Hey everyone, so I got a new job at a logistics company three months ago. My manager handed me a company Android phone for work use. Lately I noticed my phone battery draining super fast, random overheating, and some apps I never installed showing up. A friend told me it might be a keylogger. Now I am not pointing fingers but I just want to know what is on my device.
Would love input from people who actually know this stuff. Drop everything you know below.
Alright, let me walk you through this properly. There are several ways to check and here is a full process you can follow right now.
Step 1: Check installed apps
Go to Settings > Apps > See all apps. Look for anything you do not recognize. Keyloggers often disguise themselves as system utilities with names like “System Service” or “Device Health Monitor.”
Step 2: Review app permissions
Go to Settings > Privacy > Permission Manager. Check which apps have access to:
- Accessibility services
- Microphone
- Camera
- Contacts
- Storage
Any app with Accessibility access that you did not install yourself is a red flag. Keyloggers use Accessibility APIs to record keystrokes.
Step 3: Check Accessibility Services directly
Settings > Accessibility > Installed Services or Downloaded Apps. If anything unfamiliar is listed here with “on” status, that is suspicious.
Step 4: Monitor data usage
Settings > Network > Data Usage. Look for unknown apps sending data in the background. A keylogger has to send recorded data somewhere, so it will show outgoing data usage even when you are not actively using it.
Step 5: Check running processes
Download an app like CPU Monitor or use ADB if you have developer access. Run the command:
adb shell ps -A
This lists all running processes. Cross reference anything you do not recognize with a Google search.
Step 6: Battery and performance
Settings > Battery > Battery Usage. If a process you do not know is consuming battery at the top of the list, flag it.
Do all six steps before assuming anything. That gives you a real picture.
So I had something similar happen on a shared family tablet and let me tell you, it was annoying to figure out at first. What ended up helping me was a mix of the steps above and a few extra confirmation tricks.
How to Detect an Android Keylogger on My Phone Quickly
After you run through the basic checks, here is how you confirm your suspicions:
Confirmation Trick 1: Use a network monitoring app
Install NetGuard or PCAPdroid from the Play Store. These let you see exactly which app is connecting to which server and when. A keylogger will make periodic outbound connections to an external IP. If you see an unknown app doing this while your screen is off, that is a strong sign.
Confirmation Trick 2: Check Google Play Protect logs
Go to Play Store > Profile icon > Play Protect > Scan. It will flag known malicious apps. Not foolproof, but a useful second check.
Confirmation Trick 3: Use Wireshark via USB
If you want to go deeper, connect your phone to a PC running Wireshark and enable USB tethering. You can see all outbound traffic from your phone in real time.
One process nobody mentioned yet: Check your keyboard app itself.
Go to Settings > General Management > Keyboard List and Default. If there is a keyboard you did not set as default, or one you do not recognize, remove it immediately. Third party keyboards can function as keyloggers at the input level without needing Accessibility access at all.
That last one gets missed a lot.
Jumping in here because I think the legal side of this matters a lot for your situation specifically.
Since this is a company issued phone, the legal picture is different from a personal device. In most countries, including the US, UK, and many parts of Asia and Europe, employers are legally allowed to monitor activity on company owned devices as long as:
- You were informed about it in your employment contract or an acceptable use policy
- The monitoring is proportionate to the business purpose
- It does not extend to personal activity on personal devices
So before you do anything, check your employment contract and any IT policy documents you signed at onboarding. There is a real chance the monitoring software, if it exists, was disclosed somewhere in the fine print.
What employers generally cannot do:
- Install software on your personal phone without consent
- Monitor personal accounts even on a company device in some jurisdictions
- Use surveillance tools outside of declared business hours in some EU countries (GDPR implications)
What this means for you practically:
- If it is a company device, there likely is monitoring software, and that may be legal
- You have a right to ask your HR or IT department what monitoring software is installed
- If you are in the EU, you can file a Subject Access Request to find out what data is being collected on you
Removing software from a company device without permission could also be a policy violation, so tread carefully here. Talk to HR first if you can.
CoreBuilds makes a solid point. Let me add the employer angle more specifically because this comes up all the time in corporate IT.
Most mid to large companies use MDM, which stands for Mobile Device Management. Common platforms include:
- Microsoft Intune
- VMware Workspace ONE
- Jamf (more Apple focused but used on Android too)
- MobileIron
These are not technically keyloggers but they can:
- Track location
- Monitor app installations
- Read work emails and messages
- Remotely wipe the device
- Enforce password policies
How to tell if your phone has MDM installed:
- Go to Settings > Accounts (or General Management > Accounts)
- Look for a “Device Admin Apps” or “Device Policy” entry
- Settings > Biometrics and Security > Device Admin Apps; this will show if any MDM profile has administrative rights
If you see your company name or an MDM platform name listed there, that is the monitoring tool. It is standard practice and almost certainly disclosed in your employment agreement.
The difference between legitimate MDM and actual malware is important. MDM is managed by your IT department and typically does not record keystrokes in real time. Actual keyloggers are third party installs that send data to unknown servers.
So run the network checks Byteforge44 mentioned alongside the Device Admin check. If you see an unknown admin app AND unknown outbound traffic, that is a different situation from a standard corporate MDM setup.
Good discussion going on here. I want to add the preventative side because detection is only half the battle.
Preventative Measures to Avoid Keyloggers on Android
- Keep your OS updated
Go to Settings > Software Update. Android security patches close vulnerabilities that keyloggers use to install themselves silently. Running an outdated version is one of the biggest risk factors.
- Never sideload APKs from unknown sources
Settings > Apps > Special App Access > Install Unknown Apps. Make sure this is off for every app. Keyloggers very commonly come bundled with cracked APKs from unofficial sites.
- Use Google Play Protect actively
Do not just rely on passive scans. Run a manual scan monthly from Play Store > Profile > Play Protect.
- Review Accessibility permissions regularly
Every 2 to 3 weeks go back to Settings > Accessibility > Downloaded Apps. This is the permission most commonly abused by keyloggers. Audit it the same way you audit your bank statement.
- Use a VPN with DNS filtering
A DNS level filter like NextDNS or Cloudflare 1.1.1.1 with filtering enabled can block known malware domains. Even if a keylogger installs itself, it cannot send data home if its domain is blocked.
- Factory reset as a nuclear option
If you are on a personal device and genuinely cannot identify the source, a full factory reset and fresh install is the cleanest solution. Back up contacts and photos to a separate account first.
- Separate work and personal phones
If your company gives you a work phone, do not use it for anything personal. Keep all sensitive accounts on your personal device only.
I want to add a few more detection methods that have not come up yet in this thread because the ones listed so far are solid but not complete.
More Ways to Detect a Keylogger on Android
Method 1: USSD code check
Dial *#*#4636#*#* on your dialer. This opens a hidden testing menu. Go to “Usage Statistics” and look at the app usage list. Anything running frequently that you do not recognize is worth flagging.
Method 2: Check /proc directory via Termux
If you are comfortable with terminal commands, install Termux from F-Droid and run:
ls /proc
Then cross reference running process IDs. This gives you a raw system level view of what is actually executing on the device.
Method 3: Use Malwarebytes for Android
It is free, available on Play Store, and specifically scans for stalkerware and keylogger type software. It uses a definition database updated regularly. Run a full scan and check the detailed report.
Method 4: Check for rooted device
Run an app called Root Checker. If your device has been rooted without your knowledge, that is a major red flag because keyloggers with root access can operate at a much deeper level and are harder to detect.
Method 5: Examine startup apps
Install an app called Startup Manager. It shows every app and service that launches on boot. Legitimate apps are easy to identify. Unknown services that auto start are suspicious.
Method 6: Check your SMS logs
Some older keylogger variants exfiltrate data via SMS. Check your sent messages folder for anything you did not send. Also check your data bill for unusual SMS activity.
Let me share what actually happened to me because I think it puts this whole thing in context.
I bought a second hand Android phone from an online marketplace. Seemed fine at first. But about two weeks in I noticed my Gmail password got changed, which I had only ever typed on that phone. I went through all the basic checks and could not find anything obvious in the app list.
What eventually got me was the keyboard app check that Byteforge44 mentioned. There was a third party keyboard I had never installed sitting there, listed as the secondary input method. The name looked like a legit keyboard app but when I searched it, zero results on the Play Store. That was a dead giveaway.
I also ran Malwarebytes like Fluxstellar suggested and it flagged a service running in the background tied to that keyboard package.
What I did after finding it:
- Documented everything with screenshots before removing anything
- Changed all passwords from a separate clean device first, not from the affected phone
- Enabled 2FA on every account using an authenticator app, not SMS
- Wiped the phone and did a clean factory reset
- Only reinstalled apps directly from the official Play Store
The biggest thing I want people to take from this is that step about changing passwords from a different device first. A lot of people remove the keylogger and then change passwords on the same phone, which defeats the whole point if there is residual malware still sitting somewhere.
This whole thread is actually really helpful. The OP asked the right question.
I want to add one confirmation method that ties together a few things mentioned here and also adds something new.
If you want a high confidence result, combine these three checks together:
Check 1: ADB logcat output
Connect your phone to a PC with USB debugging enabled (Settings > Developer Options > USB Debugging) and run:
adb logcat | grep -iE "keylog|input|accessibility|logger"
This filters the system log for any process referencing those terms. Legitimate apps rarely reference these in live logs. If something shows up consistently, note the package name.
Check 2: Cross reference package name
Take whatever package name you found and run:
adb shell dumpsys package [packagename]
This gives you the full install details including where the APK came from and what permissions it declared at install time.
Check 3: Scan with Hybrid Analysis
Export the APK using a file manager that can access the app directory, then upload it to hybrid-analysis.com, which is a free malware sandbox. It runs the file in a sandboxed environment and gives you a full behavioral report including network calls, file writes, and input hooks.
New process not mentioned yet: Check your Google account for unknown device sign ins
Go to myaccount.google.com > Security > Your Devices. If any unfamiliar device is listed as having accessed your account, that tells you data has already left your phone. Revoke access immediately and rotate credentials from a clean machine.
That Google account check takes 30 seconds and can tell you a lot fast.
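Added example, not part of any post in this thread: the accessibility check (Step 3), the keyboard check and the install-source check (Check 2) combined into one script that lists every enabled accessibility service and keyboard and flags third-party packages that were not installed by the Play Store. The sample data, the com.example package names and the verdict labels are constructed for illustration; the --live branch assumes adb is installed and USB debugging is enabled.

```shell
#!/bin/sh
# Added example: triage accessibility services and keyboards by install source.
# Parses the text output of three adb commands (see the --live branch below).
PLAY_STORE="com.android.vending"

# Constructed sample output, not taken from a real device.
SAMPLE_PM='package:com.example.fleettracker  installer=com.android.vending
package:com.example.fastkeys  installer=null
package:com.example.devicehealth  installer=com.example.filemanager'
SAMPLE_A11Y='com.example.devicehealth/.MonitorService:com.google.android.marvin.talkback/.TalkBackService'
SAMPLE_IME='com.google.android.inputmethod.latin/com.android.inputmethod.latin.LatinIME
com.example.fastkeys/.KeyboardService'

# installer_of PKG PM_OUTPUT: prints the installer, or nothing if PKG is not
# in the third-party list (i.e. it shipped in the system image).
installer_of() {
    printf '%s\n' "$2" | tr -d '\r' |
        awk -v p="package:$1" '$1 == p { sub(/^installer=/, "", $2); print $2; exit }'
}

# triage KIND COMPONENTS PM_OUTPUT: one "KIND package verdict" line per
# component; COMPONENTS may be colon- or newline-separated.
triage() {
    printf '%s\n' "$2" | tr ':' '\n' | tr -d '\r' | while IFS= read -r comp; do
        case "$comp" in ""|null) continue ;; esac
        pkg=${comp%%/*}
        inst=$(installer_of "$pkg" "$3")
        case "$inst" in
            "")            verdict="preinstalled-or-system" ;;
            "$PLAY_STORE") verdict="play-store" ;;
            *)             verdict="REVIEW(installer=$inst)" ;;
        esac
        printf '%s %s %s\n' "$1" "$pkg" "$verdict"
    done
}

if [ "${1:-}" = "--live" ]; then   # needs adb on PATH and USB debugging on
    pm_out=$(adb shell pm list packages -i -3)
    triage a11y "$(adb shell settings get secure enabled_accessibility_services)" "$pm_out"
    triage ime "$(adb shell ime list -s)" "$pm_out"
else
    triage a11y "$SAMPLE_A11Y" "$SAMPLE_PM"
    triage ime "$SAMPLE_IME" "$SAMPLE_PM"
fi
```

A REVIEW line means the package's origin needs an explanation, for example by comparing it with the Device Admin list or asking IT, since an MDM can install apps outside the Play Store. A preinstalled-or-system line only says the package shipped in the system image, which on a second hand phone is not proof that it is clean.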