Android IR · Stalkerware · Account Compromise

Android Unauthorized Access and Stalkerware Investigation

Independent forensic investigation of suspected Android compromise — stalkerware, spyware, rogue Device Admin apps, Accessibility Service abuse, Notification Listener abuse, unrecognized MDM profiles, and Google account takeover — with a defensible indicators-of-compromise report.

Quick Answer. Android compromise investigations focus on privileges rarely granted to legitimate consumer apps: Device Admin (device policy control), Accessibility Service (read every screen, tap any button), Notification Listener (read every notification), Draw over other apps, and Usage Access. Legitimate anti-theft and password managers request some of these; stalkerware requests all of them together and typically hides its launcher icon. On the account side, unexpected devices, unrecognized 2SV changes, and remote-wipe attempts are the primary indicators.

High-signal Android privileges

PrivilegeAOSP source of truthWhat it enables
Device Admindumpsys device_policy; /data/system/device_policies.xmlFull remote wipe, password reset, camera/mic control
Accessibility Service/data/system/users//settings_secure.xml — enabled_accessibility_servicesRead every screen, simulate taps, keylog effectively
Notification Listenersettings_secure.xml — enabled_notification_listenersRead every notification incl. OTPs and messages
Draw over other appsappops.xml — SYSTEM_ALERT_WINDOWOverlay legitimate UIs; phishing risk
Usage Accessappops.xml — GET_USAGE_STATSRead UsageStats — track every app used
Package installerappops.xml — REQUEST_INSTALL_PACKAGESSide-load additional payloads
Ignore battery optimizationsappops.xml + Doze whitelistRun continuously in background

The stalkerware fingerprint

Commercial stalkerware (“family-monitoring” apps repurposed against a partner) shares a distinctive fingerprint:

  • Device Admin + Accessibility + Notification Listener + Usage Access all granted to a single non-system package
  • Launcher icon hidden (PackageManager.COMPONENT_ENABLED_STATE_DISABLED)
  • Installed from an unknown installer (not com.android.vending) — e.g. com.android.packageinstaller or a browser package
  • Battery-optimization exemption
  • Persistent foreground service with a decoy notification
  • Outbound TLS to a stalkerware-vendor CN in netstats
  • SMS forwarding rules or the app requests READ_SMS/RECEIVE_SMS

We enumerate every installed package, cross-check installer and privileges, and produce an IoC report identifying suspect packages and the evidence supporting the identification.

Account-side compromise

Even without on-device malware, the Google account itself can be compromised — access via a stolen password or hijacked SIM. Indicators (via Google Takeout Access Log Activity and account audit):

  • Sign-ins from IPs geolocated far from the user’s activity
  • Unfamiliar devices in “Your devices”
  • Recovery phone/email changed shortly before the incident
  • 2SV method changes
  • Unrecognized third-party OAuth grants
  • Google Drive, Photos, or Gmail bulk downloads
  • Family Link or Google Home shares to unfamiliar accounts

Rogue configuration and MDM

Android supports Enterprise Mobility Management (EMM/MDM). A malicious profile installs a Work Profile or Device Owner state that persists across reboots and can silently install apps, read location, and enforce policy. We enumerate device owners (dumpsys device_policy), work profiles (pm list users), and configured DPCs, and compare to the user’s expected employment status.

SS7, SIM-swap, and OTP interception

Where account compromise happened without on-device malware and without a phishing sign-in, we investigate SIM-swap (carrier records: IMSI/ICCID change), SS7 message interception (rare but real), and OTP-forwarding rules on the account (Gmail filters, SMS forwarding). Carrier subpoenas obtained through counsel are frequently decisive.

Deliverables

We produce a written IoC report identifying:

  1. Every suspicious package with evidence (installer, privileges, timing)
  2. Account-side indicators from Takeout Access Log
  3. A remediation roadmap (safe removal, credential rotation, 2SV migration, hardening)
  4. Preservation guidance and chain-of-custody for any litigation

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Android forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Android Forensics hub for the full analytical framework we bring to every matter.

Related Android forensics pages

Frequently asked questions

Can stalkerware be detected reliably?

Commercial stalkerware leaves a distinctive privilege and network fingerprint; detection is highly reliable when we have logical access to the device. Nation-state-grade spyware (Pegasus/Predator) is much harder and requires network-level analysis of iOS-equivalent tools plus specialized indicators-of-compromise scans.

Should I just factory-reset the phone?

A factory reset removes most consumer stalkerware, but destroys evidence. If the matter is or may become litigious, preserve first (forensic image) and reset later.

How do I know if my Google account is still compromised after a password change?

Rotate password, revoke every session (“Sign out of all sessions”), rotate 2SV to hardware keys or an authenticator app (not SMS), audit third-party OAuth, and check Access Log for any post-reset foreign sign-ins.

Can I safely confront the person I suspect installed the app?

Not without a safety plan. Confronting an abuser before evidence is preserved often escalates the situation. Consult counsel and, where applicable, domestic-violence advocates before acting.

Ready to move on your android unauthorized access and stalkerware investigation matter?

Tell us about the device, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Android Open Source Project — Security and Storage. source.android.com
  2. Google Takeout — export account data. takeout.google.com
  3. NIST SP 800-101 Rev.1 — Guidelines on Mobile Device Forensics. csrc.nist.gov
  4. Federal Rule of Evidence 702. www.rulesofevidence.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#AndroidForensics #MobileForensics #DFIR #EliteDigitalForensics #Stalkerware #Spyware #AccountCompromise

Assistant Icon Elite Digital Forensics Assistant
👋 Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime. 

IMPORTANT: Please remember to check your spam or junk folder