A security breach in one of the largest consumer spyware operations today puts the private phone data of around 400,000 people at risk, a number that is growing every day. The operation, identified by TechCrunch, is led by a small team of developers in Vietnam but has yet to fix the security issue.

In this case, it is not just a problematic spyware application. It’s a whole fleet of apps – Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy – that share the same security vulnerability.

But without a patch in place, TechCrunch cannot reveal specific details about the vulnerability due to the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised.

Without expecting the vulnerability to be patched anytime soon, this guide may help you remove these specific spyware apps from your Android phone – if you think it’s safe to do so.

Consumer spyware apps are often sold under the guise of child tracking software, but are also known as “stalkerware” for their ability to track and monitor partners or spouses without their consent. These apps are downloaded from outside the Google Play App Store, installed on a phone without someone’s permission, and are designed to disappear from the home screen to avoid detection. You may notice that your phone is performing abnormally, or getting warmer or slower than usual, even when you’re not actively using it.

Since this fleet of stalkerware apps relies on the abuse of built-in Android features that are more commonly used by employers to remotely manage their employees’ work phones, it is possible to quickly and easily check whether your Android device is compromised.

Before proceeding, have a safety plan in place. The Coalition Against Stalkerware offers tips and advice for victims and survivors of stalkerware. Spyware is designed to be hidden, but keep in mind that removing spyware from your phone will likely alert the person who installed it, which could create a dangerous situation.

Note that this guide only removes the spyware application, it does not remove data that has already been collected and uploaded to its servers. Also, some versions of Android may have slightly different menu options. Follow these steps at your own risk.

Check your Google Play Protect settings

Make sure that Google Play Protect, a security feature of Android phones, is enabled. Picture credits: Tech Crunch

Google Play Protect is one of the best safeguards to protect against malicious Android apps, both third-party and in the App Store. But when disabled, these protections stop and malicious or malicious software can be installed on the device outside of Google Play. That’s why this stalkerware network asks the person installing the spyware to disable Google Play Protect before it works.

Check your Google Play Protect settings through the Google Play app and make sure it’s turned on and a scan was recently performed.

Check if accessibility services have been tampered with

Stalkerware relies on deep access to your device and its data, and it often abuses Android’s accessibility feature which, by design, must have broad access to the operating system and its data. for the screen reader and other accessibility features to work. . If you don’t recognize a downloaded service in Accessibility Options, you can remove it. Many stalkerware apps are disguised as simple apps called “Accessibility” or “Device Health”.

A screenshot of Android's accessibility settings.

Android spyware often abuses built-in accessibility features. Picture credits: Tech Crunch

Check if a device administration app has been installed

Device administration options have similar but even broader access to Android as accessibility features. These device administration options are designed to be used by companies to remotely manage their employees’ phones, disable features, and wipe data to prevent data loss. But they also allow stalkerware apps to record the screen and spy on the device owner.

Screenshots showing the Android device admin app panel.

An unrecognized item in your device admin app settings is a common indicator of phone compromise. Picture credits: Tech Crunch

Most people won’t have a device admin app on their personal phone, so be careful if you see an app you don’t recognize named something like “System Service”, “Device Health” or “DeviceAdmin”.

Check the apps to uninstall

You may not see a home screen icon for any of these stalkerware apps, but they may still appear in your Android device’s app list. Go to your Android settings, then view your apps. Look for an app with an innocuous name like “Device Health” or “System Service”, with generic-looking icons. These apps will have wide access to your calendar, call logs, camera, contacts, and location.

Three screenshots of spyware applications, named "Device Health" and "System service."

Spyware applications often have generic looking icons. Picture credits: Tech Crunch

If you see an app here that you don’t recognize or haven’t installed, you can tap Uninstall. Note that this will likely alert the person who planted the stalkerware that the app is no longer installed.

Secure your phone

If stalkerware has been planted on your phone, chances are your phone was unlocked, unprotected, or your screen lock was guessed or learned. A stronger lock screen password can be helpful in protecting your phone from potential stalkers. You should also protect email and other online accounts using two-factor authentication whenever possible.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential 24/7 support for victims of abuse and domestic violence. If you are in an emergency, call 911. The Coalition Against Stalkerware also has resources if you suspect your phone has been compromised by spyware. You can reach this reporter on Signal and WhatsApp at +1 646-755-8849 or email [email protected]chcrunch.com.