web Monitoring to ensure your email addresses are tracked 24/7.

What this means for you: 

• Advanced MFA for consumers and businesses add another layer of protection to prevent account takeovers.
• Dark Web Monitoring tracks your email addresses 24/7. If any are found on Dark Web forums, you get an immediate alert so you can update your passwords and login credentials before attackers can act.

#5 You connected to public Wi-Fi and visited the wrong website

You’re at your favorite coffee shop and connect to the free Wi-Fi while waiting for your pastries and coffee.

An ad appears, telling you that your Android needs an “urgent security update.” Sound familiar?

Public Wi-Fi at malls, coffee shops, hotels, and airports can put your Android at risk for spyware, man-in-the-middle attacks, and credential-stealing malware.

Safeguard: Public Wi-Fi can be a vector for spyware. So, be cautious about responding to “alerts" while surfing on public Wi-Fi. 

#6 You ignore the warning about “unknown sources”

Every time you try to install an app from outside Google Play, Android shows you a warning that reads something like this: “Installing apps from unknown sources can put your device and data at risk.”

But since you’ve seen it before, you decide to dismiss it. 

Don’t do it. Installing apps from unofficial sources can put you at risk for spyware.

Safeguard: Remember there’s a reason you’re seeing that warning. When you bypass it, you’re removing one of Android’s key security protections.

The pop-up is designed to make you feel cornered and panicked (or at the very least, annoyed). 

This is a classic social engineering attack designed to bait you into acting quickly and clicking anything to make the pop up go away, so the attackers can get spyware on your device.

#5 Performance lags and sudden freezes

Do you have one of the newest Android models on the market? If so, performance lags or freezes that come out of nowhere should be cause for concern. They may be signs your Android has been infected with spyware. 

But how can you tell if your Android has spyware for sure? That’s the question we answer below.

How to Detect Spyware on Android phone

You aren’t alone if you’re wondering, “How do I find spyware on my Android?” On Google, this question returns more than 10 million results.

To detect spyware on your Android phone:

• Use industry-leading anti-spyware tools
• Check settings and permissions for unusual app behavior

Use industry-recommended anti-spyware tools

As cyber-attacks increase, anti-spyware tools can be a critical resource. These products can both detect and remove spyware. 

Norton 360, for example, can scan over 600,000 files in under 10 minutes and then remove any malware it finds.

Both free and paid options are available. In the FAQ section below, we reveal the best antispyware apps for 2025.

Check for suspicious permissions

Always check app permissions. In the Apps section, look for Special Access or Advanced settings. 

Disclaimer: DIY spyware removal options come with risks. If in doubt, LastPass recommends consulting with security professionals to formulate the best solutions for your use case.

Sources

https://www.article19.org/resources/serbia-investigate-surveillance-of-journalists-and-sources-now/

https://www.amnesty.org/en/latest/news/2024/12/serbia-authorities-using-spyware-and-cellebrite-forensic-extraction-tools-to-hack-journalists-and-activists/

https://europeancorrespondent.com/en/r/the-chilling-truth-behind-serbias-surveillance-state

https://www.eset.com/us/about/newsroom/research/eset-research-new-spyware-messaging-apps-users-uae/

https://safejournalists.net/targeted-journalist-state-will-be-responsible-for-whatever-happens-to-me-or-those-around-me/

https://www.darkreading.com/endpoint-security/counterfeit-phones-infected-triada-malware

https://us.norton.com/blog/mobile/how-to-detect-spyware-on-android-phones

https://us.norton.com/blog/emerging-threats/pegasus-spyware

https://www.malwarebytes.com/blog/news/2022/06/hermit-spyware-is-deployed-with-the-help-of-a-victims-isp

https://www.fortinet.com/resources/cyberglossary/spyware

https://cybersrcc.com/2022/07/04/hermit-spyware

https://cybersecuritynews.com/pegasus-spyware-used-widely-to-target-individuals/

https://techcrunch.com/2022/10/26/inside-thetruthspy-stalkerware/