Worried your Android has picked up some malware? This practical guide walks you through exactly what to do next: how to check your phone for malware, and how to remove it. No paid tools, no jargon, no guesswork.

Before you download a ‘virus cleaner’, read this

Your first instinct when noticing a potential sign of infection may be to search “virus cleaner” on the Google Play Store. But this in itself is a malware risk.

Malicious apps are common on the Play Store. In 2025 alone, Google blocked 1.75 million policy-violating apps(nouvelle fenêtre) from the platform and identified 27 million new malicious apps from outside the ecosystem. Fake antivirus and “cleaner” apps are among the most common disguises.

If you’ve already downloaded an unvetted virus cleaner, don’t worry: whatever malware is on your Android should be uncovered and eliminated by the five steps below.

Five steps to remove malware from Android

Screenshots in this guide are taken on a Pixel running Android 16. The steps are the same on other Android devices (10–15), but menu labels may differ slightly. 

Samsung users in particular may find some paths labelled differently. Where this applies, we’ve noted the Samsung equivalent.

Step 1: Run a Play Protect scan

Play Protect automatically scans Android devices for malware, but some users accidentally turn it off, or are advised to by dubious sources online. Before running a scan, confirm it’s actually enabled.

To check:

  • Open Google Play Store → tap your profile icon → tap Play Protect → tap the Settings icon (gear, top right) → confirm Scan apps with Play Protect is toggled on

Now run the scan:

  • Open Google Play Store → tap profile icon (top right) → Play ProtectScan

If you’ve sideloaded (i.e. downloaded apps from outside the Play Store), you can enable Improve harmful app detection on the Play Protect settings screen for a more thorough scan. 

Note: This will automatically send unrecognized apps to Google while it’s active. If you’d prefer not to share this data on an ongoing basis, turn it off again once the scan’s completed.

Step 2: Check for operating system (OS) updates

Malware often exploits vulnerabilities in outdated software. If your OS or security patches are behind, an infection you’ve just cleaned can re-establish itself through the same gap (or a new one can get in while you’re dealing with the first).

  • Pixel: SettingsSystemSoftware updates
  • Samsung: SettingsSoftware updateDownload and install
  • Other devices: look for a System or Software update option under Settings

If you see something like “Your system is up to date” (as showed below on a Samsung device), move on to step three. Otherwise, install the available update before continuing.

Step 3: Find and remove suspicious apps

Play Protect flags known threats. This step is how you catch anything it may have missed: apps submitted clean and later updated to behave maliciously, or data-harvesting apps that don’t meet the threshold for a malware classification.

Tap SettingsAppsSee all apps. (Samsung users may see all apps listed by default without a secondary tap as shown in the second screenshot.)

Look for:

  • Apps you don’t recognize
  • Apps with generic system-sounding names (e.g. “System Service”, “Phone Manager”)
  • Apps installed around the time problems started (tap each app to see its install date)

If you find something suspicious, tap the app → Uninstall.

If Uninstall is greyed out, the app may have device admin privileges. Go to SettingsSecurity & privacyMore security and privacyDevice admin apps.

Revoke its privileges, then return to uninstall it.

To revoke device admin privileges for an app on a Samsung device, open Settings Security and privacy More security settings.

Tap Device admin apps (sometimes listed as “Other security settings” → “Device admin apps”) and you’ll see a list of apps with device admin privileges.

Choose the app you want to revoke admin privileges for → Tap Deactivate (or toggle it off)

You may get a warning about what that app can no longer do (e.g., remote wipe, enforce passwords) — confirm to proceed

If an app still won’t uninstall even with admin privileges revoked, boot your device into safe mode.

In safe mode, only system apps can run; third-party apps can’t, and so can’t block their own removal.

To enter safe mode:

  • Press and hold the power button → press and hold Power off until “Reboot to safe mode” appears → tap OK

Note: the exact method varies by device. On some Samsung models, you need to tap and hold Power off on screen rather than holding the physical button as seen below.

If neither works, Google “safe mode” and your device model.

Once in safe mode, attempt the uninstall again using the same Settings → Apps → See all apps path. To exit safe mode, restart your device normally.

Step 4: Run a secondary scan with a free (and trusted) tool

If the first three steps haven’t resolved the issue, it’s time to run a secondary scan with a trusted tool.

As flagged above, many “scanner” apps are themselves malicious. We recommend Malwarebytes (which you can download from Play Store(nouvelle fenêtre)). It’s recommended by security researchers, consistently well-rated, and the free version is sufficient for a one-off scan.

Just make sure that the Malwarebytes you’ve found is authentic before installing: the developer name (which appears in blue text directly beneath the main app title and rating) should be Malwarebytes.

Check Developer contact or App support for the developer’s official contact email, physical address, and a link to their website. and the website should be malwarebytes.com(nouvelle fenêtre).

Once installed: open Malwarebytes → run a scan (this typically takes 5–20 minutes) → tap Quarantine to remove any detected threats. 

Step 5: Run a security checkup

Your device should now be clean, but the infection may have already compromised your account access by intercepting credentials, reading SMS messages, or logging keystrokes. 

To confirm that your Google account hasn’t been compromised, go to myaccount.google.com/security-checkup(nouvelle fenêtre) and work through the following:

  • Check for unfamiliar devices signed into your account
  • Revoke access for any third-party apps you don’t recognize
  • Review recent security activity for anything suspicious

Change passwords for any accounts (Google or otherwise) that may have been exposed. 

If all else fails: factory reset

A factory reset wipes your device completely and should only be attempted once you’ve worked through all five steps above. It’s effective, removing even the most deep-rooted infections, but it’s also irreversible

Everything not backed up will disappear, so before you reset, back up photos and files to cloud storage (Proton Drive or equivalent).

Once the reset is complete, do not restore from a full backup — this may reintroduce the malware you just removed. Instead, reinstall trusted apps manually from the Play Store.

Follow these instructions:

  • Pixel: SettingsSystemReset optionsErase all data (factory reset)
  • Samsung: SettingsGeneral managementResetFactory data reset

The reset options screen on a Pixel

The reset options screen on a Samsung

How to prevent malware infecting your device again

You may not be able to identify exactly how malware got onto your device. Here are some ways to stop it happening again:

  • Keep your OS and apps updated: outdated software is one of the most common entry points, as covered in step two above
  • Be careful what you install: stick to the Play Store, check developer names and reviews before installing, and be especially wary of free utility apps. Our full checklist on malicious Play Store apps covers what to look for before you tap Install
  • Use a VPN on public WiFi: unsecured networks are a common vector for credential interception. Proton VPN is a secure VPN(nouvelle fenêtre) that encrypts your connection so your traffic can’t be read in transit
  • Use unique passwords for each account: if malware exposed one password you’ve reused across accounts, every one of those accounts is now at risk. Proton Pass is a secure password manager that generates and stores unique passwords so one breach doesn’t turn into ten.