Signs of Android Malware and How to Remove It

Before you change anything, it helps to be sure you have a real problem and not a coincidence. Any single one of these can have an innocent cause. Two or three together is a much stronger signal.

• Ads pop up when no app is open. Full-screen ads on your home screen, or ads in the notification shade tied to no app you recognize, are a classic sign of adware.
• Battery and heat are suddenly worse. A phone that drains fast and runs warm while idle may be running a hidden background process. Check Settings > Battery for an app you do not remember using near the top of the list.
• Mobile data climbs for no reason. Malware often sends data out. Look at Settings > Network & internet > Internet > (gear icon) > App data usage on a Pixel, or Settings > Connections > Data usage > Mobile data usage on Samsung.
• Apps you never installed. Open your app drawer and scroll. An icon you do not recognize, or a blank/generic icon, is worth investigating.
• Redirects and a slow, crashy phone. Your browser keeps jumping to pages you did not ask for, or apps close on their own.

One note: a real Android virus that spreads on its own is rare. What people call a virus is almost always an aggressive app that someone installed, which is reassuring, because the fix is usually to find that one app and remove it. Vendors like McAfee list the same handful of symptoms, so trust the pattern over any single clue.

Before you start poking around, disconnect the phone. This stops a misbehaving app from sending your data out or receiving new commands while you work, and you can turn things back on in a minute.

1. Swipe down from the top of the screen to open quick settings.
2. Tap Airplane mode (the little plane icon). That switches off mobile data, Wi-Fi, and Bluetooth in one go.
3. If you would rather keep Wi-Fi for downloading a scanner later, that is fine; just be aware the app stays connected until you are ready to clean it.

If you think the infection arrived through a banking or shopping session, this is also a good moment, on a different trusted device, to change that account password. Do not type sensitive passwords into the suspect phone until it is clean.

Safe Mode is the single most useful trick here. It tells Android to load only the apps that came with the phone and leave every app you installed switched off, so the malicious app cannot run, show overlays, or block its own removal while you work. You are not deleting anything; you are just booting with the third-party stuff paused.

On a Pixel (and most stock Android phones):

1. Press and hold the power button until the power menu appears. On newer Pixels you may need to hold power and volume up together.
2. Touch and hold Power off on screen until a Safe mode prompt appears.
3. Tap OK. The phone restarts and shows Safe mode in the bottom corner.

On a Samsung Galaxy (One UI):

1. Press and hold the power (side) button and choose Power off to turn the phone off completely.
2. Press and hold the power button to turn it back on. The instant the Samsung logo appears, press and hold Volume down until the lock screen loads.
3. You should see Safe mode in the bottom-left corner.

If you do not see the Safe mode label, you booted normally; just power off and try again. To leave Safe Mode later, simply restart the phone the usual way.

Here is the step most guides skip, and the one that explains why some apps refuse to uninstall. Malware often grabs two powerful permissions: device admin (which can block deletion and even lock or wipe the phone) and accessibility (a feature meant to help people with disabilities, which a bad app misuses to read your screen, capture what you type, and draw fake login boxes over real apps). If you tap Uninstall and the button is greyed out, one of these is the reason. Strip them in Safe Mode, where the app cannot fight back.

Revoke device admin:

• Pixel: Settings > Security & privacy > More security & privacy > Device admin apps. Turn off anything you do not recognize and confirm.
• Samsung: Settings > Security and privacy > More security settings > Device admin apps. Toggle off the suspect entry.

Revoke accessibility access:

• Pixel: Settings > Accessibility > Downloaded apps (or Installed services). Open each unfamiliar item and switch it off.
• Samsung: Settings > Accessibility > Installed apps. Turn off anything you did not deliberately set up.

A quick gut check: a wallpaper, flashlight, or simple game has no honest reason to need device admin or accessibility. Reading the screen is exactly what banking trojans want. Security analyses such as this Pradeo breakdown of accessibility abuse show how central these permissions are to modern Android attacks. Once you are clean, our guide to app lock tools is a sensible follow-up.

With the special powers gone, the app should remove cleanly. Still in Safe Mode:

1. Go to Settings > Apps (on Samsung it is Settings > Apps too; tap See all apps or the list).
2. Sort or scroll to find the suspect. Tap it to open App info.
3. Tap Force stop first. This kills any lingering process.
4. Tap Uninstall and confirm.

Not sure which app is the bad one? Sort the app list by install date if your phone offers it, and look at anything added right before the trouble started. Tap a suspect, open its Permissions, and ask whether they make sense: a small utility asking for SMS, call logs, and accessibility is a red flag. When in doubt, an app you do not remember installing and do not use is safe to remove, since legitimate apps can always be reinstalled from the Play Store. A tidy file manager can also help you spot stray APK files in your Downloads folder.

