If your phone is behaving strangely, the short version of how to remove android malware is this: boot into safe mode so nothing third-party can run, work out which app is the culprit, strip its device-admin and accessibility privileges, uninstall it, then reboot and verify. If you cannot find it, or the phone will not let you remove it, a factory reset from a clean backup is the reliable cure. Most “infections” turn out to be aggressive adware or a dodgy sideloaded app, not something exotic. This is the Android malware removal guide of The Apkcort.
First, Work Out Whether You Actually Have Malware
A surprising share of suspected infections are not infections. Before you start tearing your phone apart, rule out the boring explanations, because the fix is completely different.
A phone that has become slow and hot after an update is usually just re-indexing, re-downloading app data and rebuilding caches. Give it a day on charge. A phone with sudden battery drain often has one badly behaved but entirely legitimate app — a social media app with a background sync bug, or a fitness app holding a wake lock. A phone showing ads inside a free app is showing you the free app’s business model, not malware.
The signs that genuinely point at something malicious are more specific:
Symptoms worth taking seriously
Ads appearing outside any app. Full-screen adverts on your home screen, on the lock screen, or over other apps. Legitimate apps cannot generally do this. This is the classic signature of adware, and it is by far the most common real infection people encounter.
Apps you did not install. Particularly ones with generic names and generic icons, or ones that do not appear in the app drawer but do appear in Settings.
Settings that will not stay changed. You disable something, and it re-enables itself. You uninstall something, and it comes back. That indicates a second component reinstalling the first, or an app holding device-admin rights.
Unexplained data usage or SMS charges. Premium-rate SMS fraud is old but not extinct. Check your mobile data usage per app in Settings.
Your browser homepage or search engine has changed and will not change back.
Accounts being accessed from places you have never been. This is the serious one, and it changes your priorities: if credentials may be compromised, securing your accounts from a different, trusted device comes before cleaning the phone.
A “virus detected” pop-up in your browser. This one is always fake. Always. No web page can scan your phone. It is a scare-ware advert trying to get you to install the actual malware. Close the tab. Do not tap anything inside it.
Before You Touch Anything: Contain the Damage
If there is any chance an app has been reading your screen or your messages, the order of operations matters. Cleaning the phone first and changing passwords afterwards is fine. Changing passwords on the infected phone first is not, because you may simply be handing the new ones over.
So: if you suspect credential theft, use a different device — a laptop, a family member’s phone — to change the password on your primary email account first, then on your banking and financial accounts, then on anything else that matters. Sign out all other sessions where the service offers that option. Enable two-factor authentication if you have not already. Only then come back and deal with the phone.
If you have banking apps installed and you are genuinely worried, it is not paranoid to ring your bank and tell them. They would rather have a false alarm than a fraud claim.
Step One: Boot Into Safe Mode
Safe mode starts Android with only the system apps running. Every third-party app — including anything malicious — is disabled. This is enormously useful for two reasons. First, it tells you immediately whether the problem is a downloaded app at all: if the pop-up ads stop in safe mode, you have your answer. Second, it stops the malicious app from interfering with you while you try to remove it, which some of them actively do.
On most Android phones, you get there by holding the power button until the power menu appears, then pressing and holding the “Power off” option until you are offered “Reboot to safe mode”. Confirm, and the phone restarts with “Safe mode” displayed in the corner of the screen. The exact gesture varies slightly by manufacturer, so if that does not work, search for the method for your specific model.
Spend a few minutes in safe mode. Do the ads stop? Does the battery drain calm down? Does the phone stop rebooting? If yes, a downloaded app is responsible and you can go and find it. If the symptoms persist even in safe mode, the cause is either a system-level problem, a hardware fault, or something pre-installed — and your realistic options narrow to a factory reset or a trip to a repair centre.
Step Two: Revoke the Privileges That Block Removal
This is the step most people miss, and it is the reason they end up saying “it won’t let me uninstall it”.
