Mobile device compromise is one of the fastest-growing cybersecurity concerns for professionals, journalists, activists, and government officials — especially in Nigeria where targeted attacks against high-value individuals have been documented. These five indicators do not individually confirm infection, but each warrants immediate investigation when observed together or when the behaviour is sudden and unexplained.
- Spyware typically manifests across multiple indicators simultaneously — a single sign is worth investigating, multiple concurrent signs warrant immediate action
- Background data transmission is the most technically reliable indicator — spyware must exfiltrate captured data to a C2 server, creating measurable network traffic
- Modern iOS and Android sensor access indicators (green/orange dots) make unauthorised microphone and camera access visible — but only if users know to watch for them
- Factory reset is the most reliable remediation — but evidence preservation before reset is critical for targeted individuals (journalists, officials, activists)
1. Unusual Battery Drain
Spyware runs continuously in the background — monitoring calls, capturing screenshots, recording audio, and transmitting data. This creates abnormal battery consumption even when the phone is idle. If your battery started dying significantly faster with no change in usage patterns (no new apps, no changed settings), this warrants investigation. Check Settings → Battery → Battery Usage to identify which apps are consuming the most power at idle.
2. Unexpected Background Data Usage Spikes
Check your monthly data usage per app in Settings → Mobile Data or Data Usage. Spyware must transmit what it collects — screenshots, microphone recordings, location data, contact lists — back to a command-and-control server. This transmission creates measurable network traffic. Look for unfamiliar apps with significant background data consumption, or known apps using far more data than expected.
3. Phone Warm During Idle
Normal smartphones do not generate significant heat when sitting idle with the screen off. If your phone is physically warm to the touch after sitting face-down on a desk for an hour, something is processing in the background. Occasional warmth is normal — sustained warmth during idle periods is not.
4. Microphone or Camera Activating Unexpectedly
Modern Android and iOS devices display an indicator dot when any application accesses your microphone (orange dot on iOS, green on Android) or camera (green dot). If you observe these indicators when you are not in a call, not recording, and not using any camera application — investigate immediately. On iOS: Settings → Privacy → Microphone/Camera shows which apps have access. Revoke any you do not recognise.
5. Unfamiliar Apps or Changed Security Settings
Stalkerware often attempts to hide itself but frequently leaves traces. Audit these areas regularly:
- Device Administrator apps (Settings → Security → Device Administrators) — only known MDM software should appear here
- Accessibility Services — spyware frequently requests these for keylogging. Review any you do not recognise
- Apps with no icon on the home screen — installed but deliberately hidden from the launcher
- Changed security settings — disabled screen lock, disabled Google Play Protect, or unknown certificates installed
What to Do
If you observe multiple indicators simultaneously: do not factory reset immediately if you are a high-value target (journalist, official, activist). Evidence captured on device may be legally or investigatively valuable. Contact a digital security professional first for forensic preservation. For general users, factory reset is the most reliable remediation — but back up only clean data (contacts, photos) — do not restore apps from backup as this may restore the spyware.
If you believe you are specifically targeted (rather than broadly infected), contact a digital rights organisation such as Access Now's Digital Security Helpline or Citizen Lab before taking any action. Evidence preservation procedures differ significantly from general remediation.