🤖 ADB Process Debugging
Advanced Forensic Analysis for Technical Users
Use Android Debug Bridge (ADB) to examine running processes, analyze network connections, detect hidden apps, and perform deep forensic examination of your Android device. This guide is for users comfortable with command-line tools.
⚠️ Advanced Users Only
This guide requires familiarity with command-line interfaces, basic Linux commands, and Android system architecture. If you're not comfortable with terminal commands, start with our beginner-friendly spyware detection guide instead.
What is ADB?
Android Debug Bridge (ADB) is a command-line tool that lets you communicate with an Android device from your computer. It provides access to:
- Shell access - Run commands directly on the device
- Process monitoring - See all running apps and services
- Network analysis - View active connections and open ports
- Log streaming - Real-time system logs (logcat)
- Package management - List, install, and remove apps
- File system access - Browse and extract files
- Screen capture - Take screenshots and record screen
🔧 What You'll Need
- Windows, Mac, or Linux computer
- USB cable (USB-C or Micro-USB)
- Android device with Developer Options enabled
- USB Debugging enabled on your Android
- Basic terminal/command-line knowledge
Step 1: Install ADB
1 Download Platform Tools
macOS (Homebrew)
# Install via Homebrew
brew install android-platform-tools
# Verify installation
adb version
Windows
# Download from Google:
# https://developer.android.com/tools/releases/platform-tools
# Extract ZIP and add to PATH, or run from extracted folder:
.\adb.exe version
Linux (Ubuntu/Debian)
# Install via apt
sudo apt update
sudo apt install adb
# Verify
adb version
2 Enable Developer Options on Android
- Go to Settings → About Phone
- Tap Build Number 7 times rapidly
- You'll see "You are now a developer!"
- Go back to Settings → System → Developer Options
- Enable USB Debugging
🔐 Security Note
USB Debugging grants significant access to your device. Only enable it when needed and disable it when done. Never authorize USB debugging on public computers or chargers.
3 Connect and Authorize
# Connect your phone via USB, then:
adb devices
# First time: You'll see "unauthorized"
# Check your phone for the authorization prompt and tap "Allow"
# Check "Always allow from this computer" if it's your personal machine
# After authorization:
adb devices
# List of devices attached
# ABC123DEF456 device
Step 2: Analyze Running Processes
4 List All Running Processes
# Get a shell on the device
adb shell
# List all running processes
ps -A
# Or with more detail (process tree)
ps -ef
# Filter for specific patterns
ps -A | grep -i "spy\|monitor\|track\|stealth"
# Exit shell
exit
Look for processes with suspicious names or ones you don't recognize. Common legitimate processes include:
- system_server - Android system
- surfaceflinger - Display compositor
- zygote - App process spawner
- com.google.* - Google services
- com.android.* - System apps
5 Monitor Process Activity in Real-Time
# Real-time process monitor (like top on Linux)
adb shell top
# Sort by CPU usage (legacy toolbox syntax; toybox top on newer Android expects a column number after -s)
adb shell top -s cpu
# Sort by memory usage
adb shell top -s rss
# Show only top 20 processes
adb shell top -n 1 -m 20
🔍 Red Flags in Process List
- Processes with random/gibberish names
- High CPU usage when phone is idle
- Processes running as root that shouldn't be
- Apps you don't recognize consuming resources

Step 3: Examine Installed Packages
6 List All Installed Apps
# List all packages
adb shell pm list packages
# List only third-party (user-installed) apps
adb shell pm list packages -3
# List system apps only
adb shell pm list packages -s
# List disabled apps (hidden but installed)
adb shell pm list packages -d
# Show package paths (where APK is stored)
adb shell pm list packages -f
# Search for suspicious patterns
adb shell pm list packages | grep -i "spy\|monitor\|track\|hidden\|stealth"
7 Get Detailed Package Info
# Get detailed info about a specific package
adb shell dumpsys package com.suspicious.app
# Check what permissions an app has
adb shell dumpsys package com.suspicious.app | grep "permission"
# See when app was installed/updated
adb shell dumpsys package com.suspicious.app | grep "firstInstallTime\|lastUpdateTime"
# Check if app can run in background
adb shell dumpsys package com.suspicious.app | grep "background"
8 Find Hidden/Disabled Apps
# List apps that are installed but hidden from launcher
adb shell pm list packages -d
# Check for apps with no launcher activity (can't be opened normally)
adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Compare against all installed packages to find hidden ones
adb shell pm list packages -3 > all_apps.txt
adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER > launcher_apps.txt
# Diff the two files to find hidden apps (reduce both to bare package names first; the two commands print different formats)
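The two files saved above cannot be compared line by line, because `pm list packages` prints `package:name` while `query-activities --brief` prints component names. The script below is an added example, not part of the original guide: it reduces both files to bare package names and prints third-party packages that have no launcher activity. The `--brief` line layout it parses is an assumption, and the `com.example.*` sample data is constructed.

```shell
#!/bin/sh
# Added example: third-party packages with no launcher activity,
# i.e. installed apps that show no icon in the app drawer.

# `pm list packages` prints "package:com.foo"; keep the bare name.
# tr strips the carriage returns adb adds on some hosts.
packages_from_pm() {
  tr -d '\r' | sed -n 's/^package://p' | LC_ALL=C sort -u
}

# Assumed --brief layout: component lines such as "  com.foo/.MainActivity"
# interleaved with "priority=..." lines, which the pattern does not match.
packages_from_launcher() {
  tr -d '\r' | sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]\{1,\}\)\/.*/\1/p' |
    LC_ALL=C sort -u
}

# $1 = saved `pm list packages -3` output (all_apps.txt)
# $2 = saved query-activities output (launcher_apps.txt)
hidden_packages() {
  work=$(mktemp -d) || return 1
  packages_from_pm < "$1" > "$work/installed"
  packages_from_launcher < "$2" > "$work/launchable"
  # comm -23 keeps lines found only in the first file.
  LC_ALL=C comm -23 "$work/installed" "$work/launchable"
  rm -rf "$work"
}

# Constructed sample data so the logic can be checked without a device.
demo() {
  d=$(mktemp -d) || return 1
  printf 'package:%s\r\n' com.example.notes com.example.syncservice \
    com.example.chat > "$d/all_apps.txt"
  printf '%s\n' \
    'priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false' \
    '  com.example.chat/.MainActivity' \
    '  com.example.notes/com.example.notes.ui.Home' \
    '  com.android.settings/.Settings' > "$d/launcher_apps.txt"
  hidden_packages "$d/all_apps.txt" "$d/launcher_apps.txt"
  rm -rf "$d"
}

# Live use, after saving the two files as shown above:
#   hidden_packages all_apps.txt launcher_apps.txt
```

A package without a launcher entry is a lead to follow up with `dumpsys package`, not proof of stalkerware; keyboards and widget-only apps appear in this list too.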
Step 4: Network Analysis
9 View Active Network Connections
# Show all network connections
adb shell netstat -an
# Show connections with process IDs
adb shell netstat -anp
# Show only established connections
adb shell netstat -an | grep ESTABLISHED
# Show listening ports (services waiting for connections)
adb shell netstat -an | grep LISTEN
# Alternative: use ss command (newer)
adb shell ss -tunap
🔍 Suspicious Network Activity
- Connections to unknown IP addresses
- Connections on unusual ports (not 80, 443)
- Constant outbound connections when phone is idle
- Connections to IPs in unexpected countries
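To apply the "unusual ports" check above without reading the whole table by eye, the following added example (not part of the original guide) filters saved `netstat -an` output down to ESTABLISHED TCP connections whose remote port is neither 80 nor 443. It assumes the usual six-column netstat layout; the addresses in the sample are constructed documentation ranges.

```shell
#!/bin/sh
# Added example: flag ESTABLISHED TCP connections whose remote port
# is not 80 or 443.

# Reads `netstat -an` text on stdin, prints "remote_address remote_port".
# Assumed columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
unusual_established() {
  tr -d '\r' | awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      n = split($5, part, ":")   # the port follows the LAST colon,
      port = part[n]             # so IPv6 addresses are handled too
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (port != "80" && port != "443") print addr, port
    }'
}

# Constructed sample output so the filter can be checked without a device.
demo_netstat() {
  cat <<'EOF' | unusual_established
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:43210        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:51876        203.0.113.25:8443       ESTABLISHED
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp6       0      0 2001:db8::10:40112      2001:db8::beef:5228     ESTABLISHED
udp        0      0 192.0.2.10:68           192.0.2.1:67
EOF
}

# Live use:
#   adb shell netstat -an | unusual_established
```

Push-messaging and mail clients legitimately use other ports, so treat the output as a list of addresses to look up rather than a verdict.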
10 DNS and Routing Information
# Check DNS servers being used
adb shell getprop net.dns1
adb shell getprop net.dns2
# View routing table
adb shell ip route
# Check for VPN connections
adb shell ifconfig | grep -A5 "tun\|tap\|ppp"
# List all network interfaces
adb shell ip link show
Step 5: System Logs (Logcat)
11 Stream Real-Time Logs
# Stream all system logs
adb logcat
# Filter by priority (V=Verbose, D=Debug, I=Info, W=Warn, E=Error)
adb logcat *:W
# Filter by specific tag
adb logcat -s "ActivityManager"
# Search for suspicious keywords
adb logcat | grep -i "location\|gps\|microphone\|camera\|keylog"
# Save logs to file
adb logcat -d > android_logs_$(date +%Y%m%d).txt
12 Analyze Specific Events
# Check for location access
adb logcat -d | grep -i "LocationManager\|requestLocationUpdates"
# Check for camera/microphone access
adb logcat -d | grep -i "CameraService\|AudioRecord\|MediaRecorder"
# Check for SMS access
adb logcat -d | grep -i "SmsManager\|SMS_RECEIVED"
# Check for contact access
adb logcat -d | grep -i "ContactsProvider"
# Check for app installations
adb logcat -d | grep -i "PACKAGE_ADDED\|PACKAGE_INSTALLED"
Step 6: File System Analysis
13 Browse Device Storage
# List files in common locations
adb shell ls -la /sdcard/
adb shell ls -la /sdcard/Download/
adb shell ls -la /sdcard/DCIM/
# Find recently modified files (last 24 hours)
adb shell find /sdcard/ -mtime -1 -type f 2>/dev/null
# Find hidden files/folders (starting with .)
adb shell find /sdcard/ -name ".*" 2>/dev/null
# Check app data directories (requires root for full access)
adb shell ls -la /data/data/
14 Extract Files for Analysis
# Pull a specific file to your computer
adb pull /sdcard/suspicious_file.txt ./
# Pull entire directory
adb pull /sdcard/Download/ ./android_downloads/
# Create a backup of app data (if allowed)
adb backup -apk -shared -all -f android_backup.ab
# Extract APK of a suspicious app
adb shell pm path com.suspicious.app
# Then pull the APK path shown
adb pull /data/app/com.suspicious.app-1/base.apk ./suspicious.apk
Quick Reference: Essential ADB Commands
| Command | Purpose |
|---|---|
| adb devices | List connected devices |
| adb shell | Open interactive shell |
| adb shell ps -A | List all processes |
| adb shell pm list packages -3 | List user-installed apps |
| adb shell netstat -anp | Show network connections |
| adb logcat | Stream system logs |
| adb shell dumpsys battery | Battery stats (detect drain) |
| adb shell dumpsys location | Location service info |
| adb shell settings list secure | Security settings |
| adb uninstall com.package.name | Remove an app |
What to Do If You Find Something
🔴 Found Spyware or Stalkerware
- Document everything - Save logs, take screenshots
- Do NOT alert the installer - They may escalate
- Contact a domestic violence hotline if applicable: 1-800-799-7233
- Uninstall the app:
adb uninstall com.spyware.package
- Consider a factory reset for complete removal
- Change all passwords from a different, secure device
🟡 Found Suspicious App You Don't Recognize
- Research the package name online
- Check when it was installed:
adb shell dumpsys package [name] | grep firstInstall
- Review its permissions
- If suspicious, disable it:
adb shell pm disable-user [package]
- Or uninstall:
adb uninstall [package]
🟢 Everything Looks Clean
- Great! But stay vigilant
- Run these checks periodically (monthly)
- Keep Android and apps updated
- Disable USB Debugging when not in use
- Review our other security guides
Additional Tools
| Tool | Purpose | Link |
|---|---|---|
| scrcpy | Mirror Android screen to computer | GitHub |
| PCAPdroid | Capture network traffic on-device | GitHub |
| MVT (Mobile Verification Toolkit) | Pegasus/spyware detection | GitHub |
| Wireshark | Analyze captured network traffic | Download |
| jadx | Decompile APKs for analysis | GitHub |
💡 Pro Tip: Create a Baseline
Run these commands on a freshly reset device and save the output. Then compare against your current device to spot differences. This makes it much easier to identify apps or processes that shouldn't be there.
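# Save baseline (sorted, so later diffs show only real changes)
adb shell pm list packages -3 | sort > baseline_apps.txt
adb shell ps -A > baseline_processes.txt
# Later, capture the current state and compare
adb shell pm list packages -3 | sort > current_apps.txt
diff baseline_apps.txt current_apps.txt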
