Google Tracks and Scans Everything on Your Android Device

Every Android user has used the Google Play Store at some point, but what you might not know is that the Play Store app has a background service that is constantly running in the background. This background process is called “Google Play Services,” and it has access to everything on your phone.

It’s a Bridge

Imagine you’re developing a travel app, and you need to program a way to display weather forecasts within the app. Your first thought might be that you’d have to code this feature from scratch. Somehow build a real-time database of weather forecasts (temperature, humidity, wind speed, rain gauges, and so on). Make sure it’s updated and accurate. Use the device’s sensor data to estimate the location, then build a complex algorithm to process everything. Note that you’ll need sophisticated meteorological models to match the consistency and quality of the weather updates people are used to. That’s too much work for one developer.

The good news is, we don’t need to do all this work because someone has already done it. There are companies which already invest a lot of time and data building weather databases, sophisticated algorithms, and delivering the processed weather updates. All we have to do is send them a request for the data we want, and just display their response within the app. We’d have a system become an interface between our app and theirs. This is an Application Programming Interface, or an API. The “application” part of that is obviously the app, and the “programming interface” is an interface as opposed to a “user interface” because it’s just two programs talking to each other without user access.

That’s basically what Google Play Services is. It’s a bundle of different APIs that lets Android apps access Google features, just like we could access weather features with a weather API in our app development scenario.

You might have noticed that apps often have a button that lets you sign in with a Google account. A lot of Android games show a little Google Play Services toast with an auto-generated username that links to achievements, saved games, and leaderboards. Sometimes, you get a Play Protect warning that it detected a malicious app on your device. All those features rely on Google Play Services. Those are usually the features you get to see, but most are hidden from the user.

Just like Google login, apps can also access location, run mobile ads, process payments, and even push notifications with Google Play Services APIs.

It Works Like a System App Without Being a System App

Google Play Services doesn’t show up in the app drawer, but it is always running in the background, and it doesn’t need any permission from the user. It gets all the permissions by default, it doesn’t show up in the launcher, and you can’t remove it. It’s constantly running in the background and runs without battery optimization restrictions. All of that makes it sound like a system app, except it’s not.

I tried disabling it, and almost instantly I started getting bombarded with alerts to enable Google Play Services. I couldn't open any Google apps, and non-Google apps, like Asana, my banking apps, and even Airbnb stopped working. Google kept spamming the same notifications over and over, every 10 seconds and annoyed me into re-enabling the services.

That’s a unique position for a user-space app because no other app has system-level access. Google pushes security patches and updates via Play Services independent of the full Android OS updates.

Google Play Services is Exempt From Android’s Privacy Restrictions

With Android 10, Google introduced a security feature called “scoped storage.” In previous versions of Android, an app with storage access could access every file on the device. Scoped storage tightened access and apps could only access relevant directories in isolation, not the entire storage space.

Older versions of Android would give free access to call logs and call metadata. Any app could track who you called, when, for how long, and how often. As you can imagine, that’s an incredibly sensitive permission, so in modern versions of Android, the OS heavily restricts which apps can see the call logs. Pretty much only dialer and contact apps can access it.

The point I’m trying to make is this: Android has introduced a lot of excellent privacy features over the years, but there is one process in the user space which is exempt from those restrictions, and that’s the Play Store Services. It has absolutely no restrictions on it.

You can see the permissions section is greyed out, and the app has default access to every sensor (including my microphone, call logs, body sensors, camera, and nearby devices) and data point available. You can't revoke any of these. Location is allowed all the time and I can see that it accesses my location every couple of minutes.

The Play Store Services process has access to your precise location at all times, the motion sensors, networks, hardware identifiers (including IMEI), contacts, passwords, the entire storage space, call logs, access to other apps’ data, and more. It even constantly scans your device for malware.

It’s Why You Can’t De-google Your Phone

In tech enthusiast circles, there’s been a movement on the rise in recent years that’s all about cutting Google out of people’s lives. A big part of the movement is removing Google from Android phones—that’s what de-googling a phone means.

On paper, it sounds pretty straightforward because you could simply just remove all Google apps from the phone, YouTube, Gemini, Maps, and so on, and be done with it. In practice, however, it’s incredibly complicated. You can’t uninstall many of the Google apps because they run on elevated privileges, and you need superuser or root access to remove them. The most you can do is disable those apps with ADB tools. Even if you go through that tedious process, there is one thing that you cannot get rid of, and that is Google Play Services. Even after removing all Google apps from your device, the Play Services processes will continue running in the background.

Even if you could remove them somehow by rooting your phone, removing Play Services will most certainly break a lot of apps you use every day. Remember I mentioned how Android app developers rely on Google Play Services APIs to make their apps work. Google Ads, Firebase notifications, Google Play, Google sign-in, integrity checks for banking apps break without active Google Play Services running in the background.

The point is this: you cannot cut out Google Play Services without hamstringing your phone in a serious way. De-googled phones exist, but they’re rooted or using a custom firmware. Usually, these phones spoof Google Play Services, replacing that layer with something called MicroG.

---

Google Play Service has more access than any other app purely by design. It’s how Google constantly tracks, scans, and profiles your Android device with basically without giving you any control or visibility over that activity.