Most businesses use legitimate tools to understand customer behaviour—website analytics, CRM tracking, marketing pixels, and consent-based cookies. Used responsibly, these tools help improve services and personalise experiences.
Spyware is different. Spyware is software that is secretly installed (or deceptively bundled) to monitor activity and collect data without informed consent. It can capture everything from browsing habits to passwords and banking details, and it may transmit that information to a third party for profit or exploitation.
Spyware has also evolved. It’s no longer just “annoying pop-ups” or sketchy browser toolbars. Modern spyware includes:
- Credential-stealing “infostealers”
- Keyloggers
- Remote access trojans (RATs)
- Mobile stalkerware
- High-end commercial spyware used in targeted attacks
This guide explains the main spyware types, how to spot an infection, how to remove spyware safely across Windows/macOS/iOS/Android, and how to prevent reinfection—especially in a business environment.
What is spyware?
Spyware is a category of malware designed to collect information from a device or system without the user’s knowledge or consent. It may record keystrokes, capture screenshots, harvest credentials, track browsing behaviour, monitor messages, or even access a device’s microphone/camera in some cases.
From a standards perspective, NIST describes spyware as software that is surreptitiously installed to gather information without the user’s knowledge, and generally as malware intended to violate privacy.
Spyware vs “tracking” and legitimate monitoring
- Legitimate tracking (e.g., analytics cookies, consent-based marketing tools) should be disclosed and controllable via privacy policies and consent banners.
- Spyware is hidden, deceptive, or installed without meaningful consent, and is used to extract data in a way the user didn’t agree to.
In workplaces, there are legitimate monitoring tools (device management, auditing, some productivity monitoring) that may overlap with spyware techniques. Even when legal, organisations should be transparent with staff, minimise collection, and follow local privacy and employment laws.
Common types of spyware (and how they work)
Spyware isn’t one single “thing.” It’s a spectrum of technologies used to track, steal, and spy.
1) Tracking cookies (and invasive tracking tech)
Cookies are small files websites store in your browser to remember sessions and preferences. Some cookies become privacy-invasive when they track users across sites for advertising or profiling. This category is often more “privacy risk” than “system compromise,” but malicious or shady ad tech can still become a delivery path for worse malware.
What it looks like:
- Your ads feel “too accurate”
- Retargeting follows you across unrelated sites
- Your browser has persistent trackers and third-party scripts
Best controls:
- Browser privacy settings and tracker blockers
- Limiting third-party cookies where possible
- Only accepting cookies on trusted sites
2) Adware (advertising-supported spyware)
Adware displays unwanted advertisements and may track your browsing to target ads. Some adware is merely aggressive and annoying; other forms cross into spyware by collecting excessive data, redirecting traffic, or installing additional components.
Cisco notes spyware’s primary purpose is gathering information without knowledge and transmitting it for gain, and highlights keyloggers as a high-severity example.
What it looks like:
- Pop-ups even when you’re not browsing
- New tabs opening to unfamiliar sites
- Homepage/search engine changed without permission
- Unwanted extensions returning after removal
3) Keyloggers (keystroke loggers)
Keyloggers record what you type—usernames, passwords, credit card numbers, internal messages—and send it to an attacker. CISA specifically notes spyware can capture keystrokes and other sensitive inputs.
Keyloggers can be software-based or hardware-based (e.g., a physical device inserted between keyboard and PC). Some keylogging tools are used legitimately (e.g., troubleshooting, explicit parental controls), but malicious keyloggers are a major identity theft risk.
What it looks like:
- Compromised accounts even after password changes
- Suspicious logins, MFA prompts you didn’t initiate
- Slow system performance with no obvious cause
- Security tools disabled or tampered with
4) Trojans and Remote Access Trojans (RATs)
A trojan is malware disguised as legitimate software. It often installs a backdoor and allows attackers to remotely control a device, steal data, and deploy additional tools.
What it looks like:
- Unknown “remote access” apps or services installed
- Webcam/mic indicators activating unexpectedly
- Unusual outbound network traffic
- Admin tools appearing that you didn’t deploy
5) Infostealers (credential and data harvesting spyware)
Infostealers are a major modern spyware class: they target browser-stored passwords, cookies, session tokens, crypto wallets, autofill data, and authentication credentials. They often arrive via phishing, fake installers, cracked software, or malicious browser extensions.
6) Rootkits and stealth spyware
Rootkits are designed to hide themselves and persist. When spyware is difficult to remove, offline scanning from a trusted environment can help.
Microsoft Defender Offline is designed to scan outside the normal Windows environment to target hard-to-remove threats like rootkits.
7) Mobile spyware and stalkerware
Mobile spyware can monitor calls, messages, location, photos, and app activity. A particularly concerning subset is stalkerware: spyware installed by someone close to the victim (partner, family member, or acquaintance) to secretly track them.
Business Victoria notes spyware/stalkerware can include both legitimate and illegitimate tools, and warns it can be used for malicious monitoring, including “zero-click” style infections in sophisticated cases.
CISA also highlights tracking technologies that can access calls/messages, location, and app activity.
If you suspect stalkerware and personal safety is a concern, prioritise safety planning and seek specialist support.
How spyware gets onto devices
Spyware commonly enters through:
- Phishing emails and social engineering (malicious links/attachments)
- Bundled “free” software (toolbars, cracked apps, fake installers)
- Malicious ads or redirects
- Compromised websites and drive-by downloads
- Malicious browser extensions
- Weak passwords / credential reuse (enabling follow-on compromise)
- Unpatched software vulnerabilities (especially on mobile and browsers)
How to identify a spyware infection (common warning signs)
Spyware can be hard to detect because it’s built to be quiet. Still, these symptoms should raise suspicion:
- Device suddenly slow or unstable
- Frequent crashes or random reboots
- Storage space disappearing unusually fast
- Security software disabled or won’t update
- New apps/services you don’t recognise
(FTC and Google both describe these as common malware indicators across devices.)
Browser symptoms
- Pop-ups and new tabs that won’t stop
- Homepage/search engine changed without permission
- Unwanted extensions reappearing
- Browser redirects to unfamiliar sites
- Password resets you didn’t request
- MFA prompts or “new login” alerts you didn’t initiate
- Emails/messages sent from you that you didn’t send
- Overheating, sudden battery drain, unusual shutdowns
- Unexpected data usage spikes
- Strange permissions granted to apps (SMS, Accessibility, Device Admin)
What to do first (before removal)
1) Disconnect from the network (Wi-Fi/Ethernet/mobile data) if possible
2) Do not enter passwords on the infected device
The ACSC warns that some malware can log keystrokes and steal any sensitive information you input. If you need to change passwords, use a known-clean device.
3) Document what you’re seeing
- Screenshots of popups/alerts
- Times, error messages, unusual activity
4) If this is a business device, treat it like an incident
Escalate to IT/security, preserve logs where possible, and don’t “wipe everything” before you’re confident you understand scope.
How to remove spyware (step-by-step)
Windows (business and personal)
Step 1: Run a reputable security scan (EDR/antivirus)
This helps limit data exfiltration and remote control.
- Update your security tool first (if safe)
- Run a full scan, quarantine/remove detected items
Step 2: Remove suspicious programs and persistence
- Check installed apps (Settings → Apps)
- Remove unknown toolbars and browser extensions
- Review startup items and scheduled tasks
- Check for unknown local admin accounts (business networks)
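The Step 2 review can be done from PowerShell without changing anything on the machine. The script below is an added example, not taken from any vendor tool or from this guide's original text; it assumes Windows 10/11 with the built-in ScheduledTasks and LocalAccounts modules and an elevated session.

```powershell
# Added example: read-only triage of common Windows persistence points.
# Nothing here deletes or disables anything; review the output before acting.

# 1. Startup items: Run/RunOnce registry values and Startup-folder shortcuts.
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Sort-Object Location, Name |
    Format-Table -AutoSize -Wrap

# 2. Enabled scheduled tasks outside the built-in \Microsoft\ tree, with the
#    program each one launches. This filter is a first pass only: a malicious
#    task can also be registered under \Microsoft\, so widen it if needed.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        foreach ($action in $_.Actions) {
            [pscustomobject]@{
                Task      = $_.TaskPath + $_.TaskName
                RunAs     = $_.Principal.UserId
                Execute   = $action.Execute      # empty for COM-handler actions
                Arguments = $action.Arguments
            }
        }
    } |
    Format-Table -AutoSize -Wrap

# 3. Members of the local Administrators group.
#    The group name is localised on non-English Windows installations.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 4. Enabled local accounts, most recent password change first, to spot
#    accounts created or reset around the time the symptoms started.
Get-LocalUser |
    Where-Object { $_.Enabled } |
    Sort-Object PasswordLastSet -Descending |
    Select-Object Name, PasswordLastSet, LastLogon, Description |
    Format-Table -AutoSize
```

On a business device, save the output alongside the screenshots and timestamps collected earlier so IT/security can compare it against a known-good build.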
Step 3: Use an offline scan for stubborn threats
If the spyware hides, repeatedly returns, or you suspect a rootkit, run Microsoft Defender Offline, which boots into a trusted environment and scans outside the normal Windows runtime.
- Remove extensions you don’t recognise
- Reset homepage/search settings
- Clear cache/cookies/site data
- Consider creating a fresh browser profile
Once the spyware is removed, scan the computer frequently with the latest version of your antivirus software. Never install programs from unauthorised sites or click on links from unknown sites and emails. If you are unable to remove spyware from your system or need any assistance with cybersecurity issues, contact us or email cybersecurity@computingaustralia.group.
Jargon Buster
Pop-up ads – A form of online advertising where a small window suddenly appears or pops up.
Safe mode – A diagnostic mode that starts Windows in a basic state, usually used to fix critical problems and remove malicious software.