- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic investigation of suspected Android compromise — stalkerware, spyware, rogue Device Admin apps, Accessibility Service abuse, Notification Listener abuse, unrecognized MDM profiles, and Google account takeover — with a defensible indicators-of-compromise report.
Quick Answer. Android compromise investigations focus on privileges rarely granted to legitimate consumer apps: Device Admin (device policy control), Accessibility Service (read every screen, tap any button), Notification Listener (read every notification), Draw over other apps, and Usage Access. Legitimate anti-theft and password managers request some of these; stalkerware requests all of them together and typically hides its launcher icon. On the account side, unexpected devices, unrecognized 2SV changes, and remote-wipe attempts are the primary indicators.
| Privilege | AOSP source of truth | What it enables |
|---|---|---|
| Device Admin | dumpsys device_policy; /data/system/device_policies.xml | Full remote wipe, password reset, camera/mic control |
| Accessibility Service | /data/system/users/ | Read every screen, simulate taps, keylog effectively |
| Notification Listener | settings_secure.xml — enabled_notification_listeners | Read every notification incl. OTPs and messages |
| Draw over other apps | appops.xml — SYSTEM_ALERT_WINDOW | Overlay legitimate UIs; phishing risk |
| Usage Access | appops.xml — GET_USAGE_STATS | Read UsageStats — track every app used |
| Package installer | appops.xml — REQUEST_INSTALL_PACKAGES | Side-load additional payloads |
| Ignore battery optimizations | appops.xml + Doze whitelist | Run continuously in background |
Commercial stalkerware (“family-monitoring” apps repurposed against a partner) shares a distinctive fingerprint:
PackageManager.COMPONENT_ENABLED_STATE_DISABLED)com.android.vending) — e.g. com.android.packageinstaller or a browser packageREAD_SMS/RECEIVE_SMSWe enumerate every installed package, cross-check installer and privileges, and produce an IoC report identifying suspect packages and the evidence supporting the identification.
Even without on-device malware, the Google account itself can be compromised — access via a stolen password or hijacked SIM. Indicators (via Google Takeout Access Log Activity and account audit):
Android supports Enterprise Mobility Management (EMM/MDM). A malicious profile installs a Work Profile or Device Owner state that persists across reboots and can silently install apps, read location, and enforce policy. We enumerate device owners (dumpsys device_policy), work profiles (pm list users), and configured DPCs, and compare to the user’s expected employment status.
Where account compromise happened without on-device malware and without a phishing sign-in, we investigate SIM-swap (carrier records: IMSI/ICCID change), SS7 message interception (rare but real), and OTP-forwarding rules on the account (Gmail filters, SMS forwarding). Carrier subpoenas obtained through counsel are frequently decisive.
We produce a written IoC report identifying:
Elite Digital Forensics is an independent, defense-aligned Android forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Android Forensics hub for the full analytical framework we bring to every matter.
Commercial stalkerware leaves a distinctive privilege and network fingerprint; detection is highly reliable when we have logical access to the device. Nation-state-grade spyware (Pegasus/Predator) is much harder and requires network-level analysis of iOS-equivalent tools plus specialized indicators-of-compromise scans.
A factory reset removes most consumer stalkerware, but destroys evidence. If the matter is or may become litigious, preserve first (forensic image) and reset later.
Rotate password, revoke every session (“Sign out of all sessions”), rotate 2SV to hardware keys or an authenticator app (not SMS), audit third-party OAuth, and check Access Log for any post-reset foreign sign-ins.
Not without a safety plan. Confronting an abuser before evidence is preserved often escalates the situation. Consult counsel and, where applicable, domestic-violence advocates before acting.
Tell us about the device, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant