Is it illegal to track someone down?

Detect and eliminate surveillance apps in cell phones

Are you worried that your smartphone is infected? We will help you track down and eliminate any pests.

First of all, you should check whether your phone is rooted, because you can no longer trust a rooted device - even if you did the root yourself at some point for good reason. On rooted devices, attackers can hide a spy tool so well that you cannot discover it in a few simple steps.

Discover Root

Therefore, search your device under “Settings / Apps” for tools that are traditionally used for rooting. These include SuperSu, BusyBox or KingRoot. You can also use the RootChecker app to check directly whether your mobile phone is rooted.

With rooted devices, you have two options: Either you reset your smartphone to the factory settings, or you repair the rooted system, which, however, involves a lot of effort. You should consult someone who has experience with rooted systems. The c't article Android Trojans dissected gives an insight into possible approaches.

Protect Android Phones - Checklist

In the following we assume that your Android phone is not rooted.

Disable unknown device administrators

Device administrator apps have a particularly high number of access rights under Android, so you should check these apps. In the settings under "Security & Location / Apps for device management" (Warning: the menus for the device administrators on some smartphones are slightly different) you will normally only see "Find my device" and "Google Pay", possibly also the Mobile Device Management Your company or a mail app. However, if you find other apps here, this could indicate an infection of your device.

In this case, deactivate these unknown device administrators and uninstall the associated app. Unfortunately, it is not always possible to clearly determine which this is, because an app can name its entry in the device administrator list as desired.

Scan the phone with Play Protect

You should also take a closer look at the Android security features. Play Protect checks all apps on the smartphone and also works with older Android versions. The easiest way to find Play Protect is in the app Play Store in the hamburger menu (the three horizontal lines in the top left).

The option "Scan device for security threats" must be activated. The "Improve detection of malicious apps" should also be switched on. Here you should definitely check how long ago it was the last scan from Play Protect: If it was more than a few days ago, this could indicate a spy attack.

Now run a scan of all apps; Internet access must be activated for this. For example, Play Protect recognizes the spy tools mSpy and FlexiSpy, which can then be completely uninstalled.

Spy software from outside sources track down

Attackers generally have to manually install the spy tools on your device because Google's virus scanner would detect them, which is why the apps in the Play Store are by and large free from malware. For manual installation, the attacker must first deactivate the lock that protects your device from apps from third-party sources. This lock can be found on older devices in the settings under "Security / Unknown origin".

With newer smartphones there is no longer a central lock, but individual apps such as FileManager, Dropbox or browsers are allowed to install from external sources. In the settings under “Apps & notifications / Special app access / Unknown” you will find a list of apps: It should be “not allowed” for all apps. If you find an app in the list that allows third-party sources, this is an indication of a spy attack. In this case, take a closer look at the source of the app. Newer Android versions show this in the settings under "App notifications" in the app detail view. The sources “App loaded from Google Play Store” or “App loaded from Galaxy Apps” are mostly harmless, whereas an “App loaded from the package installer” is very suspicious. You should delete this app.

Check the list of all installed apps

If you want to be absolutely sure that your smartphone is not infected by any spy software, you should check all installed apps. To do this, open the list of all apps under "App permissions" in the settings and check which apps are allowed to access personal data. In addition to Contacts, SMS, Camera and Location, no apps should appear under the app permissions that you have not installed yourself. You should therefore uninstall unknown apps. Always make a note of the package name beforehand so that you can understand your work. Following this principle, you can go through the list of all installed apps in order to track down suspicious or unknown apps.

Change passwords

If you are infected by spy software, it is advisable to change the passwords of all services after cleaning the device. At https://myaccount.google.com/device-activity you can see which devices are using your Google account and when it was last accessed. Remove suspicious devices from this list and change your password. The same applies to other cloud services and banking apps that you use.

You have to be particularly careful with messenger services: some, including WhatsApp, Signal and Threema, can also be used via your browser. Even if you have never used this yourself, an attacker could have activated this option. This browser access can remain active even after the cell phone has been cleaned, which is why you have to explicitly remove it. You can find it in the apps under menu items such as “WhatsApp Web” or “Threema Web” - delete the access here too. If you see access here without having set it up yourself, this is a very clear indication of an attack.

Reset to factory settings

If nothing helps or you still have doubts about the security of your smartphone, the only thing that will help is a factory reset. Before doing this, you should back up your personal data (photos, addresses and appointments, etc.) and note down the important elements of your configuration. In the settings you can reset your mobile phone under “Systems / Reset options / Delete all data”, on some systems you will find the reset under “General administration / Reset / Reset to factory settings” or something similar.

You then have to set up your mobile phone again. Important: Install it as a new device and not something as a backup, otherwise your device could be infected again from the backup. And: Change your passwords only after the reset, so that a possibly installed keylogger does not find out about the new passwords.

Protect iOS Devices Checklist

iPhones are much more difficult to spy on than Android devices, but you should still investigate a possible espionage attack if you suspect it. The first step is to check whether your iPhone has been jailbroken, because jailbreaking overrides important security mechanisms. If your iPhone is using the latest iOS version, you do not need to worry about a jailbreak attack - there is currently no publicly available jailbreak from iOS 11.4. Apple documents which iOS version is currently on the security update pages.

If you are using an iPhone with an older iOS version, you should check the typical signs of a jailbreak - for example with the apps Cydia, Electra and Pangu. Some applications such as online banking apps test the device at startup and refuse to work in the event of a jailbreak. Another indication of an attack is the battery consumption, because a permanently active spy app eats up electricity and data volume.

Overall, iPhones are relatively safe from jailbreaking espionage attacks. The central key to the data is not the mobile phone itself, but the owner's Apple account. For this reason, commercial spy software gets the data from the iCloud.

Detect known spyware

If you've followed our tips and gone through the checklists for checking Android and iOS devices, your smartphone should be safe from most spy apps. The following table provides additional information about an espionage attack with known spyware.

Spyware Evidence of infection
mSpyDialing # 000 * opens the mSpy user interface
FlexiSpyFSXGAD_ \ .apk on the SD card; in / data / app / is com.mobilefonex.mobilebackup-1.apk; http://djp.cc is often left behind in the browser history; Dialing * # 900900900 opens the FlexiSpy user interface
PhoneSheriff leaves all intercepted data and settings under /data/com.studio.sp2/
MobileSpyDialing # 123456789 * opens the MobileSpy user interface
OmniRAT device administrator generates com.android.engine.Deamon

(yow)