Malicious apps commonly hold one of two special privileges, and both of them can prevent normal uninstallation.
Device admin apps
Device administrator is a legacy privilege intended for corporate device management — it lets an app enforce password policies and remotely wipe the phone. It also means the app cannot be uninstalled while the privilege is active. Malware abuses it purely as an anti-removal mechanism.
Go to Settings and search for “device admin” — depending on your version it lives under Security, or Security and privacy, or under a “Device admin apps” entry. You will see a list. Legitimate entries are things like Find My Device, or a genuine work profile management app if your employer issued the phone. Anything else — especially something with a name you do not recognise — should be deactivated. Once deactivated, the app becomes uninstallable.
Accessibility services
Accessibility exists so screen readers and switch-control apps can read the screen and act on your behalf. It is also the single most abused permission on Android, because it is exactly what a banking trojan needs: the ability to see what is on screen and tap things for you.
Go to Settings, Accessibility, and look at “Downloaded apps” or “Installed services”. Anything enabled there that is not obviously an accessibility tool — and that you did not deliberately turn on — should be switched off. Some malware will try to redirect you away from this screen when you open it; safe mode prevents that, which is why we are doing this in safe mode.
Notification access, usage access and “display over other apps”
Three more to check. Notification access lets an app read the contents of your notifications, including one-time codes. Usage access lets it see which apps you use and when. “Display over other apps” — sometimes called draw-over-apps or appear-on-top — is what enables the overlay ads and the fake login screens drawn on top of real apps. Each has its own list in Settings under Apps, Special app access. Revoke anything you do not recognise or cannot justify.
Step Three: Identify and Uninstall the Culprit
Now go to Settings, Apps, and choose “See all apps”. Do not rely on the home screen or the app drawer — plenty of malicious apps hide their launcher icon, which is why they seem invisible.
Sort the list and look for anything you do not recognise. Useful heuristics: generic names (“System Service”, “Device Health”, “Update Manager”), blank or default icons, apps with an install date that matches roughly when the problems started, and apps with an “installed from” source of something other than the Play Store. On most modern Android versions you can tap an app, scroll to App info, and see where it came from — Play Store, or “installed from unknown source”.
Check battery and data usage too. Settings, Battery, and Settings, Network and internet, Data usage. An app burning through battery or data while you are not using it is a strong lead.
When you have your suspect, tap Uninstall. If the button is greyed out, you missed a privilege — go back to step two. If the app is a system app that cannot be uninstalled but you did not put it there, you can usually Disable it, which is nearly as good.
The important warning: it is often not just one app
Dropper apps exist precisely so that the visible app and the harmful payload are different things. Removing the obvious adware and finding it back a day later usually means a second app is quietly reinstalling it. When you find one bad app, look hard at everything installed within a few days either side of it, and be ruthless.
Step Four: Reboot, Verify, and Run a Scan
Restart the phone normally — out of safe mode. Watch it for a while. Do the symptoms come back?
Now open the Play Store, tap your profile icon, and choose Play Protect. Run a manual scan. Make sure “Improve harmful app detection” is on, which sends unknown apps to Google for analysis. Play Protect is the built-in scanner and, for most people, it is the only scanner they need — a point we make at length in our guide to the best Android security apps.
If you want a second opinion, install a single scanner from a long-established security vendor, run it, and then decide whether to keep it. Do not install four of them. They do not stack.
Also clean up the browser
Malicious sites often leave you with unwanted notification permissions — that is why some people see “news alerts” and gambling ads sliding in from a website they visited once. In Chrome, go to Settings, Site settings, Notifications, and revoke everything you did not deliberately allow. Do the same for any other browser you use. While you are there, clear the browsing data and check that your homepage and default search engine are what you expect.
Step Five: If It Will Not Go Away, Factory Reset
There is no shame in this, and it is not a failure. A factory reset is the only method that is genuinely guaranteed to remove a userspace infection, and it takes far less time than three days of increasingly desperate troubleshooting. If you have found and removed apps twice and the symptoms keep returning, stop fiddling and reset.