One thing that does not work: trying to uninstall while the app is actively running in normal mode. That is the usual reason people give up and assume the phone is broken. Safe Mode is what makes the Uninstall button cooperate.

Once the obvious app is gone, let Google's built-in scanner sweep the whole phone. Play Protect is free, already on every certified Android device, and per Google's own support page it checks apps as you install them and scans the device on a schedule, including apps that did not come from the Play Store. You can also trigger a scan yourself.

1. Restart the phone normally to leave Safe Mode (Play Protect needs the Play Store running).
2. Open the Google Play Store app.
3. Tap your profile picture in the top-right corner.
4. Tap Play Protect, then Scan.
5. If it flags anything, tap the warning and follow the prompt to remove it. Google removes the most dangerous apps for you and disables less severe ones.

Play Protect catches a lot, but it is not perfect against brand-new threats. If symptoms linger, a second opinion from a reputable scanner is reasonable. Pick one from a known security company rather than the first result in a search; our roundup of Android antivirus apps lists names worth trusting, and most offer a free on-demand scan that is plenty for a one-off cleanup. Run the scan, remove what it finds, then feel free to uninstall the scanner if you do not want it resident.

Removing the app is most of the battle. A few finishing touches keep it from coming back.

• Clear your browser data. In Chrome, tap the three-dot menu > Delete browsing data > choose Cookies and site data and Cached images and files, then delete. This clears redirect tricks and dodgy site permissions.
• Check which sites can send notifications. Chrome menu > Settings > Notifications > Site settings, and revoke any site you did not knowingly allow. A lot of fake "ads" are actually spammy web notifications, not malware at all.
• Review app notification access. Pixel: Settings > Notifications > App settings. Samsung: Settings > Notifications. Mute anything that is still nagging you.
• Turn airplane mode back off and watch battery and data for a day. If both look normal again, you are done.

You do not need a dedicated cleaner app for any of this; Android's own tools cover it. A reputable cleaner app can help with regular tidying, but treat the flashy "boost your phone" ones with caution, since some are the problem rather than the cure. A trustworthy VPN is worth having for public Wi-Fi, but it is for privacy, not malware removal.

If you have removed every suspect app, run Play Protect, cleared your browser, and the phone still misbehaves, a factory reset is the reliable last resort. It wipes the phone back to the state it left the factory in, so anything buried deep goes too. The trade-off is real: it erases everything on the device, so back up your photos, messages, and files first. Most things tied to your Google account come back when you sign in again, but local files do not.

Back up first. Settings > Google > Backup, and make sure it has run recently. Copy photos to Google Photos or a computer.

Then reset:

• Pixel: Settings > System > Reset options > Erase all data (factory reset) > Erase all data. Enter your PIN and confirm.
• Samsung: Settings > General management > Reset > Factory data reset > Reset > Erase all.

Google's official reset instructions cover the exact taps for each PIN and account prompt. One caution: after a reset the phone will ask for the Google account that was last signed in. This theft-deterrent feature, called Factory Reset Protection, means you should never reset a phone whose Google password you do not have. When you set it up again, restore from backup but reinstall apps deliberately, one by one, rather than all at once.

It helps to know where most Android malware comes from. The overwhelming majority arrives through sideloading, which means installing an app from outside the Play Store: an APK file from a website, a link in a message, or a third-party store. Google says apps installed this way carry malware at far higher rates, citing figures around 50 times more than apps from Google Play. That is why a single bad download can cause the symptoms in this guide.

This is changing in 2026. Google has begun rolling out a developer verification requirement, announced on the Android Developers Blog, that ties every installable app to an identity-checked developer, even apps you sideload. Verification opens to all developers in March 2026, with enforcement starting in a first group of countries (Brazil, Indonesia, Singapore, and Thailand) in September 2026 and expanding from there. The aim is accountability: if a malicious app is taken down, the same person cannot instantly publish ten more under a fresh anonymous name. Power users can still install their own builds through developer tools, but the casual "tap a random APK" path is being deliberately slowed down. If you want the full picture of what is shifting and how it affects the apps you already use, we cover it in detail in our explainer on the 2026 sideloading changes.

Until those protections are everywhere, the advice stays the same. Install from the Play Store whenever you can, treat APK links in texts and ads as guilty until proven innocent, and read the permission requests at install time. The moment an app asks for accessibility or device admin without a clear reason is the moment to back out.