
Recover a Hacked Android Phone — Spyware Removal & Account Lockdown
Android's openness is a double-edged sword. We use ADB-level acquisition, accessibility-service auditing and Play Protect log analysis to find what hides in plain sight, then walk you through a verified clean-state restore.
How to Tell If Your Android Phone Is Hacked
Android's threat model is fundamentally different from iOS's. The dominant attack class is not zero-click exploitation but accessibility-service abuse: a malicious APK talks you into granting it the Accessibility permission, then uses it to read every screen, type into every form, and click through the prompts that hand it Device Admin. Once that combination is in place, the attacker effectively owns the device.
The second large category is the banking trojan family — Anatsa, Hydra, Cerberus, ERMAC, SharkBot. These hide inside seemingly benign 'PDF viewer' or 'flashlight' apps on Google Play and sideloaded stores, then overlay phishing screens on top of legitimate banking apps the moment you launch them. Symptoms are usually noticed only after money has already left the account.
Stalkerware on Android is more capable than on iOS because no jailbreak is required. mSpy, Cocospy, KidsGuard Pro, and the various 'Find My Family' clones can be installed in under three minutes by anyone with physical access and your unlock code. Many vendors explicitly market a 'stealth mode' that hides the launcher icon, so often the only signs you have one are unexplained battery drain and an app you don't recognise under Settings → Apps → Show System.
Beyond the device itself, your Google account is the crown jewel. A compromised Google account exposes Gmail, Drive, Photos, Maps Timeline, Authenticator codes, saved Chrome passwords and, on most modern Android phones, a full restorable cloud backup of every app's data. The first place we always look in a recovery is myaccount.google.com → Security → Your Devices.
- Battery drains noticeably faster than it used to on a phone less than 18 months old
- Mobile data usage by 'Google Play Services' or 'System UI' suddenly doubles
- Apps you don't remember installing appear in Settings → Apps → Show System
- Accessibility services enabled for apps that have no business with them
- Device admin entries you don't recognise (an app holding Device Admin can't be uninstalled until that role is deactivated)
- Play Protect showing as turned off when you never turned it off
- SMS confirmation codes for banking transactions you didn't make
- Unfamiliar devices in your Google or Samsung account
Our Android Forensic Recovery Methodology
Android forensics is a moving target because every OEM ships a different security model. Pixel devices give us verified-boot state evidence and predictable adb and fastboot behaviour; Samsung adds Knox attestation; Xiaomi and OPPO require bootloader-unlock workflows that themselves wipe user data. The methodology below is the lowest-common-denominator pipeline that we adapt per case.
Phase 1 — live triage over ADB. With USB debugging enabled (and only after recording the current settings), we pull the installed-package list with every APK, the enabled accessibility services, the active device admins, and the dumpsys output for battery, netstats and notification history. /data/system/packages.xml comes too where we have root; it is unreadable over a plain adb shell. This alone identifies most consumer stalkerware in under fifteen minutes.
Phase 2 — full filesystem image where authorised and supported. On Qualcomm-based devices for which a signed EDL programmer is available, we boot into EDL (Emergency Download) mode and read the userdata partition for offline analysis without ever booting the compromised OS. On MediaTek silicon we use the SP Flash Tool readback path. Pixel devices unlock via fastboot for verified-boot teardown, but unlocking wipes userdata, so that only happens after Phase 1 evidence is captured. On any device with file-based encryption the raw userdata image is ciphertext without the device's keys, so Phase 2 complements Phase 1 rather than replacing it.
Phase 3 — account remediation. Even more than on iOS, the Google account is where the real damage lives. We rotate the password from a clean device, sign out every active session, revoke OAuth tokens for third-party apps (this is where attackers love to persist), enrol a hardware security key, and turn on Advanced Protection Program for high-risk clients.
```shell
# ADB triage snapshot, run from a clean workstation
$ adb shell pm list packages -f -3 > installed_third_party.txt
$ adb shell settings get secure enabled_accessibility_services
$ adb shell dumpsys device_policy          # active device admins (dpm list-owners shows only device/profile owners)
$ adb shell dumpsys notification --noredact > notifications.log
$ adb shell dumpsys netstats detail > netstats.log
# Pull suspect APK for offline reversing (use the path pm prints; ~~xyz== below is a placeholder)
$ adb shell pm path com.suspect.app
$ adb pull /data/app/~~xyz==/com.suspect.app-xyz==/base.apk
# Static triage with apkanalyzer + jadx
$ apkanalyzer manifest permissions base.apk
$ jadx -d ./decompiled base.apk
```
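The Phase 1 output is collected with adb but read on the workstation, so the analysis below is in Python. It is an added example, not the page's own tooling: it consumes the text that `settings get secure enabled_accessibility_services` and `dumpsys device_policy` print and flags every accessibility service or active device admin whose package is not on an allowlist, escalating to critical when one package holds both roles. The two sample outputs, the allowlists and the package `com.sys.service` are constructed for this example, and the `dumpsys device_policy` layout it parses is an assumption based on recent Android builds that you should check against your own device.

```python
"""Offline triage of the Phase 1 ADB snapshot (added example, not the page's tooling)."""
import re
from dataclasses import dataclass

# Assumption for the example: extend per client (accessibility apps they rely on,
# their employer's MDM agent, and so on).
ALLOWED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",  # Android Accessibility Suite (TalkBack, Switch Access)
}
ALLOWED_DEVICE_ADMINS = {
    "com.google.android.gms",  # Find My Device's admin receiver
}

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Components are colon-separated; the short "pkg/.Class" form is valid.
ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.sys.service/.AccService"
)

# Constructed sample of the relevant part of `dumpsys device_policy` (layout assumed).
DEVICE_POLICY_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}:
      uid=10101
      testOnlyAdmin=false
      policies:
        wipe-data
    ComponentInfo{com.sys.service/com.sys.service.AdminReceiver}:
      uid=10342
      testOnlyAdmin=false
      policies:
        wipe-data
        reset-password

  mPasswordOwner=-1
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "accessibility" or "device-admin"
    package: str
    component: str  # fully qualified class name
    severity: str   # "high", or "critical" when one package holds both roles


def parse_components(setting: str) -> list[tuple[str, str]]:
    """Split a colon-separated component list into (package, class) pairs.
    `settings get` prints the literal string 'null' when nothing is set."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    pairs = []
    for comp in setting.split(":"):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):  # short form: class is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_device_admins(dump: str) -> list[tuple[str, str]]:
    """Collect ComponentInfo{pkg/cls} entries under 'Enabled Device Admins'.
    The block ends at the first non-blank line that dedents back to the header."""
    admins, in_block, header_indent = [], False, 0
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            in_block, header_indent = True, indent
            continue
        if in_block and line.strip() and indent <= header_indent:
            in_block = False
        if in_block:
            m = re.search(r"ComponentInfo\{([^/}]+)/([^}]+)\}", line)
            if m:
                admins.append((m.group(1), m.group(2)))
    return admins


def triage(accessibility_setting: str, device_policy_dump: str) -> list[Finding]:
    """Return every non-allowlisted accessibility service and device admin.
    A package holding both is the 'owns the device' combination: critical."""
    acc = [(p, c) for p, c in parse_components(accessibility_setting)
           if p not in ALLOWED_ACCESSIBILITY]
    adm = [(p, c) for p, c in parse_device_admins(device_policy_dump)
           if p not in ALLOWED_DEVICE_ADMINS]
    both = {p for p, _ in acc} & {p for p, _ in adm}

    def severity(pkg: str) -> str:
        return "critical" if pkg in both else "high"

    return ([Finding("accessibility", p, c, severity(p)) for p, c in acc]
            + [Finding("device-admin", p, c, severity(p)) for p, c in adm])


if __name__ == "__main__":
    for f in triage(ACCESSIBILITY_SETTING, DEVICE_POLICY_DUMP):
        print(f"[{f.severity}] {f.kind}: {f.package} ({f.component})")
```

In a real engagement, pipe `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` into files and pass their contents to `triage()`; anything from a package you cannot account for goes onto the evidence list before it is touched.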

Android Spyware & RAT Families We Identify
We classify infections so the response matches the threat. Sledgehammers fail against precision attacks, and vice versa.
Banking trojans (Anatsa, Hydra, ERMAC, SharkBot, Octo): distributed via 'dropper' apps on Play, abuse Accessibility to overlay credential prompts, often paired with an SMS-stealer to defeat 2FA. Removal must include rotating every banking credential, not just uninstalling the app.
Commercial stalkerware (mSpy, FlexiSPY, Cocospy, KidsGuard, Hoverwatch): require physical access to install, often hide their launcher icon, persist via Device Admin. The forensic interest is usually documenting them for legal proceedings, not just removing them.
Nation-state and grey-market (Predator, Reign Android variants, Hermit): rarer in consumer cases, deployed via SMS phishing or carrier-injected redirects, persist across reboots via /system modifications on rooted devices. Require full filesystem acquisition to confirm.
Adware-with-teeth (HiddenAds, Joker, Harly): the long tail. Not as dangerous individually but they exfiltrate contacts, SMS, and clipboard contents — enough to seed the next, more targeted attack.
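The families above are separated in practice by what a pulled APK asks for in its manifest, which is why Phase 1 ends with `apkanalyzer` and `jadx`. The following is an added example, not the page's own classifier or any vendor's signature: it parses the XML that `apkanalyzer manifest print base.apk` (or the AndroidManifest.xml jadx writes out) produces and applies a few heuristics derived from the descriptions above. The embedded manifest is constructed to look like a dropper-delivered banking trojan; the package name `com.pdf.reader.free` and the rule thresholds are assumptions for the example.

```python
"""Manifest-level static triage of a pulled APK (added example, not the page's tooling)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Namespace-qualify an android: attribute name for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest: a 'PDF reader' that wants overlay + SMS + accessibility
# + device admin, and can install further packages. Package name is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.pdf.reader.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Reader">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def profile(manifest_xml: str) -> dict:
    """Extract the manifest facts the heuristics below care about."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # a device-admin receiver is a <receiver> guarded by BIND_DEVICE_ADMIN.
    acc = [s.get(a("name")) for s in root.iter("service")
           if s.get(a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    admin = [r.get(a("name")) for r in root.iter("receiver")
             if r.get(a("permission")) == "android.permission.BIND_DEVICE_ADMIN"]
    launcher = any(c.get(a("name")) == "android.intent.category.LAUNCHER"
                   for c in root.iter("category"))
    return {"package": root.get("package"), "permissions": perms,
            "accessibility_services": acc, "device_admin_receivers": admin,
            "has_launcher_icon": launcher}


def classify(p: dict) -> list[str]:
    """Map manifest facts onto the behaviour patterns described for each family.
    Heuristic only: a runtime-hidden icon (setComponentEnabledSetting) is not
    visible here, so 'hidden icon' only catches apps that never declared one."""
    tags = []
    perms = p["permissions"]
    has_acc = bool(p["accessibility_services"])
    has_admin = bool(p["device_admin_receivers"])
    sms = bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    if has_acc and "android.permission.SYSTEM_ALERT_WINDOW" in perms and sms:
        tags.append("banking-trojan pattern: accessibility + overlay + SMS interception")
    if has_acc and "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        tags.append("dropper pattern: accessibility + can install further packages")
    if has_admin and not p["has_launcher_icon"]:
        tags.append("stalkerware pattern: device admin + no launcher icon")
    if has_acc and has_admin:
        tags.append("full control: accessibility + device admin (can approve its own prompts)")
    return tags


if __name__ == "__main__":
    facts = profile(SAMPLE_MANIFEST)
    print(facts["package"])
    for tag in classify(facts):
        print(" -", tag)
```

Treat the tags as a prioritisation aid for the jadx pass, not a verdict: a legitimate password manager also declares an accessibility service, and the point is the combination, which is why a banking credential rotation follows a banking-trojan tag regardless of what the decompiled code turns out to do.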
Hands-On Tutorial: First-Hour Android Triage
Run this checklist before a factory reset, in this order. It will surface most consumer stalkerware and account compromises, and preserve evidence for a forensic handover.
- Disable Wi-Fi and mobile data and leave Bluetooth off, so nothing can be exfiltrated or remotely wiped while you work
- Settings → Apps → 'Show system' → screenshot the full list, sort by 'Last used'
- Settings → Accessibility → installed services → screenshot, then disable everything except the Google accessibility services you actually use (TalkBack, Switch Access)
- Settings → Security → Device admin apps → deactivate anything not from Google or your employer's MDM
- Settings → Apps → Special access → 'Display over other apps' and 'Usage access' → revoke aggressively
- Open Play Protect → Scan → screenshot the result
- myaccount.google.com → Security → 'Your devices' and 'Recent security activity' → sign out of unknown sessions
- Rotate the Google password from a different, trusted device
- Take an adb backup before the factory reset so a forensic team can analyse it later; adb backup is deprecated and on Android 12+ captures little app data, so keep the screenshots and the adb command output as well
```shell
# Quick personal triage, works on any Android with USB debugging
$ adb devices
$ adb shell pm list packages -3                                 # third-party packages
$ adb shell settings get secure enabled_accessibility_services
$ adb shell dumpsys device_policy | grep ComponentInfo          # active device admins
$ adb shell dumpsys package com.suspect.app | grep -E 'permission|admin'
# Preserve evidence before resetting (adb backup is deprecated and captures little app data on Android 12+; still worth taking)
$ adb backup -apk -shared -all -f pre-reset-backup.ab
$ shasum -a 256 pre-reset-backup.ab > pre-reset-backup.sha256
```
After the Recovery: Locking Android Down
Once the device and account are clean, the goal is to make re-infection economically unattractive to the attacker. Most stalkers and opportunistic criminals will move on if the cost of re-entry exceeds a few hours of effort.
Enable Google Advanced Protection Program. It enforces hardware-key 2FA, restricts non-Google apps' access to your Gmail and Drive data, and tightens download scanning. The trade-off is that most third-party mail clients lose access to the account; for at-risk users this is a feature, not a bug.
Lock the bootloader. If you unlocked it during forensics or for custom ROM work, relock it before returning to daily use (relocking wipes the device again, so do it before restoring your data). With the bootloader unlocked, thirty seconds at a USB port is enough to flash a backdoored boot image; a locked bootloader plus verified boot pushes the attacker back to needing an exploit or far longer physical access, and that is a deterrent.
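Whether the relock actually took is visible in the boot properties the phone reports over adb. The check below is an added example, not the page's own script: it parses the `[name]: [value]` lines that `adb shell getprop` prints and reports anything that leaves the device easier to re-implant. The two property dumps are constructed (one as the phone might come back from forensics, one as it should look before hand-back); the property names are the standard ones Android exposes.

```python
"""Post-recovery boot-state check from `adb shell getprop` output (added example)."""
import re

# Constructed: a phone still unlocked after forensics or ROM work.
STILL_UNLOCKED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.type]: [user]
[ro.debuggable]: [0]
"""

# Constructed: the state you want before handing the phone back.
RELOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
[ro.build.type]: [user]
[ro.debuggable]: [0]
"""


def parse_getprop(text: str) -> dict[str, str]:
    """Turn getprop's '[key]: [value]' lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]: \[([^\]]*)\]$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def boot_findings(props: dict[str, str]) -> list[str]:
    """List the reasons the device is not in the locked, verified state.
    green = locked, booting an OEM-signed image; yellow = locked, booting an
    image signed with a user-set key; orange = bootloader unlocked."""
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "unknown")
    if state != "green":
        findings.append(f"verified boot state is '{state}', expected 'green'")
    if (props.get("ro.boot.flash.locked") == "0"
            or props.get("ro.boot.vbmeta.device_state") == "unlocked"):
        findings.append("bootloader is unlocked: a flashed boot image needs no exploit")
    if props.get("ro.debuggable") == "1" or props.get("ro.build.type") != "user":
        findings.append("debuggable or non-user build: adb root is available")
    return findings


if __name__ == "__main__":
    for label, dump in (("before relock", STILL_UNLOCKED), ("after relock", RELOCKED)):
        print(label, boot_findings(parse_getprop(dump)) or ["clean"])
```

Run it against `adb shell getprop` captured from the phone you are about to hand back; an empty finding list is the acceptance criterion for this step.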
Move authentication off SMS. Use Google Authenticator with cloud sync disabled, or better, a hardware FIDO2 key. SIM swap is a particularly serious threat to a recovered user because the attacker already has your phone number from the previous compromise, and any account that still falls back to SMS codes is one port-out away.
Audit OAuth grants quarterly. myaccount.google.com → Security → 'Third-party apps with account access'. Attackers frequently add a benign-looking 'calendar sync' app during the original compromise, and it survives password rotation because OAuth grants are not tied to the password.
$ Open a secure channel. PGP preferred. Pre-engagement NDA available on request. Ready to proceed?