Most of the time, a phone acting strange is just a tired battery or an app that needs an update. But once in a while the cause is something nastier: a hidden app quietly showing ads, reading your screen, or trying to get at your bank login. The good news is that you almost never need a repair shop or paid software to fix this. Android gives you everything required to find the bad app and pull it out by hand, and the built-in scanner catches most of the rest. This walkthrough goes step by step, with the exact menu paths for Pixel phones and for Samsung's One UI, since those two differ more than people expect. Take it slowly. Nothing here will damage your phone, and you can stop once things feel normal again.
Before you change anything, it helps to be sure you have a real problem and not a coincidence. Any single one of these can have an innocent cause. Two or three together is a much stronger signal.
One note: a real Android virus that spreads on its own is rare. What people call a virus is almost always an aggressive app that someone installed, which is reassuring, because the fix is usually to find that one app and remove it. Vendors like McAfee list the same handful of symptoms, so trust the pattern over any single clue.
Before you start poking around, disconnect the phone. This stops a misbehaving app from sending your data out or receiving new commands while you work, and you can turn things back on in a minute.
If you think the infection arrived through a banking or shopping session, this is also a good moment, on a different trusted device, to change that account password. Do not type sensitive passwords into the suspect phone until it is clean.
Safe Mode is the single most useful trick here. It tells Android to load only the apps that came with the phone and leave every app you installed switched off, so the malicious app cannot run, show overlays, or block its own removal while you work. You are not deleting anything; you are just booting with the third-party stuff paused.
On a Pixel (and most stock Android phones):
On a Samsung Galaxy (One UI):
If you do not see the Safe mode label, you booted normally; just power off and try again. To leave Safe Mode later, simply restart the phone the usual way.
Here is the step most guides skip, and the one that explains why some apps refuse to uninstall. Malware often grabs two powerful permissions: device admin (which can block deletion and even lock or wipe the phone) and accessibility (a feature meant to help people with disabilities, which a bad app misuses to read your screen, capture what you type, and draw fake login boxes over real apps). If you tap Uninstall and the button is greyed out, one of these is the reason. Strip them in Safe Mode, where the app cannot fight back.
Revoke device admin:
Revoke accessibility access:
A quick gut check: a wallpaper, flashlight, or simple game has no honest reason to need device admin or accessibility. Reading the screen is exactly what banking trojans want. Security analyses such as this Pradeo breakdown of accessibility abuse show how central these permissions are to modern Android attacks. Once you are clean, our guide to app lock tools is a sensible follow-up.
With the special powers gone, the app should remove cleanly. Still in Safe Mode:
Not sure which app is the bad one? Sort the app list by install date if your phone offers it, and look at anything added right before the trouble started. Tap a suspect, open its Permissions, and ask whether they make sense: a small utility asking for SMS, call logs, and accessibility is a red flag. When in doubt, an app you do not remember installing and do not use is safe to remove, since legitimate apps can always be reinstalled from the Play Store. A tidy file manager can also help you spot stray APK files in your Downloads folder.
One thing that does not work: trying to uninstall while the app is actively running in normal mode. That is the usual reason people give up and assume the phone is broken. Safe Mode is what makes the Uninstall button cooperate.
Once the obvious app is gone, let Google's built-in scanner sweep the whole phone. Play Protect is free, already on every certified Android device, and per Google's own support page it checks apps as you install them and scans the device on a schedule, including apps that did not come from the Play Store. You can also trigger a scan yourself.
Play Protect catches a lot, but it is not perfect against brand-new threats. If symptoms linger, a second opinion from a reputable scanner is reasonable. Pick one from a known security company rather than the first result in a search; our roundup of Android antivirus apps lists names worth trusting, and most offer a free on-demand scan that is plenty for a one-off cleanup. Run the scan, remove what it finds, then feel free to uninstall the scanner if you do not want it resident.
Removing the app is most of the battle. A few finishing touches keep it from coming back.
You do not need a dedicated cleaner app for any of this; Android's own tools cover it. A reputable cleaner app can help with regular tidying, but treat the flashy "boost your phone" ones with caution, since some are the problem rather than the cure. A trustworthy VPN is worth having for public Wi-Fi, but it is for privacy, not malware removal.
If you have removed every suspect app, run Play Protect, cleared your browser, and the phone still misbehaves, a factory reset is the reliable last resort. It wipes the phone back to the state it left the factory in, so anything buried deep goes too. The trade-off is real: it erases everything on the device, so back up your photos, messages, and files first. Most things tied to your Google account come back when you sign in again, but local files do not.
Back up first. Settings > Google > Backup, and make sure it has run recently. Copy photos to Google Photos or a computer.
Then reset:
Google's official reset instructions cover the exact taps for each PIN and account prompt. One caution: after a reset the phone will ask for the Google account that was last signed in. This theft-deterrent feature, called Factory Reset Protection, means you should never reset a phone whose Google password you do not have. When you set it up again, restore from backup but reinstall apps deliberately, one by one, rather than all at once.
It helps to know where most Android malware comes from. The overwhelming majority arrives through sideloading, which means installing an app from outside the Play Store: an APK file from a website, a link in a message, or a third-party store. Google says apps installed this way carry malware at far higher rates, citing figures around 50 times more than apps from Google Play. That is why a single bad download can cause the symptoms in this guide.
This is changing in 2026. Google has begun rolling out a developer verification requirement, announced on the Android Developers Blog, that ties every installable app to an identity-checked developer, even apps you sideload. Verification opens to all developers in March 2026, with enforcement starting in a first group of countries (Brazil, Indonesia, Singapore, and Thailand) in September 2026 and expanding from there. The aim is accountability: if a malicious app is taken down, the same person cannot instantly publish ten more under a fresh anonymous name. Power users can still install their own builds through developer tools, but the casual "tap a random APK" path is being deliberately slowed down. If you want the full picture of what is shifting and how it affects the apps you already use, we cover it in detail in our explainer on the 2026 sideloading changes.
Until those protections are everywhere, the advice stays the same. Install from the Play Store whenever you can, treat APK links in texts and ads as guilty until proven innocent, and read the permission requests at install time. The moment an app asks for accessibility or device admin without a clear reason is the moment to back out.
No. For a one-off cleanup, Safe Mode plus a manual uninstall plus a free Google Play Protect scan handles the large majority of cases at zero cost. A paid app adds ongoing monitoring and extra detection, which is nice to have but not required to remove an infection you have already found. If you want a second scan, most reputable antivirus apps offer a free on-demand check.
That means the app holds device admin rights, which block deletion. Go to Settings and revoke device admin for that app first (Pixel: Security & privacy > More security & privacy > Device admin apps; Samsung: Security and privacy > More security settings > Device admin apps). Also turn off any accessibility access it has. Do this in Safe Mode so the app cannot re-enable itself, then the Uninstall button will work.
For nearly every consumer case, yes. A factory reset wipes installed apps and their data, so a malicious app cannot survive it. The rare exception is malware in the system partition of a rooted device, which is unusual for an ordinary phone. The bigger risk is to you: it erases your photos and files too, so back them up first and make sure you know the Google account password the phone will ask for afterward.
Both platforms can be targeted, but the mechanics differ. The kind of infection in this guide, where you install a bad app from outside the official store, is far more common on Android precisely because Android lets you sideload. iPhones restrict installs to the App Store by default, which closes that path. That same openness is what Android's 2026 developer-verification rules are trying to make safer without removing it entirely.
Almost always no. A web page or notification that screams your phone has a virus and tells you to tap to clean it is itself the scam, usually trying to get you to install something harmful or pay for fake software. Real malware stays quiet. Close the tab, and revoke notification permission for that site in Chrome under Settings > Notifications > Site settings. Never tap the button inside one of these alerts.
Stick to the Play Store, and be wary of APK files sent by message or offered by random websites. Read permission requests at install time and refuse anything asking for accessibility or device admin without a genuine reason. Keep your phone updated, since security patches close the holes malware uses, and run a Play Protect scan now and then. These few habits prevent the vast majority of repeat infections.