Hey everyone, so I have been noticing some weird stuff on my phone lately. Battery draining super fast, phone getting warm even when I am not using it, and some apps I never downloaded showing up. A friend told me it might be a keylogger. I want to know how to actually detect one, remove it, and make sure it does not happen again. Any help would be great. Thanks!
Just want to add a couple of things that did not come up yet. One is DNS-level blocking. Apps like NextDNS or AdGuard DNS work at the network layer, which means even if something shady is on your phone, it may not be able to send data anywhere if the destination domain is on a blocklist. It is not a replacement for removing the malware but it adds a useful layer of protection.
The other thing is Google Play Protect, which a surprising number of people have turned off or never checked. Go to Settings > Security > Google Play Protect and make sure it is active. It runs background scans on your installed apps and flags anything that starts behaving oddly. Not perfect but it catches a lot of common stuff passively without you doing anything.
And just as a final note, I want to echo what TechLiftPro said about the human side of this. If you are asking this question because you have a specific reason to think someone in your life did this to you on purpose, please do not just stop at the technical fix. Get your accounts secured, yes. But also take care of yourself in the broader sense. Digital safety and personal safety are connected and both matter. Stay safe everyone.
WesleyHunter hope you get it all sorted out. This thread has everything you need!
On Android, keyloggers usually come as malicious APKs, modified system apps, or apps that abuse Accessibility Services. On iOS, it is harder because of the sandboxed environment, but jailbroken devices are very much at risk. On Windows, they often come bundled with freeware or phishing downloads. Here’s how you can detect it depending on your device.
Detecting on Android
Step 1: Check Accessibility Services
Go to Settings > Accessibility > Installed Services or Downloaded Apps. If you see an app there that you do not recognize, that is a red flag. Keyloggers commonly abuse Accessibility to read screen content.
Step 2: Review Device Admin Apps
Go to Settings > Security > Device Admin Apps. No third-party app should have admin access unless it is a legitimate MDM tool from your employer.
Step 3: Check Battery Usage
Settings > Battery > Battery Usage. Look for unknown apps that are constantly consuming battery in the background.
Step 4: Check Data Usage
Settings > Network > Data Usage. A keylogger needs to send your data somewhere, so unexpected data use by an unknown app is suspicious.
Step 5: Review App Permissions
Go to Settings > Privacy > Permission Manager. Look for apps that have access to Microphone, Camera, or Accessibility that you did not authorize.
Step 6: Use a Security Scanner
Run Malwarebytes for Android or Bitdefender. These can flag known keylogger signatures.
Detecting on iOS
iOS is generally more locked down, but there are still risks. If your device is jailbroken, a keylogger can be installed via Cydia. On a non-jailbroken device, MDM profiles are the main concern.
- Go to Settings > General > VPN and Device Management. Any unknown profile here is suspicious.
- Check for unknown apps with Screen Time or Accessibility access.
Detecting on Windows
- Open Task Manager and look for unfamiliar processes under the Processes tab.
- Check Startup apps via Task Manager > Startup or msconfig.
- Run Windows Defender or Malwarebytes full scan.
- Check installed programs via Control Panel > Programs and Features for anything you did not install.
Removal
- Android: Uninstall the suspicious app, revoke Accessibility and Admin access first, then factory reset if still unsure.
- iOS: Remove the MDM profile, or restore via iTunes if jailbroken.
- Windows: Use Malwarebytes to quarantine, then uninstall via Programs and Features.
Prevention
- Never install APKs from outside the Play Store.
- Keep your OS and apps updated.
- Use a strong screen lock.
- Regularly audit app permissions.
- Do not connect to untrusted public Wi-Fi without a VPN.
Hope this gives you a full technical breakdown WesleyHunter. The Accessibility Services check is the first thing I always do on Android.
Let me explain it to you a little bit so you can understand the full picture. Most Android keyloggers do not behave like the ones you hear about on desktops. Android sandboxes each app, so a keylogger cannot just hook into kernel-level keypress handlers unless the device is rooted or a vulnerability is being exploited. The most practical attack vector is abusing the Accessibility Services API, which was built to help users with disabilities but also gives any app that uses it the ability to read every element on screen, including text fields and password inputs.
ADB-Based Detection
If you have Android Debug Bridge set up on your PC, connect your phone and run:
adb shell dumpsys accessibility
This outputs every service currently using Accessibility on the device. Cross-reference the results against your installed apps. Anything unfamiliar is worth a deep look. You can also run:
adb shell pm list packages -f
This lists every installed package and its APK path. Hidden malware sometimes shows up here even when it does not appear in the app drawer.
Running Services
Enable Developer Options by tapping Build Number seven times in About Phone. Then go to Developer Options > Running Services. Every active background service will be visible. A keylogger almost always runs a persistent service to capture and queue data for transmission.
Network Traffic Analysis
If your router supports traffic logging, you can review outbound connections from your phone. Alternatively, apps like NetGuard or PCAPdroid let you capture and inspect network packets directly on the device. Regular outbound connections from an unknown app to a remote IP, especially on non-standard ports, are a strong indicator of data exfiltration.
iOS MDM Profile Monitoring
For iPhones enrolled in corporate or school management, MDM profiles can technically allow administrators to monitor device activity. Check Settings > General > VPN and Device Management for any profile you did not install. If you are using a personal iPhone with a work MDM profile, check with your employer about what data is being logged.
Windows Registry Check
Keyloggers on Windows typically persist via the registry. Open regedit and check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the equivalent HKLM path. Look for entries pointing to file paths in temp directories or AppData subfolders. These are common persistence locations for malware.
When to Factory Reset
The factory reset is the most reliable option when nothing else works. Back up contacts and photos first, then reset. When restoring, do not use a full system backup as it can restore the malware along with your data. Re-install apps manually from the Play Store one at a time. And change all your passwords from a separate clean device before logging into anything post-reset.
Great breakdown from both PixelPioneer23 and NerdNode44. One thing I want to flag that most people completely overlook: the keyboard app itself can be the keylogger.
On Android your keyboard has permission to see everything you type by design. That is just how input works. So if someone swapped your default keyboard to a shady third-party one, they literally have a direct feed to every message, every password, every search you make. Go to Settings > General Management > Keyboard List and Default right now and check what is set as your default. It should be Gboard or your phone’s stock keyboard. If it is something you do not recognize, that is the problem.
I know a guy who bought a second-hand phone and the person before him had installed a custom keyboard with some logging baked in. He used that phone for two months before noticing. His email and two social accounts got into someone else’s hands during that time. He had no idea until he started getting password reset emails he never asked for. Point is, keyboard apps are the sneakiest delivery method because the system grants them input access on purpose. Always worth a quick check.
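The ADB cross-reference of Accessibility services against installed packages and the default-keyboard check from the two posts above can be scripted from a PC. This is an added example, not part of the original posts: it assumes the enabled services and keyboard are read with `adb shell settings get secure enabled_accessibility_services` and `default_input_method` rather than by parsing `dumpsys accessibility`, and the sample data and `com.example.*` package names are constructed.

```python
import subprocess

# Partitions that hold preinstalled apps; anything else (normally /data/app) was installed later.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

def adb(*args):
    """Run an adb shell command and return its text output (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_packages(pm_output):
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # The path may itself contain '=', so split on the last one only.
        path, _, name = line[len("package:"):].rpartition("=")
        packages[name] = path
    return packages

def parse_components(setting_value):
    """Turn a colon-separated list of 'package/ServiceClass' entries into package names."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [c.split("/", 1)[0] for c in value.split(":") if c]

def audit(pm_output, accessibility_value, keyboard_value):
    """Return (role, package, apk_path) for each service that is not a preinstalled app."""
    packages = parse_packages(pm_output)
    roles = [("accessibility", p) for p in parse_components(accessibility_value)]
    roles += [("keyboard", p) for p in parse_components(keyboard_value)]
    findings = []
    for role, pkg in roles:
        path = packages.get(pkg)
        if path is None:
            findings.append((role, pkg, "not in package list"))
        elif not path.startswith(SYSTEM_PREFIXES):
            findings.append((role, pkg, path))
    return findings

# Constructed sample data (hypothetical package names), used when no phone is attached.
SAMPLE_PM = """\
package:/product/app/LatinIMEGooglePrebuilt/LatinIMEGooglePrebuilt.apk=com.google.android.inputmethod.latin
package:/data/app/~~Qx1==/com.example.flashlight-Zk2==/base.apk=com.example.flashlight
package:/data/app/~~Ab3==/com.example.fancykeys-Lm4==/base.apk=com.example.fancykeys
"""
SAMPLE_A11Y = "com.example.flashlight/com.example.flashlight.HelperService"
SAMPLE_IME = "com.example.fancykeys/.KeyboardService"

if __name__ == "__main__":  # live run against a connected phone with USB debugging on
    for finding in audit(adb("pm", "list", "packages", "-f"),
                         adb("settings", "get", "secure", "enabled_accessibility_services"),
                         adb("settings", "get", "secure", "default_input_method")):
        print(*finding, sep="\t")
```

A finding is a list of things to review, not proof of malware: a preinstalled app that has been updated from the Play Store also moves under /data/app.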
ByteNavigator the second-hand phone thing is so real and honestly I feel like nobody talks about it enough. When phones get resold without a proper wipe, whatever was on them before stays on them. I have seen cases where the malware was sitting in the system partition, which means even doing a factory reset from the settings menu would not remove it. The only fix in those cases is flashing the original firmware directly from the manufacturer.
That said, most people reading this are probably not dealing with that level of situation. For the average person, the symptoms WesleyHunter is describing, which is the warmth, the battery drain, and the mystery apps, those usually point to something much more ordinary like a bad third-party app that got installed without much thought.
The simplest test I always recommend is booting into Safe Mode. Hold the power button, then long press the Power Off option and it should ask you if you want to restart in Safe Mode. In that mode, only the apps that came with your phone will run. If the battery drain and heat stop in Safe Mode, you know for certain it is a third-party app causing the issue, not a system-level problem. That narrows it down a lot before you go digging through settings.
Okay I am coming at this from a completely different angle because I am a parent and this stuff keeps me up at night sometimes.
A few months back, my daughter’s phone started acting exactly like what WesleyHunter described. Hot all the time, battery dying way faster than usual. She handed it to me like it was no big deal and I immediately went into investigation mode. Turned out it was not a keylogger but an app that had somehow gotten microphone and contacts access and was running in the background constantly. She had no memory of installing it and said one of her friends may have used her phone at school for a few minutes.
That whole experience made me start doing monthly permission checks on all the family devices. On Android you go to Settings > Privacy > Permission Manager and just go through the list, microphone, camera, contacts, location, one by one. If the calculator app or some random game shows up under microphone access, something is very wrong. On iPhone the same thing is under Settings > Privacy and Security.
It only takes about ten minutes and it has already caught two sketchy apps on my kids' devices in the past year. You do not need to understand all the technical stuff to do this check. You just need to know what apps you installed yourself and question anything that does not belong.
DevSyncer that parental perspective really hits different because it is a reminder that not every keylogger situation is some hacker targeting you from across the world. Sometimes it is just someone who had physical access to your phone for five minutes.
For iOS parents specifically, there is an app called Certo Mobile Security that does a nice job showing what has access to what on iPhones without needing to understand all the underlying settings. It lays things out in plain language which is helpful if you are not super technical.
For the more technically curious people in the thread, if you have Developer Mode on, you can stream your Android system logs through ADB and filter for anything that looks like keyboard or accessibility activity. It is not something a casual user needs to do but if you want to go deep it gives you a very raw look at what is happening inside the device in real time. Most legit apps will not be making suspicious calls in those logs. If something is writing or reading input in ways that do not match what the app is supposed to do, it will stick out.
I work in mobile QA so I want to gently pump the brakes here and say: battery drain and a warm phone are not automatically signs of a keylogger. I see people jump to that conclusion a lot and it stresses them out unnecessarily.
Those same symptoms can come from a poorly coded app that has a memory leak, a social media app doing aggressive background sync, a widget refreshing too often, or even just your phone getting old and the battery degrading. I have had brand new phones run warm just because of background app updates happening all at once.
The Safe Mode test that CloudKernel11 mentioned is genuinely the smartest starting point before assuming the worst. If your phone runs perfectly fine in Safe Mode, you have a third-party app issue and you can work backwards from there. If it still drains and runs hot in Safe Mode, it is more likely a system-level issue, maybe a rogue system update, a hardware problem, or in rare cases something deeper.
Start with the boring explanations first. Most of the time that is what it is. The keylogger scenario is real but it is not the most common reason your battery is dying.
NexaByte43 okay this is reassuring because I went through almost this exact panic a while back and it turned out to be way less dramatic than I feared.
My phone was hot every single morning when I woke up, battery going from like 80 percent to 20 overnight while it just sat on my nightstand. I was convinced something shady was going on. Told my roommate and she immediately said check what was installed recently.
So I went into Settings, opened Apps, and sorted by install date. There was an app sitting there from about three weeks before the problems started that I genuinely could not place. I looked it up and it was some adware thing that a website had pushed onto my phone when I visited it without me realizing. Not technically a keylogger but it was definitely running in the background doing things it had no business doing.
Deleted it, ran a quick Malwarebytes scan, cleared the cache on my other apps just to be safe, and within a day the phone was back to normal. Moral of the story: sorting your apps by install date when something feels off is such a simple trick and it does not require any tech knowledge at all. Just look for what showed up around the same time your problems started.
I see a lot of Android focus here which makes sense given the question, but let me add more detail on the Windows side since keyloggers are actually way more common there and people often have no idea.
Windows keyloggers typically enter via:
- Phishing email attachments (fake invoice PDFs, ZIP files)
- Cracked software downloads
- Fake browser extension updates
- Bundled freeware installers
Detection steps on Windows 10 and 11:
Step 1: Open Task Manager (Ctrl+Shift+Esc) > Details tab. Sort by CPU or Memory. Right click any unknown process > Open File Location. If it is pointing to a temp folder or AppData folder, that is suspicious.
Step 2: Run netstat -ano in Command Prompt. This shows all active network connections and the PID of the process making them. Cross-reference PIDs with Task Manager to identify the app sending data out.
Step 3: Check Startup Items in Task Manager > Startup tab. Disable everything you do not recognize.
Step 4: Download and run Malwarebytes free version. Do a full scan not a quick one.
Step 5: If you find something, do not just delete it. Use Malwarebytes to quarantine it, then restart, then scan again to confirm removal.
For prevention on Windows: use a standard user account for daily tasks, not an admin account. Most keyloggers need admin rights to install properly.
CoreBuilds the invoice email thing is the one that gets the most people because it looks so normal. The email looks real, the attachment name sounds like something you would actually receive, and by the time you realize it is wrong the damage is done.
Building on the netstat point, if you run netstat -ano in Command Prompt it will show you the process ID next to each connection. You can then cross reference that ID in Task Manager to see exactly which program is making that connection. If a program you do not recognize is making regular outbound connections to some IP you have never heard of, you can look up that IP on a site like abuseipdb.com and see if it has been reported for anything malicious.
Also worth mentioning for anyone using a work phone with a company-installed management profile: those profiles can have quite a bit of monitoring capability built in depending on what your IT team configured. That is legal and normal for company-owned devices. But if you put a work MDM profile on your personal phone, you should be aware of what data that profile can access. It is not the same as malware but it is worth knowing about.
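The netstat cross-reference described in the two posts above (PID from `netstat -ano`, matched to a program name) can be done in one pass. This is an added example, not part of the original posts: it assumes `tasklist /fo csv /nh` as the source of PID-to-name mapping instead of Task Manager, treats only ports 80 and 443 as standard, and uses constructed sample output with a hypothetical `updater32.exe`.

```python
import csv
import io
import ipaddress
import subprocess
from collections import defaultdict

# Treated as local: RFC 1918, loopback and link-local ranges (IPv4 and IPv6).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
COMMON_PORTS = {80, 443}  # assumption: what counts as a "standard" port here

def split_endpoint(endpoint):
    """Split '1.2.3.4:443' or '[fe80::1%12]:443' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def is_local(addr):
    return addr.is_unspecified or any(addr in net for net in LOCAL_NETS)

def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(csv_text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def outbound_by_process(netstat_text, tasklist_csv):
    """Group established TCP connections to non-local addresses by (PID, program)."""
    names = parse_tasklist(tasklist_csv)
    report = defaultdict(list)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue  # header, UDP and listening sockets
        addr, port = split_endpoint(f[2])
        if is_local(addr):
            continue
        pid = int(f[4])
        note = "" if port in COMMON_PORTS else "non-standard port"
        report[(pid, names.get(pid, "unknown"))].append((str(addr), port, note))
    return dict(report)

# Constructed sample output; remote addresses are from documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     4312
  TCP    192.168.1.20:49712     198.51.100.7:443       ESTABLISHED     5208
  TCP    192.168.1.20:49733     203.0.113.45:8443      ESTABLISHED     6120
  TCP    192.168.1.20:49734     192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    2200
"""
SAMPLE_TASKLIST = '''\
"System","4","Services","0","144 K"
"msedge.exe","5208","Console","1","212,340 K"
"updater32.exe","6120","Console","1","8,112 K"
'''

if __name__ == "__main__":  # live run on Windows
    net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tasks = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    for (pid, name), conns in outbound_by_process(net, tasks).items():
        print(pid, name, conns)
```

Running it a few times over several minutes shows which programs keep a connection open to the same remote address, which is the pattern worth looking up.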
TechSphereX bringing up MDM is an important point. I have seen this confuse people so many times. They think they have a keylogger when really it is just a work profile their employer set up.
Key difference: an MDM profile will show up clearly in Settings > General > VPN and Device Management on iOS, or Settings > Accounts on Android. It is not hidden. A malicious keylogger tries to hide itself.
Now, if you are really worried and want to go scorched earth on Android, here is the full process:
- Back up your contacts and photos to Google Drive or manually to a computer.
- Go to Settings > Backup > Back Up Now (for contacts, Drive, etc.).
- Go to Settings > General Management > Reset > Factory Data Reset.
- Set up phone fresh, do not restore from a backup image as that may restore the malware.
- Re-download apps one by one from the Play Store only.
- Change all your passwords from a clean device first before logging in anywhere.
Step 6 is the one people forget. If a keylogger was running and you reset your phone but then log into your accounts with the same passwords, the attacker already has those passwords. Change them first.
ModTechLab the password reset step is something I cannot stress enough and almost nobody does it in the right order.
Think about it this way. If a keylogger was running on your phone for two weeks and recording everything you typed, the person on the other end already has your passwords. Resetting your phone removes the keylogger but it does not change the fact that your credentials are already out there. If you reset the phone and then log back into your accounts using the same passwords, you are still vulnerable.
So the order matters. Clean the device first or borrow a trusted one. Change your passwords there. Start with your email because that is the master key to everything else. Then your bank and payment apps. Then your main social accounts. Use long, unique passwords for each one and do not reuse them.
While you are at it, set up two-factor authentication using an authenticator app rather than SMS. Google Authenticator and Authy are both solid. The reason to avoid SMS is that it can be intercepted through a SIM swap attack, which is a separate issue but worth knowing about. With an authenticator app, even if someone has your password, they still cannot get into your account without the code that rotates on your phone every 30 seconds. It is an extra layer that takes about five minutes to set up and genuinely changes your security situation.
Okay real talk from someone who is actually a teenager and has watched this exact thing happen in my friend group multiple times.
Honestly the way most people our age end up with sketchy stuff on their phones is not from some sophisticated hacker. It is from one of three very avoidable situations. It is almost always from one of these three things:
- Downloading a modded game APK from a random site because you wanted free coins or unlocked features
- Someone you know (ex, “friend,” whoever) physically had your phone for a few minutes and installed something
- Clicking a link in a DM that said “you have to see this” or “claim your free gift”
For the modded APK situation: please just do not. I know it is tempting but those sites bundle all kinds of stuff in those APKs. The free gems are not worth it.
For the physical access situation: if you think someone you know put something on your phone, check the app install dates (Settings > Apps, sort by last updated or install date). Anything installed on a day when someone had your phone is a huge red flag.
For the link situation: if you already clicked it, run Malwarebytes immediately and check your Accessibility Services like PixelPioneer23 said at the top.
Also just lock your phone properly. A 6-digit PIN minimum, biometric is even better. Do not use pattern locks, those are way too easy to figure out.