Check and Remove Hidden Device Administrators On Android

You try to uninstall a suspicious app, but the Uninstall button is grayed out. You dig through Settings and find a Deactivate option that does nothing when you tap it. This is one of the most frustrating problems on Android, and it happens because the app has Device Admin privileges.

The Android Device Administration API grants apps system-level powers: enforce passwords, lock the device, wipe all data, disable the camera, and critically, remove device administrator Android users cannot bypass through normal uninstall. Apps like Google Find My Device and corporate MDM tools use this legitimately. But malware like banking trojans (Cerberus, SpyNote) and stalkerware exploit it to resist removal.

This guide covers 7 methods, starting with the simplest Settings path and escalating to Safe Mode, ADB commands, and scanner-based detection for hidden admins.

Step 1: Check Which Apps Have Device Admin Rights

Before you remove anything, find out exactly which apps hold Device Admin privileges on your phone. The path to this screen varies by manufacturer.

How to find Device Admin Apps on your phone:

  • Samsung (One UI): Settings > Security and Privacy > Other security settings > Device admin apps
  • Pixel (stock Android): Settings > Security & privacy > More security settings > Device admin apps
  • Xiaomi / Redmi / POCO (MIUI / HyperOS): Settings > Privacy protection > Special permissions > Device admin apps
  • OnePlus: Settings > Security and Privacy > More Security and Privacy > Device admin apps
  • Universal shortcut: Open Settings, type “device admin” in the search bar, and select the result

You will see a list of every app with admin privileges on your device. Legitimate entries include Google Find My Device, Samsung SmartThings Find, and your company’s MDM app (like Microsoft Intune or Hexnode). Anything else deserves scrutiny, especially apps with generic names like “System Service,” “Phone Monitor,” or “Device Health.”

Red flags that something is wrong:

  • The app appeared without your consent
  • Wi-Fi or Bluetooth turns itself on
  • Unusual battery drain or data spikes
  • Other apps close unexpectedly in the background

If any of these match, the suspicious admin app is likely the cause.

Step 2: Deactivate Device Admin via Settings

For most apps, deactivation is a simple toggle in Settings.

  1. Navigate to the Device Admin Apps screen using the paths from Step 1 (or the Settings search shortcut)
  2. Tap the suspicious app
  3. Tap Deactivate or Deactivate this device admin app
  4. The app loses its admin shield immediately
  5. Go to Settings > Apps, find the same app, and tap Uninstall
  How to Remove Malware from Android

Deactivating alone does NOT remove the app. It only strips admin privileges. You must still uninstall it separately through the Apps menu.

If this worked, skip ahead to Step 6 for a post-removal safety check.

If the Deactivate button is grayed out, unresponsive, or the app immediately re-enables itself, move to Step 3.

Step 3: Fix a Grayed-Out Deactivate Button

A grayed-out or unresponsive Deactivate button means the app is actively blocking you. This is the single most common complaint from users dealing with malicious device admin apps.

Why this happens: Four technical causes. (1) The app has an active Accessibility Service that hijacks the UI. (2) An overlay attack is hiding or blocking the Deactivate button. (3) Background services restart instantly after being killed. (4) The app is set as Device Owner, not just Device Admin. The first three are fixable here. Device Owner requires ADB (Step 5) or a factory reset.

Fix A: Disable the Accessibility Service

  1. Go to Settings > Accessibility
  2. Look through the list of services for the suspicious app
  3. Turn OFF its accessibility toggle
  4. Go back to Device Admin Apps and try Deactivate again

With Accessibility active, the app can intercept your taps and prevent deactivation. Disabling it cuts off that defense.

Fix B: Force Stop + Race the Malware

  1. Go to Settings > Apps and find the suspicious app
  2. Tap Storage & Cache > Clear Storage, then Clear Cache
  3. Tap Force Stop to kill all running processes
  4. Immediately navigate to Device Admin Apps and tap Deactivate before the app restarts
  5. Speed matters. The app will attempt to relaunch within seconds

If neither fix works, move to Step 4.

Step 4: Boot into Safe Mode and Remove the App

Safe Mode loads Android with only the core operating system. No third-party apps run, which means the malicious app’s defenses are completely inactive.

How to boot into Safe Mode:

  1. Hold the Power button until the power menu appears
  2. Long-press “Power Off” or “Restart” until the “Reboot to Safe Mode” prompt appears
  3. Tap OK. The phone restarts with a “Safe Mode” watermark in the bottom corner

Samsung alternative: Power off the phone completely. Hold the Power button. When the Samsung logo appears, press and hold Volume Down until Safe Mode appears.

  Do I have a Virus on My Phone?

Remove the app while in Safe Mode:

  1. Navigate to Settings > Security > Device Admin Apps
  2. The malicious app is listed but NOT running. Tap Deactivate. It will respond normally
  3. Go to Settings > Apps, find the app, tap Uninstall
  4. Restart your phone normally to exit Safe Mode

This works because the app’s background services, accessibility hooks, and overlay attacks are all inactive in Safe Mode. The Deactivate button becomes fully functional.