The critical part is the order. Back up first, but back up carefully:
Back up your photos, videos, documents and contacts. Google Photos, your preferred cloud storage, or a cable to a computer.
Do not restore an app backup that includes the infected app. This is the mistake that makes people reset three times. Android’s automatic backup can restore your app list, which will happily reinstall the very thing you were trying to remove. When you set the phone up again, decline the “restore apps from backup” option, or restore only settings and reinstall your apps by hand from the Play Store.
Do not restore a full app-data backup of the suspect app either. Data alone is not usually the vector, but if the app was a dropper, its data directory may contain the payload.
The reset itself lives in Settings, System, Reset options, Erase all data (factory reset). Have your Google account password to hand — factory reset protection will ask for it on first boot, which is a good anti-theft feature and an infuriating one if you have forgotten the password.
After the reset, set up the phone deliberately. Install only the apps you actually use. This is a good moment to notice how many you were carrying that you never opened. If you want a structured approach to backing up properly so this is painless next time, see how to back up an Android phone.
What Type of Problem Do You Actually Have?
Different symptoms point at different classes of problem, and the right response varies quite a lot.
| What you are seeing | Most likely cause | Right response | Urgency |
|---|---|---|---|
| Full-screen ads outside apps, overlay ads | Adware, usually a sideloaded or recently installed free app | Safe mode, revoke “display over other apps”, uninstall | Annoying, not dangerous |
| Fake login screen appearing over your banking app | Banking trojan using accessibility and overlay permissions | Contact your bank now, then clean or reset the phone | Serious — act immediately |
| App reinstalls itself after removal | A second dropper app you have not found yet | Safe mode, audit every app installed around the same date | High — you have missed something |
| Website notifications you never agreed to | Browser notification permission granted by a dodgy site | Browser settings, revoke site notifications. Not malware. | Low |
| “Your phone is infected!” pop-up while browsing | Scareware advert. Entirely fake. | Close the tab. Install nothing it recommends. | None — unless you tapped it |
| Battery drain and heat, no ads, no odd apps | Usually a legitimate misbehaving app or a recent update | Check battery usage per app. Not a malware problem. | Low |
| Files renamed, ransom message on screen | Screen-locking ransomware | Safe mode, remove device-admin, uninstall. Never pay. | High, but usually recoverable |
| Symptoms persist even in safe mode | Pre-installed software, system issue, or hardware fault | Factory reset; if that fails, repair centre | Depends |
The Mistakes People Make While Cleaning Up
Installing a “cleaner” app to fix it. The category of “phone cleaner and virus remover” apps is one of the least trustworthy on the platform. A meaningful number of them are themselves adware. If you are already dealing with an infection, do not solve it by installing another app of exactly the kind you cannot verify.
Installing five scanners. They flag each other, they fight for background execution, and they collectively make the phone worse. One is enough. Play Protect is already running.
Tapping the pop-up. The fake “virus detected” advert is trying to get you to install something. Sometimes the something is a subscription scam and sometimes it is real malware. Either way, closing the tab costs nothing.
Restoring from the infected backup. Covered above, but it bears repeating, because it is the single most common reason a factory reset “does not work”.
Rooting the phone to “clean it properly”. Rooting will not help you here and will make you materially less safe afterwards, as well as breaking your banking apps. If you are curious why, we go through it in how to root Android — and whether you should.
Ignoring the source of the problem. If you got the infection by installing a “premium unlocked” app from a random site, cleaning the phone and then doing it again next week is not a strategy. It is a subscription. Read the risks of modded APKs, and read are APK files safe for the broader picture.
Making Sure It Does Not Happen Again
Almost every real Android infection arrives by one of three routes, and all three are avoidable.
