How to Remove Malware from Android (NZ Guide)


The short answer

To remove malware from an Android device, boot into Safe Mode to disable third-party apps, uninstall any suspicious applications, run a reputable mobile security scanner, and clear your browser cache and storage. If the infection persists, a factory reset is the most reliable fix — but you can often resolve it without going that far.

Why this matters for NZ users specifically

New Zealand sits inside the Five Eyes intelligence alliance, which means domestic surveillance frameworks are more permissive than many people assume. Under the Privacy Act 2020, organisations must take reasonable steps to protect personal information — but that obligation falls on them, not on attackers. If malware exfiltrates your banking credentials, your NZ bank account details, or your IRD number, the legal remedies available to you are slow and limited. Prevention is the only practical defence.

The threat landscape here is not abstract. CERT NZ (now folded into the NCSC under the Government Communications Security Bureau) consistently reports that phishing and malicious apps are among the top incident categories affecting New Zealanders. Android is the dominant mobile platform in NZ, and because it allows sideloading — installing apps from outside the Google Play Store — the attack surface is larger than on iOS.

NZ-specific risks include fake toll-road payment SMS messages (NZTA impersonation), spoofed Inland Revenue refund notifications, and counterfeit banking apps mimicking ANZ, ASB, BNZ, and Westpac NZ interfaces. These are not generic global threats repurposed for NZ; they are campaigns that use NZ branding, NZ phone number formats, and NZ seasonal events (tax season, public holidays) to increase click rates.

There is also a practical infrastructure angle. On a fast Chorus fibre or Hyperfibre connection — common in Auckland, Wellington, and Christchurch — a compromised device can exfiltrate large volumes of data very quickly. A device quietly running spyware on a 900 Mbps symmetrical line is a far more capable data leak than the same device on a congested mobile connection. Speed is not just a convenience; it is a risk multiplier when your device is compromised.

How to tell if your Android device has malware

Not every slow phone is infected, but the following patterns warrant investigation:

  • Unexplained mobile data usage — check Settings > Network > Data Usage. If an app you rarely use is consuming gigabytes in the background, that is a red flag, and it matters all the more if you are on a capped Spark, One NZ, or 2degrees mobile plan.
  • Battery draining faster than usual without a change in your usage habits.
  • Overheating at idle — background processes running cryptominers or data harvesters generate heat.
  • New apps you did not install, or apps that cannot be uninstalled through normal means.
  • Intrusive ads appearing outside of apps, including on the home screen or lock screen.
  • Browser redirects — your default search engine has changed, or pages redirect to unfamiliar sites.
  • Unusual account activity — password reset emails you did not request, or logins from unfamiliar locations appearing in your Google account.

If you are seeing two or more of these simultaneously, treat it as a probable infection and work through the steps below.

Step-by-step: how to remove malware from Android

Step 1 — Boot into Safe Mode

Safe Mode loads Android with only the core operating system and pre-installed system apps. Third-party apps, including malware, are disabled. The method varies slightly by manufacturer:

  1. Press and hold the Power button until the power menu appears.
  2. Press and hold the Power Off option on screen until a prompt asks if you want to reboot into Safe Mode.
  3. Tap OK. The device will restart and display “Safe Mode” in the bottom-left corner.

On some Samsung devices (common in NZ retail), you may need to hold the Volume Down button during restart instead. Consult your device model if the above does not work. Once in Safe Mode, if the symptoms disappear — ads stop, battery drain slows — you have confirmed a third-party app is responsible.

Step 2 — Identify and uninstall suspicious apps

Go to Settings > Apps (or Application Manager on older Android versions). Sort by install date and look for anything installed around the time your problems started. Warning signs include:

  • Apps with generic names like “System Service”, “Phone Manager”, or “Battery Optimizer” that you do not recall installing.
  • Apps with no icon or a blank name.
  • Apps requesting permissions wildly disproportionate to their stated function — a torch app asking for contact access, for example.

Tap the suspicious app and select Uninstall. If the Uninstall button is greyed out, the app has granted itself Device Administrator privileges. Go to Settings > Security > Device Admin Apps (the exact path varies by Android version and manufacturer skin), deactivate the app there, then return to Apps and uninstall it.
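The Step 2 warning signs can also be applied systematically to a list of installed third-party apps. The sketch below is an added example, not part of the original guide: the inventory records, the `com.example.*` package names, the category-to-permission table and the seven-day window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Sensitive permissions matching the groups audited in Step 5 (prefix omitted).
SENSITIVE = {"READ_CONTACTS", "READ_SMS", "SEND_SMS", "RECORD_AUDIO",
             "CAMERA", "ACCESS_FINE_LOCATION"}
GENERIC_NAMES = {"system service", "phone manager", "battery optimizer"}
PLAY_STORE = "com.android.vending"  # installer package of the Google Play Store
# Assumption: what each app category plausibly needs; tune for your own apps.
EXPECTED = {"torch": {"CAMERA"},
            "messaging": {"READ_CONTACTS", "READ_SMS", "SEND_SMS",
                          "CAMERA", "RECORD_AUDIO"}}

def triage(app, symptoms_began, window_days=7):
    """Return the Step 2 warning signs that apply to one third-party app."""
    reasons = []
    label = (app.get("label") or "").strip()
    if not label:
        reasons.append("blank name")
    elif label.lower() in GENERIC_NAMES:
        reasons.append("generic name")
    installed = datetime.fromisoformat(app["installed"])
    if abs(symptoms_began - installed) <= timedelta(days=window_days):
        reasons.append("installed near symptom onset")
    if app.get("installer") != PLAY_STORE:
        reasons.append("sideloaded")
    needed = EXPECTED.get(app["category"], set())
    excess = (set(app["permissions"]) & SENSITIVE) - needed
    if excess:
        reasons.append("excess permissions: " + ", ".join(sorted(excess)))
    if app.get("device_admin"):
        reasons.append("device administrator: deactivate before uninstalling")
    return reasons

def review(inventory, symptoms_began):
    """Map package -> reasons for every flagged app, most-flagged first."""
    flagged = {a["package"]: triage(a, symptoms_began) for a in inventory}
    flagged = {p: r for p, r in flagged.items() if r}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

# Constructed inventory (not from a real device).
INVENTORY = [
    {"package": "com.example.torchlite", "label": "Torch Lite", "category": "torch",
     "installed": "2025-06-10", "installer": None, "device_admin": False,
     "permissions": ["CAMERA", "READ_CONTACTS", "READ_SMS"]},
    {"package": "com.example.sysservice", "label": "System Service", "category": "utility",
     "installed": "2025-06-11", "installer": None, "device_admin": True,
     "permissions": ["READ_SMS"]},
    {"package": "com.example.chat", "label": "Chat", "category": "messaging",
     "installed": "2024-01-05", "installer": PLAY_STORE, "device_admin": False,
     "permissions": ["READ_CONTACTS", "CAMERA", "RECORD_AUDIO"]},
]
SYMPTOMS_BEGAN = datetime(2025, 6, 12)  # constructed date the problems started
```

An app that collects several reasons at once, like the constructed "System Service" entry, is the first candidate for removal; a single flag such as "sideloaded" on its own is only a prompt to look closer.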

Step 3 — Run a mobile security scan

With the suspicious app removed, reboot normally and run a full scan using a reputable security application. Do not rely solely on manual removal — some malware installs secondary payloads or modifies system settings that a scanner will catch. See the Recommended Tools section below for specific options with NZD pricing.

Step 4 — Clear browser data

Many Android infections arrive via the browser and leave behind malicious bookmarks, rogue extensions (on Chrome for Android), or cached scripts. In Chrome, go to Settings > Privacy and Security > Clear Browsing Data. Select All Time as the time range and tick Cookies, Cached Images, and Site Data. Also check your default search engine under Settings > Search Engine and reset it if it has changed.

Step 5 — Revoke unnecessary permissions and review Google account access

Go to Settings > Privacy > Permission Manager and audit which apps have access to your location, microphone, camera, contacts, and SMS. Revoke anything that looks out of place. Then visit myaccount.google.com on a clean device and check Security > Third-party apps with account access. Remove any authorisations you do not recognise.

Step 6 — Update Android and all apps

Many infections exploit known vulnerabilities that have already been patched. Go to Settings > Software Update and install any pending system updates. Then open the Play Store and update all apps. If your device is no longer receiving security patches — common with budget handsets sold through NZ retailers that are two or more years old — consider whether it is time to replace it.

Step 7 — Factory reset (last resort)

If the infection persists after the above steps, a factory reset is the most reliable resolution. Go to Settings > General Management > Reset > Factory Data Reset. Back up photos and documents to Google Drive or a computer first — but do not restore app data backups, as these can reintroduce the infection. Reinstall apps manually from the Play Store rather than restoring from a full backup snapshot.

Key takeaway: Safe Mode plus manual uninstall resolves the majority of Android malware infections. Reserve the factory reset for cases where the malware has embedded itself deeply enough to survive the earlier steps — rootkits and some banking trojans fall into this category.

Common mistakes to avoid

Installing a “cleaner” app from an ad. This is one of the most common infection vectors in NZ. If you search “remove virus from Android” and click an ad leading to an APK download outside the Play Store, you are very likely installing more malware. Only download security software from the Play Store or the vendor’s official website.

Restoring from a full cloud backup immediately after a reset. If your Google backup includes app data from the time of infection, restoring it can reintroduce the problem. Restore contacts and media; reinstall apps fresh.

Ignoring the router. Some sophisticated attacks compromise both your phone and your home router. If you are on a Chorus-provisioned fibre connection with a default-password router, check your router’s admin panel for unfamiliar DNS settings or port forwarding rules. Your ISP — Spark, One NZ, 2degrees, Voyager, or whoever provides your broadband — may have a support line that can help you verify your router configuration.

Assuming free antivirus is always worse. Several reputable vendors offer free tiers that are genuinely effective for on-demand scanning. The paid tiers add real-time protection, which is more valuable. But a free scan from a trusted vendor is far better than a paid scan from an unknown one.

Not changing passwords after removal. Removing the malware does not undo any credential theft that already occurred. After cleaning your device, change passwords for your email, banking apps, and any accounts you accessed while infected. Enable two-factor authentication where available — ANZ, ASB, BNZ, and Westpac NZ all support it.

Recommended tools (NZD pricing)

The table below covers the main options available to NZ users. Pricing is in NZD and reflects single-device annual plans as of mid-2025; multi-device plans are generally better value if you are protecting a household.

| Product | Free tier | Paid plan (NZD/year, 1 device) | Real-time protection | VPN included | Notable for NZ users |
|---|---|---|---|---|---|
| Malwarebytes for Android | Yes (30-day trial of Premium, then on-demand scan only) | ~NZ$60–70 | Premium only | Separate subscription | Strong adware and PUP detection; lightweight |
| Bitdefender Mobile Security | No | ~NZ$25–35 | Yes | 200 MB/day limit | Very low performance overhead; good for older devices |
| Norton Mobile Security | No | ~NZ$55–75 | Yes | Yes (unlimited on higher tiers) | App Advisor scans Play Store links before install |
| Kaspersky for Android | Yes (limited) | ~NZ$40–55 | Premium only | 300 MB/day on free | Effective scanner; note Five Eyes / geopolitical considerations for some users |
| ESET Mobile Security | 30-day trial | ~NZ$30–45 | Yes | No | Low false-positive rate; good for banking app environments |
| Google Play Protect | Free (built-in) | Free | Yes | No | Baseline protection; misses some threats that dedicated scanners catch |

Google Play Protect is enabled by default on all GMS-certified Android devices sold in NZ and provides a useful baseline. Independent testing by AV-TEST and AV-Comparatives consistently shows it lags behind dedicated security products in detection rates, particularly for newer malware families. It is a floor, not a ceiling.

If you are also considering a VPN for broader privacy — relevant given NZ’s Five Eyes membership and the data-retention provisions in the Telecommunications (Interception Capability and Security) Act — our best VPN guide covers the leading options tested against NZ infrastructure. Be cautious about bundled VPNs inside security suites; they are often limited in server choice and do not replace a dedicated VPN service. If cost is a constraint, our free VPN guide outlines which free options are trustworthy and which to avoid.

Protecting yourself going forward

Removal is reactive. The more durable approach is reducing your attack surface so reinfection is unlikely:

  • Only install apps from the Google Play Store, and even then, check the developer name, review count, and permission requests before installing.
  • Disable “Install unknown apps” in Settings > Security unless you have a specific, trusted reason to sideload.
  • Keep Android updated. If your device is no longer receiving security patches, it is a liability. Many budget Android phones sold through NZ carriers receive updates for only two years.
  • Use a DNS-based threat blocker on your home network. Configuring your router to use a filtering DNS service (such as Cloudflare’s 1.1.1.2 for malware blocking, or NextDNS) adds a network-level layer that catches malicious domains before your device even connects to them.
  • Be sceptical of SMS links. NZTA, IRD, NZ Post, and NZ banks will not ask you to click a link to verify a payment or receive a refund. If in doubt, navigate directly to the organisation’s website.
  • Review app permissions periodically — every few months, spend five minutes in Permission Manager and revoke anything that has crept in.

FAQ

Can Android malware survive a factory reset?

In almost all cases, no. A factory reset wipes the user data partition and returns the device to its out-of-box state, removing virtually all malware. The rare exception is firmware-level malware (sometimes called a bootkit or pre-installed bloatware from a compromised supply chain), which survives because it lives in the system partition. This is uncommon on devices purchased through mainstream NZ retailers. If you suspect firmware-level compromise, contact the manufacturer or your retailer.

Is Google Play Protect enough, or do I need a separate app?

Play Protect is a reasonable baseline and catches a large volume of known threats. However, independent lab testing consistently shows detection rates 10–20 percentage points lower than leading dedicated security apps, particularly for zero-day and newly circulating malware. If you use mobile banking, access work email, or store sensitive documents on your phone, a dedicated scanner with real-time protection is worth the NZ$25–70 annual cost.

My phone is slow — does that mean it has malware?

Not necessarily. Slow performance is more commonly caused by a full storage partition, an aging battery, too many background apps, or a pending software update. Run a scan to rule out malware, but also check Settings > Storage and Settings > Battery to identify more mundane causes first.

Can malware on my Android affect my NZ streaming services like TVNZ+ or Neon?

Yes, indirectly. If malware captures your credentials or session cookies, an attacker could access your TVNZ+, Neon, or Sky Sport Now account. More seriously, credential-stealing malware targeting your email account can be used to reset passwords across all linked services. Change passwords for all accounts you accessed while infected, and enable two-factor authentication wherever the service supports it.

Should I be worried about Five Eyes surveillance when choosing a security app?

This is a nuanced question. Five Eyes (of which NZ is a member) primarily concerns government-level signals intelligence, not commercial security software. The more relevant consideration is the vendor’s jurisdiction and privacy policy — specifically, what telemetry the app collects and where it is processed. Some NZ users have concerns about security products headquartered in certain jurisdictions; ESET (Slovakia), Bitdefender (Romania), and Malwarebytes (US) each represent different risk profiles. Read the privacy policy before installing.

Can I remove malware without losing my data?

In most cases, yes. The Safe Mode uninstall method and a security scan will remove the majority of infections without touching your personal files. A factory reset is only necessary when the infection is deeply embedded. Back up photos, contacts, and documents to Google Drive or a PC before attempting a reset, just in case.

What should I do if I think my banking app has been compromised?

Contact your bank immediately using the number on the back of your card or the official website — not a number found in a search result or SMS. ANZ NZ, ASB, BNZ, Westpac NZ, and Kiwibank all have fraud lines available around the clock. Freeze your card through the bank’s official app from a different, clean device if possible. Then work through the malware removal steps above. Under the Banking Ombudsman Scheme, NZ banks have obligations around unauthorised transaction liability, but prompt reporting is essential.

Bottom line

Removing malware from an Android device is a methodical process, not a single-click fix. For the majority of infections — adware, browser hijackers, credential-stealing apps — Safe Mode plus manual uninstall plus a scan from a trusted tool like Malwarebytes, Bitdefender, or ESET will resolve the problem without a factory reset. The NZ-specific risks are real: local phishing campaigns impersonating NZTA, IRD, and NZ banks are active and well-crafted, and a fast Chorus fibre connection makes a compromised device a more capable exfiltration tool than most people realise. Spend the NZ$25–70 on a reputable real-time scanner, keep Android updated, and treat every unsolicited SMS link as hostile by default. That combination will handle the overwhelming majority of threats you are likely to encounter.
