Worried Your Device Is Infected?
If you've had a strange login alert, found software you didn't install, or your security tools have switched themselves off, your phone or computer may be running infostealer malware — quietly lifting every saved password and session cookie in your browser. This is a calm, step-by-step UK guide to confirming it, stopping it, and undoing the damage.
This guide is for anyone who fears their device is already infected. For background on what this malware is and how it works, see our explainer on infostealer malware. General information, not professional incident-response advice; UK contacts were reviewed in June 2026 — the linked official sources take precedence. New to this? Read what infostealers are first.
Signs Your Device May Be Infected
Infostealers are built to stay invisible, so there's rarely one obvious symptom. Treat several of these together as a strong warning.
Logins from places you've never been
Sign-in alerts or new-device notifications from a city or country you don't recognise — classic when a criminal replays a stolen session from their own machine.
Active sessions you didn't start
Your account's security page lists devices or browsers that aren't yours, or you're mysteriously signed in somewhere you never logged in.
Passwords or recovery details changed
You're locked out, or your recovery email and phone number were altered without you touching them — a sign someone is already inside.
Antivirus or updates switched off
Your security software is disabled, won't turn back on, or system updates are mysteriously blocked. Many stealers kill protection as their first move.
You installed cracked or pirated software
A 'free' version of paid software, a game cheat, a key generator or a cracked plugin is one of the most common ways infostealers get on a device.
Browser or OS security warnings
Your browser flags a malicious download, a new extension you didn't add appears, or your home page and search engine have been changed.
Friends are getting spam from you
Contacts receive messages, emails or social posts you never sent — your accounts are being used to spread scams or more malware.
Do This Now
Work through these in order. The order matters: clean the device before you trust it again, or every fix you make is stolen straight back.
Device first, password second. If the malware is still running, a brand-new password is captured the instant you type it. Get the suspect device offline before you change anything.
Don't panic and don't wipe everything in a rush. Back up important files first, and if this is a work device, stop and follow the work-device advice under 'Personal Device vs Work Device' before you do anything else.
1. Disconnect the device from the internet
Turn off Wi-Fi and unplug any network cable, or switch to aeroplane mode. This stops the malware sending more of your data out and cuts off remote control while you sort everything else from a clean device.
2. From a different, clean device, change your passwords
Use a phone or computer you trust — never the suspect one. Change your email password first: it's the master key that resets everything else. Then banking, then anything that shared a password. A password manager makes this far quicker.
3. Sign out everywhere and revoke active sessions
In each important account's security settings, choose 'sign out of all devices' or revoke active sessions. This invalidates stolen session cookies that would otherwise keep an attacker logged in even after you change the password.
4. Turn on or upgrade your two-factor — ideally passkeys
Add 2FA to email, banking and social accounts, preferring an authenticator app or hardware key over SMS. Better still, switch to passkeys where offered — there's no password left to steal. Our two-factor guide walks you through it (/en/guides/how-to-set-up-2fa).
5. Run a reputable malware scan
Once the important passwords are secured from your clean device, run a full scan with built-in protection (such as Microsoft Defender) or a well-reviewed security product, and install every pending update. A scan can remove known threats, but a clean result does not guarantee the device is safe.
6. When in doubt, back up and reinstall the operating system
A factory reset or clean reinstall of the OS is the only way to be sure a stealer is gone. Back up your documents and photos first (not programs), then wipe and reinstall. Change your passwords again afterwards, from the freshly rebuilt device.
7. Watch for fraud and SIM-swap attempts
Expect targeted scams using details the criminals now hold. Check bank and card statements, and report anything unfamiliar immediately. If your mobile suddenly loses signal for no reason, suspect a SIM-swap and contact your network at once — your bank will never ask for full passwords or one-time codes.
Why Changing Your Password Isn't Enough
This is the single most important thing to understand — and the reason most people stay exposed after they think they're safe.
Stolen session cookies bypass your password
When you log in, the site gives your browser a session cookie — a token that says 'this person is already signed in'. Infostealers grab these cookies. A criminal can load your cookie into their own browser and walk straight into your account without ever needing your password.
They bypass MFA too
Because a session cookie represents an already-authenticated session, it sidesteps two-factor authentication entirely. Turning on MFA after the cookie is stolen doesn't lock the attacker out — they were waved through before MFA ever applied.
The only real fix: revoke sessions and clean the device
Changing your password does not invalidate cookies that were already issued. You must 'sign out of all devices' to kill those sessions — and clean or rebuild the infected device so it can't simply harvest the new ones.
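The point above, modelled as a small server-side session table. This is an added example, not code from this guide or from any real service: the AccountService class and its method names are hypothetical, and it assumes, as the guide describes, a site that leaves existing sessions alone when the password changes.

```python
import hashlib, hmac, os, secrets

class AccountService:
    """Toy model of one account: password hash, MFA flag, session table."""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.mfa_enabled = False
        self.sessions = set()  # session tokens the server still honours

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, mfa_ok=True):
        """Password (and MFA, if enabled) are checked here, and only here."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return None
        if self.mfa_enabled and not mfa_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token

    def request(self, cookie):
        """Every later request is authorised by the session cookie alone."""
        return cookie in self.sessions

    def change_password(self, new_password):
        self.pw_hash = self._hash(new_password)  # issued sessions untouched

    def enable_mfa(self):
        self.mfa_enabled = True                  # issued sessions untouched

    def sign_out_everywhere(self):
        self.sessions.clear()                    # revokes every issued cookie

def walkthrough():
    svc = AccountService("old-password")
    # Constructed stand-in for a cookie copied off the infected device.
    copied = svc.login("old-password")
    results = {"before": svc.request(copied)}
    svc.change_password("new-password")
    results["after_password_change"] = svc.request(copied)
    svc.enable_mfa()
    results["after_mfa_enabled"] = svc.request(copied)
    svc.sign_out_everywhere()
    results["after_sign_out_everywhere"] = svc.request(copied)
    results["old_password_login"] = svc.login("old-password") is not None
    return results

if __name__ == "__main__":
    print(walkthrough())
```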
Personal Device vs Work Device
Who handles the clean-up depends entirely on who owns the device.
Your own personal device
You own the response. Work through the steps above yourself: get it offline, secure your accounts from a clean device, revoke sessions, scan, and reinstall the OS if there's any doubt. Take particular care over email and banking, which unlock everything else.
A work or managed device
Stop and tell your IT or security team immediately — before you change anything. Don't try to clean it yourself: they need to preserve evidence, check whether company systems were reached, and meet legal duties. Disconnecting it from the network is usually safe, but follow their instructions from there.
How Devices Get Infected
A quick recap of the usual routes in. For the full picture, see our infostealer explainer.
Malvertising
Poisoned search results and adverts push fake download pages for popular software, delivering a stealer instead of the real thing.
Cracked & pirated software
Cracks, key generators, game cheats and 'free' premium tools are bundled with malware far more often than not.
Fake updates
A pop-up insists your browser, Flash or a video codec needs updating — the 'update' is the infostealer.
Phishing attachments
An email or message attachment, or a link to a booby-trapped file, runs the malware the moment you open it.
Stop the Next One
Once you're clean, a few habits keep you that way.
Use passkeys and strong 2FA
Passkeys replace passwords with a key held by your device and unlocked by your face or fingerprint — nothing to steal or phish. Where passkeys aren't offered, use an authenticator app or hardware key.
Never install pirated software
Cracks, key generators and cheats are the number-one infection route. Stick to official app stores and the genuine vendor's website, and be wary of sponsored download links.
Keep your OS and apps updated
Automatic updates close the security holes stealers rely on. Update your operating system, browser and apps promptly, and only ever update from inside the app itself — never a pop-up.
Use a password manager
A manager generates a unique password for every account, so one stolen login can't unlock the rest, and it only fills credentials on the genuine site — quietly defeating fake-login phishing.
Where to Get Help (UK)
Official UK sources for reporting and advice.
Frequently Asked Questions
The questions people ask most when they fear their device is infected.
Will antivirus remove an infostealer?
Sometimes. A reputable, up-to-date scanner can detect and remove many known stealers, but new and customised variants slip past detection, and some disable your security before they run. Treat a clean scan as reassuring, not conclusive — if there's real doubt, reinstall the operating system.
Is a factory reset or OS reinstall enough to get rid of it?
A full factory reset or clean reinstall of the operating system is the most reliable way to remove an infostealer, because it wipes the malware along with everything else. Back up your documents first — but not programs, which could carry the infection back. Crucially, also change your passwords and sign out of all sessions, because anything stolen before the reset is already gone.
Can my phone get infected, not just my computer?
Yes. Mobile infostealers exist, usually arriving via apps installed from outside the official store ('sideloading') or malicious links. Stick to the App Store or Google Play, avoid sideloaded apps, keep the phone updated, and remove anything you don't recognise or remember installing.
They only got my password, not my 2FA code — am I safe?
Not necessarily. Infostealers usually take session cookies as well as passwords, and a stolen cookie bypasses both your password and your two-factor authentication. Change the password, then use 'sign out of all devices' to invalidate active sessions, and clean the device so the cookies can't simply be taken again.
How did the malware get on my device?
Most infections come from cracked or pirated software, fake software updates, poisoned adverts and search results (malvertising), or malicious email and message attachments. Often a single careless download is all it takes. Our infostealer explainer covers the routes in detail.
Should I tell my employer?
If the device is owned or managed by your employer, or you use it for work accounts, yes — tell your IT or security team straight away and let them lead the response. They may have legal reporting duties and need to check whether company systems were reached. Don't try to quietly clean a work device yourself.
Find Out What's Already Exposed
If a device of yours has been infected, your credentials may already be circulating. DarkStrata monitors infostealer logs, breaches and criminal marketplaces — so you can act before attackers do.