Spyware suspicion should be handled as a containment problem, because visible symptoms are often ambiguous.
Structured triage protects accounts and evidence first, then narrows whether the issue is compromise, misconfiguration, or normal device behavior.
Do not: install random “spyware detector” apps from ads or pop-ups. Many are scams or bundle more unwanted software.
Containment and triage
- Assume the attacker’s goal is access: to accounts, messages, photos, and authentication codes.
- Update the operating system and restart the device.
- Check critical accounts (email, cloud storage) for unusual logins and secure them with Two-Factor Authentication (2FA).
- If you are actively at risk (stalking, domestic abuse), prioritize personal safety and consider professional help before making changes that could escalate the situation.
Fast symptom triage
| Symptom | Could be normal | Could be spyware |
|---|---|---|
| Battery drains fast | Old battery, background sync | Persistent background recording or data exfiltration |
| Phone gets hot when idle | App bug, poor signal | Hidden processes running continuously |
| New admin prompts | System update | Malicious app requesting elevated permissions |
| Accounts log in from new locations | VPN use, travel | Credential theft or session hijack |
Key idea: spyware often arrives through an earlier compromise, such as a phished password, a malicious attachment, or physical access to the device.
Containment: stop ongoing access first
Before you spend time on forensic certainty, stop the easy paths.
- Secure your email account first. If your inbox is compromised, every password reset you send can be intercepted. Use: how to check if you have been hacked.
- Rotate passwords from a clean device and sign out other sessions where possible.
- Check account recovery channels (recovery email and phone) for changes you did not make.
- Disable unknown browser extensions and remove newly installed apps you do not recognize.
Phone checks
Menu labels vary, but the checks are consistent.
- Review installed apps and remove anything you did not intentionally install.
- Check device management or configuration profiles you do not recognize, especially on iOS.
- Review accessibility permissions and admin-level permissions (Android device admin, special access) for apps that do not need them.
- Check whether backups or cloud photo sync are sharing to accounts you do not control. If your Apple ID might be at risk, see: how to secure your Apple account.
Computer checks
- Run a reputable malware scanner, and update its definitions before you scan.
- Review startup items and recently installed programs.
- Check browser extensions, saved passwords, and suspicious proxy or DNS settings.
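The computer and account checks above amount to one question: what changed since the device was last known to be clean? As an added illustration (example code written for this page, not from the original article), the following Python helper diffs a triage snapshot against a known-good baseline and groups anything new for review. The baseline, snapshot, app and extension names, accounts, locations and IP addresses are all constructed sample data; the helper assumes you gathered the snapshot values yourself from the operating system's startup list, network settings and each account's security page.

```python
# Added example (not from the original article): a small triage helper that
# diffs a device/account snapshot against a known-good baseline. All names,
# addresses and accounts below are constructed sample data; the IPs come from
# the RFC 5737 documentation ranges and belong to no real host.

# Baseline captured when the device was last known to be clean (constructed).
BASELINE = {
    "startup_items": {"ManagedUpdater", "CloudSync", "PasswordManager"},
    "browser_extensions": {"uBlock Origin", "PasswordManager"},
    "dns_resolvers": {"192.0.2.53"},
    "proxy": "",  # no system proxy expected on this machine
    "login_locations": {"Berlin, DE"},
    "recovery": {"email": "owner@example.com", "phone": "+49 30 0000000"},
}

# Snapshot gathered during triage (constructed); contains planted anomalies.
SNAPSHOT = {
    "startup_items": {"ManagedUpdater", "CloudSync", "PasswordManager", "svc_helper_x"},
    "browser_extensions": {"uBlock Origin", "PasswordManager", "Coupon Saver Pro"},
    "dns_resolvers": {"198.51.100.9"},
    "proxy": "http://198.51.100.9:8080",
    "logins": [
        {"account": "email", "location": "Berlin, DE", "new_device": False},
        {"account": "email", "location": "Lagos, NG", "new_device": True},
        {"account": "cloud", "location": "Berlin, DE", "new_device": False},
    ],
    "recovery": {"email": "owner@example.com", "phone": "+1 555 0100"},
}


def new_items(baseline: set, current: set) -> list:
    """Return items present now that were absent from the baseline, sorted."""
    return sorted(current - baseline)


def check_network(baseline: dict, snapshot: dict) -> list:
    """Flag proxy or DNS settings that differ from the baseline; either one
    can silently route traffic through a host the attacker controls."""
    findings = []
    if snapshot["proxy"] != baseline["proxy"]:
        findings.append(f"proxy changed: {baseline['proxy'] or 'none'} -> {snapshot['proxy']}")
    unexpected = new_items(baseline["dns_resolvers"], snapshot["dns_resolvers"])
    if unexpected:
        findings.append("unexpected DNS resolvers: " + ", ".join(unexpected))
    return findings


def check_logins(known_locations: set, logins: list) -> list:
    """Flag logins from an unfamiliar location or from a device not seen before."""
    findings = []
    for entry in logins:
        reasons = []
        if entry["location"] not in known_locations:
            reasons.append("new location")
        if entry["new_device"]:
            reasons.append("new device")
        if reasons:
            findings.append(f"{entry['account']}: {entry['location']} ({', '.join(reasons)})")
    return findings


def check_recovery(baseline: dict, snapshot: dict) -> list:
    """Flag recovery email/phone changes the owner did not make; whoever owns
    the recovery channel can re-take the account after a password reset."""
    return [
        f"recovery {channel} changed: {baseline[channel]} -> {snapshot.get(channel)}"
        for channel in baseline
        if snapshot.get(channel) != baseline[channel]
    ]


def triage(baseline: dict, snapshot: dict) -> dict:
    """Run every check and group findings by category; an empty list means clean."""
    return {
        "startup_items": new_items(baseline["startup_items"], snapshot["startup_items"]),
        "browser_extensions": new_items(baseline["browser_extensions"], snapshot["browser_extensions"]),
        "network": check_network(baseline, snapshot),
        "logins": check_logins(baseline["login_locations"], snapshot["logins"]),
        "recovery": check_recovery(baseline["recovery"], snapshot["recovery"]),
    }


if __name__ == "__main__":
    for category, findings in triage(BASELINE, SNAPSHOT).items():
        status = "OK" if not findings else f"{len(findings)} to review"
        print(f"[{category}] {status}")
        for finding in findings:
            print("   -", finding)
```

The design point is that a baseline turns a vague "does this look wrong?" into a concrete diff: an unfamiliar startup entry, a proxy that was empty last week, a resolver you never configured, or a recovery phone you did not set. Capture the baseline on a clean device (or immediately after a reset) and keep it somewhere the device itself cannot alter, so a later snapshot is compared against a record the attacker could not rewrite.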
When a factory reset is the correct answer
If you have strong indicators of compromise and cannot isolate the source, a factory reset followed by careful re-setup is often the fastest safe path. The risk is restoring the same problem from a compromised backup.
- Back up only what you need (photos and documents) and avoid restoring unknown apps.
- Change passwords after the reset, from a clean device, and re-enable strong authentication.
Spyware remediation is a sequence: secure accounts, contain access, clean or reset devices, then rebuild trust slowly. If you change passwords first but keep a compromised device, the attacker can simply capture the new secrets.
If you are unsure whether you are dealing with spyware or with phishing and stolen sessions, start with the highest-leverage controls: strong authentication, session review, and removing unknown apps and extensions. Those steps reduce harm even when your diagnosis is imperfect.
The goal is a stable environment where account recovery is under your control, devices are updated and minimal, and unexpected prompts have nowhere to hide. Once you reach that state, ongoing monitoring becomes simple: alerts, logins, and a smaller surface area.