The first is a sideloaded app from an untrustworthy source. If you install APKs, install them from the developer’s own site or a repository with verifiable signatures, and verify the signing certificate matches what you had before. Our walkthrough on how to install an APK safely covers the checks that matter.
The second is a permission you granted without thinking. Accessibility access is the big one. Notification access is the sneaky one. If an app asks for either and it is not an accessibility tool or a notification-management tool, that is the moment to stop.
The third is a link in a message. Delivery notifications, bank alerts, prize claims, “is this you in this photo”. The payload is a page that persuades you to install something. Never install an app because a link told you to.
Beyond that: keep automatic updates on, so that the monthly security patch actually lands. Keep Play Protect on. Audit your installed apps every few months and remove what you do not use. And keep a working backup, so that the nuclear option is always available to you at low cost. A person who can factory reset without losing anything is a person who can never really be held hostage by their phone.
Quick Reference: Removing Android Malware
- Do boot into safe mode first — it disables every downloaded app, which both diagnoses the problem and stops the malware interfering while you remove it.
- Do revoke device admin and accessibility access before you try to uninstall; a greyed-out Uninstall button almost always means one of those is still active.
- Don’t install a “cleaner” or “virus remover” app to fix it — that category is a common source of the very adware you are trying to get rid of.
- Don’t restore the automatic app backup after a factory reset; it will cheerfully reinstall the infected app and you will be back where you started.
- Do change your passwords from a different, clean device first if you think credentials may have been captured, starting with your email account.
Frequently Asked Questions
Can Android malware survive a factory reset?
In the overwhelming majority of real cases, no. A factory reset wipes the userspace partitions and removes anything you installed. The exceptions are pre-installed software shipped in the firmware and, very rarely, malware that has embedded itself in the system partition on a device with a compromised or unofficial ROM. If symptoms genuinely persist after a clean reset with no backup restore, you are looking at a firmware-level problem and a repair centre or manufacturer support is your next stop.
Why can’t I uninstall the app?
Because it holds device administrator privileges, or an accessibility service is being used to close the uninstall dialog before you can confirm. Boot into safe mode, go to Settings and deactivate it as a device admin, disable any accessibility service you did not intentionally enable, then uninstall. This solves the “uninstall button is greyed out” problem in nearly every case.
Do I need to pay for an antivirus app to clean my phone?
No. Play Protect is built in, free, and does the scanning. The manual steps in this guide — safe mode, revoke privileges, uninstall, verify — will fix the vast majority of real infections without any paid software. A single reputable scanner as a second opinion is reasonable; a paid “security suite” with a VPN and a cleaner bundled in is not something you need to buy in order to remove malware.
Is the “your phone is infected” message in my browser real?
No. It is always fake. A web page has no ability to scan your device, and no legitimate security product advertises itself with a flashing red full-screen warning on a random website. It is a scareware advert designed to get you to install something you should not. Close the tab and do not interact with it.
How did I get malware if I only use the Play Store?
It is uncommon, but not impossible — apps do occasionally slip past review, particularly ones that behave well for a few weeks and then start misbehaving after an update. More often, though, the answer is that something else happened: a link in a message that led to a sideload, an app installed by someone else who borrowed the phone, or a browser notification permission that you have mistaken for an infection. Check the “installed from” source of your apps in Settings before assuming.
Final Thoughts
Removing malware from an Android phone is far less mysterious than it feels in the moment. The platform gives you a genuinely powerful tool in safe mode, and once you understand that the two privileges standing between you and a clean phone are device admin and accessibility, almost every case becomes a ten-minute job. Work methodically: confirm it is really an app, boot to safe mode, strip the privileges, uninstall, reboot, verify. If it comes back, look for the second app. If it still comes back, reset — and be disciplined about not restoring the infection along with your wallpaper. Then spend a moment on the honest post-mortem about how it got there, because the fix for that is habits rather than software, and habits are the only thing that keeps working after you put the phone down.
Explore more honest Android guides, APK explainers and app reviews across The Apkcort.


