Security Tips · 10 min read

7 Signs Your Phone Was Hacked (And What to Do Right Now)

Most people don't realize their phone has been compromised until it's too late. These are the warning signs — and the immediate steps to take if you suspect a breach.


Your phone knows everything about you. Your passwords, your banking, your emails, your location, your photos. If someone gains access to it — even silently, in the background — the consequences can be severe.

The terrifying part: most people whose phones have been compromised don't know it. Attackers prefer it that way. But there are signs, if you know what to look for.

7 Warning Signs Your Phone May Be Compromised

1. Battery Drains Unusually Fast

Malware runs in the background constantly — monitoring your activity, transmitting data, and executing commands. All of that takes power. If your battery life has noticeably shortened without any change in how you use your phone, it could be malware running silently in the background.

📱 Normal check first: Before assuming the worst, check which apps are consuming battery in Settings. If you see an unfamiliar app using significant battery, that's a red flag.

On iOS, go to Settings → Battery and scroll down to see per-app battery usage over the last 24 hours and 10 days. Look for apps listed under "Background Activity" that you don't recognize or rarely use. On Android, go to Settings → Battery → Battery Usage. Android gives you a more granular breakdown, including system-level processes — if something labeled as a system service is consuming an outsized share of power, that warrants further investigation.

The key comparison point isn't a single bad day — it's a trend. If your phone used to last all day and now dies by noon without a change in usage habits, that sustained shift is the signal. Spyware like Pegasus and commercial stalkerware packages have both been documented causing accelerated battery drain because they run persistent background processes to capture audio, log keystrokes, and periodically push data back to a remote server.

2. Your Phone Gets Hot When You're Not Using It

Phones generate heat when they're working hard. If your phone feels warm when it's sitting idle on your desk, something is running in the background. Spyware, cryptomining malware, and botnet software are all known causes of unexplained device heat.

There's a meaningful difference between a phone that heats up during heavy use — navigation, video streaming, gaming — and one that feels warm when face-down on a table, screen off, doing nothing. The latter is the suspicious scenario. On iOS, unexpected heat alongside increased background activity can sometimes be traced using Screen Time's background activity data. On Android, third-party apps like CPU-Z can reveal which processes are actively running and consuming processor cycles.

Cryptomining malware is a particularly common cause. Attackers compromise phones and recruit them into mining pools, using your CPU and battery to generate cryptocurrency for someone else. The malware runs hardest when your phone is charging and idle — which is exactly when you're least likely to notice the heat. If your phone runs warm all night while plugged in, take that seriously.

3. Unexpected Charges on Your Phone Bill

Some types of malware — particularly "toll fraud" malware — silently send premium SMS messages or subscribe to paid services without your knowledge. Check your phone bill for charges you don't recognize. Even small recurring charges of a few dollars can signal a compromise.

Toll fraud malware has been a persistent problem on Android specifically, because the platform allows SMS-sending permissions that malware can abuse. Google's Play Protect and Android 13+ have added restrictions, but older devices running outdated OS versions remain vulnerable. This category of malware often works by silently subscribing you to premium SMS services controlled by the attacker, collecting small fees monthly to avoid triggering fraud alerts. On iOS, unexpected charges are more likely to show up in your App Store subscription list as in-app purchases or subscriptions you don't remember authorizing.

Make it a habit to review your full itemized phone bill every month. Pay special attention to the "Third-Party Charges" or "Premium Services" sections, which carriers are required to itemize. If you see anything unfamiliar, call your carrier immediately and request a block on all third-party charges — most carriers can do this for free.

4. Apps You Didn't Install Appear on Your Device

If you notice apps you didn't download, this is one of the clearest signs of a compromise. Some malware installs additional software to expand its capabilities or maintain persistence on your device. Check your installed apps list and remove anything you don't recognize.

On Android, the threat is more direct — malware can download and silently install APK files with the right permissions enabled. This is particularly common on devices where "Install Unknown Apps" has been enabled, even once, for a legitimate purpose like sideloading a streaming app. Once that setting is on, malware already on the device can use it to install additional tools. Go to Settings → Apps and sort by install date to see what's been added recently. Anything installed on a date you don't remember is worth investigating.

On iOS, unauthorized app installation requires either a jailbroken device or exploitation of Apple's enterprise certificate system — where attackers distribute apps outside the App Store using enterprise developer certificates. If you see apps on your iPhone with a trust prompt you don't remember approving, or apps that don't appear in the App Store at all, your device may have been compromised at a deeper level. Jailbreaking specifically removes the kernel-level protections that make iOS resistant to malware.

5. Unusual Data Usage Spikes

Spyware and surveillance malware regularly transmit data back to attackers — your messages, your contacts, your location, your photos. This background data transmission shows up in your mobile data usage. Check your data usage in Settings and look for apps consuming large amounts of data that shouldn't need it.

On iOS, go to Settings → Cellular and scroll down to see per-app data usage since the last reset. Pay particular attention to apps listed under "System Services" — legitimate system processes shouldn't be consuming gigabytes of data. On Android, go to Settings → Network → Data Usage → Mobile Data Usage. Android lets you see both foreground and background data consumption — spyware almost always appears in the background column because it operates without any visible interface.

A helpful benchmark: a typical spyware installation transmits compressed data packets containing screenshots, audio snippets, and location pings. These transmissions are designed to be small to avoid detection, but they still add up. If an app you barely use has consumed hundreds of megabytes of background data in a month, that's a significant red flag — especially if it's an app that has no legitimate reason to communicate over the network at all.

6. Your Accounts Have Unusual Activity

Password changes you didn't make, login notifications from unfamiliar locations, emails or messages sent from your account that you didn't send — these are signs that someone has access to your credentials. This can happen when malware captures your passwords as you type them.

Keyloggers are a particularly dangerous form of mobile malware because they capture everything typed on the keyboard — usernames, passwords, credit card numbers, search queries — and transmit that data to the attacker. On Android, malicious keyboards can be installed and set as the default input method, giving them access to every keystroke across every app. If you notice your keyboard has changed or you see an unfamiliar keyboard listed in Settings → General Management → Keyboard, investigate immediately.

Watch for secondary indicators beyond direct login alerts. Unexpected password reset emails for accounts you haven't tried to access, contacts asking why you sent them strange messages or links, and social media posts you don't remember making all suggest credential theft is already underway. Set up login alerts on your most important accounts now — before you suspect a problem — so any unauthorized access triggers an immediate notification.

7. The Device Behaves Strangely

Apps crashing unexpectedly, your phone rebooting on its own, the screen turning on when it shouldn't, or the camera or microphone activating unexpectedly — these can all be signs of unauthorized access or malware activity.

On iOS 14 and later, orange and green indicator dots appear at the top of the screen when the microphone or camera is being accessed by an app. If you see these indicators when you haven't opened any camera or voice app, something is accessing those sensors without your explicit action. Check the Privacy → Camera and Privacy → Microphone menus to see which apps have recently accessed those sensors. On Android 12 and later, a similar green indicator appears in the top-right corner. If you see it while your phone appears idle, go to Settings → Privacy → Privacy Dashboard for a log of recent sensor access.

Spontaneous reboots deserve particular attention. Sophisticated malware sometimes reboots a device to apply system-level changes or after exploiting a vulnerability that destabilizes the OS. If your phone reboots on its own — especially multiple times in a short period — without an OS update or overheating as an explanation, that's worth taking seriously. Similarly, if your screen illuminates repeatedly at night while charging with no notifications arriving, background processes are waking the device.

Less Obvious Signs You Might Miss

The seven signs above are relatively well-known. But experienced attackers design their tools to minimize obvious symptoms. Here are subtler indicators that often go unnoticed for months.

Autocomplete Suggests Websites You Never Visited

Your phone's browser maintains a history of every site you've visited, and that history feeds the autocomplete suggestions in your address bar. If autocomplete is suggesting websites — particularly banking sites, webmail providers, or financial platforms — that you've never visited yourself, someone else may have been using your browser. This can happen when a remote access tool (RAT) is giving an attacker live control of your browser session, or when a browser hijacker has been silently opening pages in the background.

On both iOS Safari and Android Chrome, you can view your full browsing history and clear it. After clearing, monitor over the next week whether unfamiliar URLs reappear in your history without your visits. Also check your browser's saved passwords and autofill data — attackers who gain brief physical access to a phone will sometimes save their own credentials in your browser's password manager to facilitate future access.

Your Contacts Report Receiving Strange Messages from You

When a friend texts you asking about a link you sent them — one you have no memory of sending — that's one of the most reliable indicators of account compromise. Malware with access to your messaging apps can send phishing links, scam messages, or malicious attachments to everyone in your contact list, spreading itself further while using your trusted identity to lower your contacts' defenses.

This is particularly common with messaging apps that have been granted broad permissions. WhatsApp, iMessage, and SMS are all potential vectors. If this happens, act immediately: change your passwords for all messaging platform accounts, revoke third-party app access to those accounts, and warn your contacts not to open any recent links they received from you. Check your sent messages folder on every platform — if messages are being sent and then deleted, that's a sign of a sophisticated attacker covering their tracks.

Your Phone Takes Longer Than Usual to Shut Down

When you power off your phone, the OS sends a shutdown signal to all running processes and waits for them to terminate gracefully before cutting power. If malware is running and attempting to maintain persistence, it may resist the shutdown sequence — causing the device to take significantly longer than normal to power off. You might notice the shutdown spinner running for 30 to 60 seconds or longer on a device that normally shuts down in under 10 seconds.

This is particularly relevant for Android devices, where background services can hold wake locks that delay shutdown. If your phone consistently takes an unusually long time to power off, try booting into Safe Mode — which disables all third-party apps — and see if shutdown time normalizes. If it does, a third-party app is the likely culprit. On iOS, a delayed shutdown may indicate a process exploiting system-level privileges, which is a more serious indicator requiring further investigation.

New Email Rules or Filters You Didn't Create

Email account access is often the first thing an attacker secures after compromising your credentials, because email is the recovery method for almost everything else. A sophisticated attacker won't just read your email — they'll create forwarding rules or filters that silently copy every incoming message to an external address, or automatically delete security alerts and password reset emails before you see them.

Log into your email account on a desktop browser and go directly to Settings → Filters and Rules (Gmail), Rules (Outlook), or the equivalent for your provider. Look for any rules you don't recognize. Pay particular attention to rules that forward messages externally, mark messages as read automatically, or delete messages matching specific keywords like "password reset," "security alert," or "verification." These are hallmarks of an attacker trying to maintain invisible access while preventing you from noticing unauthorized logins.
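
The same review can be done over an exported rule list. This is an added example, not CyberFence code: it assumes rules in the shape of the Gmail API filter resource (`criteria`, plus `action` with `addLabelIds`, `removeLabelIds` and `forward`), and the sample filters, addresses and function names are constructed for illustration.

```python
import re

# Assumption: domains the account owner controls; any other forward target is external.
OWN_DOMAINS = {"example.com"}

# The three keywords named in the article.
SECURITY_TERMS = re.compile(r"password reset|security alert|verification", re.I)


def is_external(address):
    """True when the forwarding address is outside the owner's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS


def audit_filter(rule):
    """Return finding codes for one filter (Gmail API filter shape assumed)."""
    criteria = rule.get("criteria", {})
    action = rule.get("action", {})
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    findings = []

    # Pattern 1: mail is silently copied to an address outside the account.
    forward = action.get("forward")
    if forward and is_external(forward):
        findings.append("external-forward")

    # Pattern 2: security mail is deleted (TRASH added) or kept out of the
    # inbox (INBOX removed) before the owner can see it.
    hides = "TRASH" in added or "INBOX" in removed
    matched_text = " ".join(str(criteria.get(k, "")) for k in ("subject", "query"))
    if hides and SECURITY_TERMS.search(matched_text):
        findings.append("suppresses-security-mail")

    # Pattern 3: mail is marked read automatically (UNREAD removed).
    if "UNREAD" in removed:
        findings.append("auto-mark-read")
    return findings


def audit_all(filters):
    """Map filter id -> findings, listing only filters that need review."""
    report = {}
    for rule in filters:
        findings = audit_filter(rule)
        if findings:
            report[rule["id"]] = findings
    return report


# Constructed sample data: not taken from any real account.
SAMPLE_FILTERS = [
    {"id": "f1",
     "criteria": {"from": "news@shop.example"},
     "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2",
     "criteria": {"to": "me@example.com"},
     "action": {"forward": "archive.copy@mailbox.invalid"}},
    {"id": "f3",
     "criteria": {"subject": 'password reset OR "security alert" OR verification'},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["UNREAD"]}},
    {"id": "f4",
     "criteria": {"from": "bank@bank.example"},
     "action": {"forward": "me+backup@example.com"}},
]

if __name__ == "__main__":
    for filter_id, findings in audit_all(SAMPLE_FILTERS).items():
        print(filter_id, ", ".join(findings))
```

A finding is a prompt to check whether you created the rule yourself; a mark-as-read rule you set up on purpose is harmless.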

How Long Has Your Phone Been Compromised?

One of the most uncomfortable realities of mobile device compromise is how long it typically goes undetected. Security researchers have consistently found that the average time between initial compromise and detection — known as "dwell time" — exceeds 200 days for mobile devices. That means an attacker can be silently monitoring your phone for more than six months before you notice anything wrong.

Why so long? Modern mobile malware is engineered specifically to be invisible. It limits battery consumption during active hours, compresses transmitted data to stay under detection thresholds, and mimics the behavior patterns of legitimate apps. Commercial spyware vendors market their products to customers — whether corporate IT teams, government agencies, or abusive partners — on the basis of their ability to remain hidden indefinitely. The longer the malware stays undetected, the more data it collects.

Early detection matters enormously. A compromise caught in week one means the attacker has collected a week of your messages, location data, and keystrokes. A compromise caught after six months means they've had half a year of continuous access to everything you do on your phone — every password entered, every conversation had, every account accessed. The damage from a long-running compromise is exponentially harder to contain because you can't be sure which accounts are affected, which passwords were captured, or what the attacker has already done with the data.

This is why periodic proactive scans matter even when nothing seems wrong. Running a security scan monthly — not just when something feels off — is the difference between catching a compromise at week two and discovering it at month seven.

Different Types of Phone Hacks and How They Happen

Not all phone compromises work the same way. Understanding what type of attack you may be dealing with helps you respond appropriately and understand the full scope of the risk.

Spyware (Monitoring Without Your Knowledge)

Spyware is software designed to observe and report on your activities without your awareness. It typically captures some combination of your messages, call logs, contacts, GPS location, browser history, and in some cases, ambient audio and video. Spyware is delivered through phishing links, malicious apps, or — in cases involving sophisticated nation-state tools like Pegasus — zero-click exploits that require no interaction from the target at all.

Commercial spyware is a legal gray area. Products like FlexiSpy and mSpy are marketed to parents monitoring children or employers monitoring corporate devices, but they're frequently misused. The defining feature of spyware is that it operates invisibly — there is no indication to the device owner that it's running. Once installed, it typically survives reboots and app updates, and on Android devices it may be installed as a system app to survive factory resets performed through the standard Settings menu.

Stalkerware (Domestic Abuse Situations)

Stalkerware is a category of spyware specifically used in the context of intimate partner surveillance. It's installed by an abusive partner, ex-partner, or family member who has had brief physical access to the device — often with the knowledge of the PIN or biometric lock. Unlike corporate spyware, stalkerware is explicitly designed for covert surveillance of individuals in personal relationships.

If you suspect stalkerware, the response requires care beyond the technical. Removing stalkerware from a device can alert the person who installed it, which can escalate danger in abusive situations. Organizations like the National Domestic Violence Hotline (1-800-799-7233) have trained advocates who can advise on safe next steps that prioritize your physical safety alongside your digital security. The Coalition Against Stalkerware (stopstalkerware.org) maintains a list of certified support organizations. From a technical standpoint, if it's safe to do so, a factory reset performed after moving to a new device is the most complete solution.

Ransomware on Mobile

Mobile ransomware encrypts files on your device or locks your phone entirely, demanding payment — typically in cryptocurrency — to restore access. While ransomware is far more prevalent on desktop computers, mobile variants exist and have grown more sophisticated. Android devices are more commonly targeted than iOS because of the platform's openness to third-party apps, but iOS ransomware has been distributed through malicious configuration profiles.

Mobile ransomware often arrives disguised as utility apps — a QR code reader, a PDF viewer, or a fake security app — downloaded from outside official stores or from a store that passed initial review before the malicious code was activated remotely. If your phone displays a ransom demand or suddenly becomes locked with an unfamiliar PIN, do not pay. Contact your carrier, perform a factory reset, and restore from a clean backup predating the infection. Paying ransoms does not guarantee you'll regain access and funds the criminals to continue.

Remote Access Tools (RATs)

Remote Access Tools are among the most dangerous forms of mobile malware because they give an attacker live, interactive control over your device. Rather than passively collecting data, a RAT lets the attacker see your screen in real time, tap on apps, read your messages as they arrive, and operate your phone as if they were holding it. Some advanced RATs can even activate the camera and microphone on demand for real-time audio and video surveillance.

RATs on mobile are typically delivered through sophisticated phishing attacks or through malicious apps that request accessibility permissions — which are powerful enough to observe and interact with everything on screen. On Android, a request for Accessibility Services from any app that doesn't have an obvious accessibility purpose is a major red flag. On iOS, RATs are limited by the platform's sandboxing architecture unless the device is jailbroken. If you suspect a RAT, treat it as a severe compromise: change all passwords from a separate device, contact your financial institutions, and perform a complete factory reset.

What to Do Right Now If You Suspect a Hack

Step 1: Run a Security Scan

CyberFence's Smart Scan checks your device for key security indicators: whether your Web Shield is active, device lock status, OS version, and whether the device has been jailbroken or rooted. Run this immediately. The scan takes under two minutes and provides a clear security posture snapshot — including flags for conditions commonly associated with compromise, like a disabled lock screen, an outdated OS, or detected jailbreak status.

Don't skip this step in favor of manual investigation alone. Automated scanning checks for dozens of indicators simultaneously and is faster than manually working through settings menus. The results also give you a documented baseline — useful if you later need to report the incident to your carrier, employer, or law enforcement.

Step 2: Change Your Most Important Passwords

Immediately change passwords for: email accounts, banking and financial apps, social media, and any account with payment information stored. Do this from a different device if possible, in case your phone's keyboard has been compromised. Use a trusted computer rather than another mobile device if one is available.

When resetting passwords, use the opportunity to upgrade to strong, unique passwords for every account — a 16+ character random string generated by a password manager is ideal. Never reuse passwords across accounts. If a keylogger has been capturing your keystrokes, every reused password is compromised the moment one is. Prioritize accounts in this order: primary email (because it's the recovery path for everything else), financial accounts, work accounts, social media, and everything else.

Step 3: Enable Two-Factor Authentication

Even if an attacker has your password, 2FA prevents them from accessing your accounts without physical access to your secondary device. Enable it on every account that supports it — email first, banking second, everything else after.

Prefer an authenticator app (like Google Authenticator or Authy) over SMS-based 2FA wherever possible. SMS 2FA is vulnerable to SIM swapping — where an attacker convinces your carrier to transfer your phone number to their SIM card, giving them access to all your SMS-delivered verification codes. Hardware security keys (like YubiKey) provide the strongest form of 2FA and are worth using for your most critical accounts. After enabling 2FA, download and securely store your backup codes in a location separate from your phone.

Step 4: Review App Permissions

Go to Settings → Privacy (iOS) or Settings → Apps (Android) and review which apps have access to your camera, microphone, location, contacts, and messages. Revoke any permissions that seem excessive or that you don't recognize. This is also the moment to uninstall any apps you don't use or don't recognize.

On iOS, the Privacy & Security menu groups permissions by type — you can see every app that has ever requested camera access in one view, which makes it easy to spot anomalies. On Android, the Permission Manager under Settings → Privacy provides the same capability. Pay particular attention to apps with both location access and microphone or camera access — that combination in a non-obvious app (a flashlight app, a calculator, a keyboard) is a serious red flag. Also review which apps have Accessibility Services enabled on Android, as that permission provides near-total device control.
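
For Android, the checks from sign 4 (apps installed outside the store), sign 6 (an unfamiliar default keyboard) and the Accessibility Services review above can be combined into one triage pass over text captured with `adb`. This is an added example, not CyberFence code: the captured output below is constructed, the package names are hypothetical, and the trusted-installer list is an assumption you should extend with your device maker's store.

```python
import re

# Captured beforehand on a computer with USB debugging enabled:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure default_input_method

# Assumption: only Google Play counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_packages(text):
    """Map third-party package name -> installer package (or 'null')."""
    apps = {}
    for line in text.splitlines():
        match = PKG_LINE.match(line.strip())
        if match:
            apps[match.group(1)] = match.group(2)
    return apps


def component_packages(value):
    """Package names from a colon-separated list of 'package/Class' components."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [part.split("/", 1)[0] for part in value.split(":") if part]


def triage(packages_out, accessibility_out, ime_out):
    """Return {package: [reasons]} for third-party apps that deserve a look."""
    apps = parse_packages(packages_out)
    report = {}
    for pkg, installer in apps.items():
        if installer not in TRUSTED_INSTALLERS:
            report.setdefault(pkg, []).append("sideloaded")
    # System components are not in the -3 listing, so they are skipped here.
    for pkg in component_packages(accessibility_out):
        if pkg in apps:
            report.setdefault(pkg, []).append("accessibility-service")
    for pkg in component_packages(ime_out):
        if pkg in apps:
            report.setdefault(pkg, []).append("default-keyboard")
    return report


def high_priority(report):
    """Sideloaded apps that also hold a sensitive role: review these first."""
    return sorted(p for p, why in report.items()
                  if "sideloaded" in why and len(why) > 1)


# Constructed sample output: hypothetical package names.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:org.example.streamplayer  installer=com.google.android.packageinstaller
package:com.example.flashlight.pro  installer=null
package:com.example.passwords  installer=com.android.vending
package:com.example.fancykeys  installer=null
"""
SAMPLE_ACCESSIBILITY = ("com.example.passwords/.AutofillService:"
                        "com.example.flashlight.pro/.HelperService")
SAMPLE_IME = "com.example.fancykeys/.KeyboardService"

if __name__ == "__main__":
    result = triage(SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY, SAMPLE_IME)
    for pkg, why in result.items():
        print(pkg, ", ".join(why))
    print("review first:", high_priority(result))
```

A store-installed app with an accessibility service, such as a password manager, is listed for review but not ranked as high priority.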

Step 5: Update Your OS

Many attacks exploit known vulnerabilities in older operating system versions. Install the latest iOS or Android update immediately. This patches known security holes that attackers may be using. Security patches are released separately from feature updates and should be applied as soon as they're available — not weeks later.

If your device is too old to receive OS updates, that's a significant and ongoing security risk. Both Apple and Google publish end-of-life dates for device support. Devices that no longer receive security updates should be replaced, because known vulnerabilities in those devices accumulate publicly over time and become easier — not harder — for attackers to exploit. Running a security app like CyberFence can partially compensate, but it cannot fully replace OS-level patches.

Step 6: Factory Reset (If Necessary)

If you believe your phone has been deeply compromised, a factory reset is the most reliable way to remove malware. Back up your data first, then perform a full reset. Don't restore from a backup that predates the suspected hack — restore your contacts and photos, but reinstall apps fresh from the official app store rather than restoring from a full backup, which may contain the malware itself.

On Android, some sophisticated malware installs itself as a system app in a partition that survives a standard factory reset. If you've performed a factory reset and the suspicious behavior returns, consider flashing the device's firmware using the manufacturer's official tools — a deeper level of reset that overwrites the system partition entirely. On iOS, a full restore via a computer (not an iCloud restore) combined with "Erase All Content and Settings" is the most thorough approach and is sufficient in nearly all cases.

Step 7: Install CyberFence and Keep It On

Going forward, CyberFence's Web Shield will block malware and phishing sites before they can infect your device. The Smart Scan will monitor your device health. And the VPN will encrypt your traffic so credentials can't be stolen on public networks. Think of it as continuous monitoring rather than a one-time cleanup tool.

The most effective security posture is one where protection is always active — not switched on only after something feels wrong. CyberFence runs quietly in the background, scanning new network connections, checking links before they load, and maintaining an up-to-date threat intelligence database. Set the app to run Smart Scans automatically on a weekly schedule so you catch any new indicators of compromise early, before they develop into a full breach.

How Phones Get Hacked in the First Place

  • Phishing links — clicking a fake email or text message that installs malware. Modern phishing messages are sophisticated: they mimic delivery notifications, bank alerts, and two-factor authentication requests with convincing branding. A single tap on the wrong link can trigger a drive-by download that installs malware before you've even seen the page fully load.
  • Malicious apps — apps from outside official app stores, or compromised apps that slipped through review. Both the Google Play Store and Apple App Store have had documented cases of malicious apps passing initial review and being installed by millions of users before being removed. Apps that request excessive permissions — especially accessibility or SMS permissions — warrant extra scrutiny before installation.
  • Public Wi-Fi attacks — connecting to unsecured networks where attackers intercept your traffic. Man-in-the-middle attacks on public Wi-Fi can capture unencrypted credentials and session tokens. Evil twin attacks — where an attacker creates a Wi-Fi network named "Airport Free WiFi" or "Hotel_Guest" — trick devices into connecting automatically and routing all traffic through the attacker's equipment. A VPN eliminates this risk entirely.
  • SIM swapping — attackers convince your carrier to transfer your phone number to their SIM. This is done through social engineering: calling customer service with enough of your personal information — often obtained from data breaches — to impersonate you. Once they control your number, they can receive every SMS-based verification code sent to you. Carriers have added security measures, but SIM swap attacks remain a real threat. Adding a carrier account PIN or passphrase provides meaningful protection.
  • Zero-day exploits — rare but serious attacks on unpatched OS vulnerabilities. Zero-day exploits target security flaws that the OS vendor doesn't yet know about, meaning no patch exists. These are expensive to develop and typically used by nation-state actors or sophisticated criminal groups against high-value targets. They can compromise a device with zero user interaction — no tap required. Keeping your OS updated minimizes your exposure window even when zero-days exist, because patches for discovered vulnerabilities arrive faster than attackers can repurpose exploits.

Prevention Is Easier Than Recovery

Once your phone is compromised, recovering accounts, containing the damage, and rebuilding your security takes hours — or days. Prevention is dramatically easier. A compromise that goes undetected for six months — which is the average — means six months of your messages, location history, passwords, and financial transactions have been in an attacker's hands. Recovering from that isn't a single afternoon of password changes; it's an ongoing audit of every account, every transaction, and every contact relationship that may have been poisoned by messages sent in your name.

The habits that prevent phone hacks are straightforward: keep your OS updated, don't tap links in unsolicited messages, only install apps from official stores, use a VPN on public Wi-Fi, and enable 2FA everywhere. None of these require technical expertise. They require consistency. The majority of phone compromises exploit human behavior — impulsive clicks, convenience shortcuts, and delayed updates — rather than exotic technical vulnerabilities. Changing those habits eliminates most of your attack surface.

CyberFence's Web Shield blocks phishing links and malware before they reach your device. The VPN encrypts your traffic so credentials can't be stolen on public networks. And Smart Scan monitors your device security posture automatically. Together, these three layers of protection address the most common attack vectors — network-level interception, malicious content delivery, and device misconfiguration — without requiring you to be a security expert to benefit from them. The goal is to make good security the path of least resistance, not an additional burden.

One app. Comprehensive protection. Try CyberFence free.