If Safe Mode still does not work (rare), the app may be set as Device Owner or embedded at the system level. Move to Step 5.

Step 5: Use ADB to Force-Remove Device Admin (Advanced)

If Safe Mode did not help, or the app is set as Device Owner, ADB (Android Debug Bridge) lets you force-remove admin rights from a computer.

Prerequisites:

  • A Windows, Mac, or Linux computer with ADB installed
  • A USB cable
  • Developer Options enabled: go to Settings > About Phone and tap Build Number 7 times
  • USB Debugging enabled: Settings > Developer Options > USB Debugging
  • Enable USB Debugging BEFORE the malware blocks access to Developer Options

Commands:

  1. Connect your phone via USB and authorize the USB debugging prompt on the phone screen
  2. Verify the connection: adb devices
  3. Find the package name: adb shell pm list packages (look for the suspicious app’s package name)
  4. Revoke admin rights: adb shell dpm remove-active-admin com.package.name/.AdminReceiver
  5. Uninstall the app: adb uninstall com.package.name

The .AdminReceiver component name varies per app. You may need to check the app’s manifest or search online for the correct receiver class name.

Step 6: Scan for Hidden Device Admins with MalwareFox

Some malware hides from the Device Admin Apps list entirely. It holds admin privileges but does not appear in Settings at all. No built-in Android tool can detect these hidden device administrators.

How to find hidden admin apps:

  • Install MalwareFox for Android
  • Run a full scan. MalwareFox detects hidden admin apps, stalkerware, banking trojans, and RATs that manual inspection misses
  • Use the Application Privacy Audit feature to flag apps abusing data access permissions
  • This also serves as post-removal verification after completing any earlier steps

Post-removal verification checklist:

  • Device Admin Apps list shows no unexpected entries
  • Accessibility services have no unknown apps active
  • Settings > Apps confirms the suspicious app is gone
  • Monitor for 24-48 hours: battery drain normalizes, no data spikes, Wi-Fi and Bluetooth stay off when disabled
  How to Detect Spyware on Android Phone

Step 7: Remove Device Admin on a Work or MDM-Managed Phone

If your phone is managed by an employer or school, the Device Admin restriction is an MDM (Mobile Device Management) policy, not malware. The removal process is different.

Self-removal (if your organization’s policy allows it):

  1. Open your MDM app (Microsoft Intune Company Portal, Hexnode, ManageEngine, or similar)
  2. Sign in > Devices > select your device
  3. Tap the menu (three dots) > Remove Device > Confirm

Alternatively: Settings > Accounts > Work tab > Remove Work Profile.

When self-removal is blocked: The IT administrator controls the policy. Contact your IT department to request unenrollment. There is no workaround you can perform on your own.
Critical warning for Zero-Touch enrolled devices: A factory reset will NOT help. The MDM profile automatically reinstalls on first internet connection after the reset. Factory reset also triggers Factory Reset Protection (FRP), which requires the original Google account credentials to set up the phone again.

Frequently Asked Questions

What can a Device Admin app do to my phone?

It can enforce password policies, lock your device, wipe all data without confirmation, disable the camera, require storage encryption, and block its own uninstallation. If multiple admin apps exist on a device, the strictest policy among all of them is enforced.

Are all Device Admin apps dangerous?

Google Find My Device, Samsung SmartThings Find, and corporate MDM agents use Device Admin privileges legitimately. Only apps that obtained admin status without your explicit consent are suspicious.

Will a factory reset remove a Device Admin app?

Yes, but with caveats. A factory reset wipes everything, including malicious admin apps. However, Factory Reset Protection (FRP) requires your original Google account credentials afterward. If the device uses Zero-Touch Enrollment (corporate), the MDM profile will automatically reinstall on first internet connection.

How do I know if a hidden app has Device Admin on my phone?

Hidden admin apps do not appear in the Device Admin Apps list in Settings. Symptoms include unexplained battery drain, data usage spikes, Wi-Fi or Bluetooth toggling on by themselves, and inability to install apps from the Play Store. MalwareFox for Android detects hidden admin apps that manual inspection misses.

31 thoughts on “Check and Remove Hidden Device Administrators On Android”

  1. I have had issues with apps running in the background, closing other apps & accessing permissions and unrestricted data usage. My Wi-Fi & Bluetooth also turn themselves on. After reading everything you have discussed, I now know where to begin to fix this issue. Just one question,please: There are system apps with permissions and app links that are frozen. They can neither be turned on or off. Can you advise me on how to tackle this. Again thanks for all your help.

    Reply

  3. I can not load any apps from Google play store.
    “Administer has not given me permission”
    So I unable to load any apps from Google play

    Reply

  5. I find it difficult to restore factory in my phone because of security plugin and if I want to deactivate it the deactivate button is not clear it shows that I can’t deactivate.
    Please help me how can I disable it when appears like that ? Is there any other way?
    Please you let me know.Thanks

    Reply

Leave a Comment