How to Check If Your Phone Is Hacked 2026
Quick Answer: To check if your phone is hacked, start by dialing *#21# and *#62# on your phone’s keypad to check for unauthorized call forwarding. Then run a security scan — use Google Play Protect on Android (Google Play Store → Profile icon → Play Protect → Scan) or Apple’s Safety Check on iPhone (Settings → Privacy & Security → Safety Check). Look for warning signs like unexplained battery drain, data spikes, unknown apps, or overheating when idle. The key thing to know: USSD codes only detect call forwarding — they cannot detect spyware, malware, or remote access trojans. You need a proper security scan for that.
Time needed: 10–20 minutes for a basic check; 30–60 minutes for a thorough audit Difficulty: Beginner Works on: iOS 18+ / Android 15+ / Both What you’ll need: Your phone, access to Settings, an internet connection for downloading a security app (if needed)
Table of Contents
Why This Matters in 2026
Mobile devices aren’t just phones anymore — they’re digital vaults. Your smartphone holds banking apps, two-factor authentication codes, health records, location history, and private communications. That makes it an extraordinarily valuable target.
The numbers tell the story. According to Kaspersky’s 2025 threat report, attacks on Android smartphone users jumped 29% in the first half of 2025 compared to the same period in 2024. Android malware rose 67% year-over-year according to Zscaler’s 2025 findings. Mobile banking trojans nearly quadrupled during the same period. And these trends are accelerating into 2026, with AI-powered malware that rewrites its own patterns to evade detection, deepfake voice attacks that bypass identity verification, and automated phishing engines generating region-specific smishing messages at scale.
Even iPhones aren’t immune. In 2025, Apple disclosed nine zero-day vulnerabilities that hackers actively exploited. Trojan apps infiltrated the App Store, with Apple removing approximately 20 malicious apps in early 2025. The myth that iPhones can’t be hacked is exactly that — a myth.
This guide walks you through every method to detect a compromised phone, from quick dial codes to deep system audits, covering both iPhone and Android with step-by-step visual instructions.
🚨 Do This RIGHT NOW (If You Suspect a Hack)
Before you read the full guide, take these immediate actions if you believe your phone is actively compromised. Think of this as your emergency checklist — calm but urgent.
1. Disconnect from the Internet
Turn on Airplane Mode immediately. This cuts off the hacker’s ability to send or receive data from your device.
- iPhone: Swipe down from the top-right corner → Tap the airplane icon
- Android: Swipe down from the top of the screen → Tap Airplane Mode
You should see: The airplane icon in your status bar and all connectivity icons (Wi-Fi, cellular) disappearing.
2. Don’t Log Into Sensitive Accounts on This Phone
If your phone is compromised, a keylogger could be recording everything you type. Use a different, trusted device (a friend’s phone, a computer) to change your most critical passwords:
- Email (this is the master key to everything)
- Banking and financial apps
- Apple ID or Google Account
3. Check for Suspicious Call Forwarding
Open your phone’s dialer and type *#21# then press call. This reveals if your calls are being forwarded to another number. If you see anything other than “Not Forwarded,” someone may be intercepting your calls.
To kill all forwarding immediately: Dial ##002# and press call. This disables all conditional and unconditional call forwarding.
4. Look for Unknown Apps
Scroll through your entire app list. If you see apps you don’t recognize and didn’t install, that’s a red flag.
- iPhone: Settings → General → iPhone Storage (shows all installed apps)
- Android: Settings → Apps → See all apps
5. Run a Quick Security Scan
Re-enable Wi-Fi briefly (keep Airplane Mode on for cellular if possible):
- Android: Open the Google Play Store → Tap your profile icon → Play Protect → Scan
- iPhone: Go to Settings → Privacy & Security → Safety Check
Now take a breath. The sections below walk you through a complete, methodical check.
12 Warning Signs Your Phone Is Hacked
Not every slow phone is hacked, and not every hacked phone is slow. But a combination of these symptoms — especially appearing together or suddenly — should raise your alert level.
🔋 1. Battery Draining Unusually Fast
What it looks like: Your phone used to last all day and now dies by 2 PM — with the same usage patterns.
Why it happens: Spyware and malware run continuously in the background, monitoring your activity, recording keystrokes, tracking your location, and transmitting data to remote servers. All of this consumes significant processing power and battery life.
How to check:
- iPhone: Settings → Battery → Scroll down to see battery usage by app. Look for apps consuming disproportionate power, especially ones you don’t recognize or rarely use.
- Android: Settings → Battery → Battery usage. Same principle — look for apps consuming unusual amounts of battery that you don’t use actively.
Rule out first: Old batteries naturally degrade. An iPhone battery below 80% health (Settings → Battery → Battery Health) will drain faster regardless. Also, running a VPN or having poor cellular signal causes faster drain.
📶 2. Unexplained Data Usage Spikes
What it looks like: Your monthly data consumption suddenly doubles or triples without any change in your habits.
Why it happens: Spyware sends intercepted data — messages, location info, photos, keystrokes — to hacker-controlled servers. This transmission consumes mobile data, often in large bursts.
How to check:
- iPhone: Settings → Cellular → Scroll down to see data usage per app. Look for unfamiliar apps using significant data, or known apps using far more than expected.
- Android: Settings → Network & internet → Internet → Look at usage per app. On Samsung: Settings → Connections → Data usage → Mobile data usage.
Rule out first: Streaming in higher quality, auto-backups of photos to cloud services, or app updates downloading over cellular can all cause legitimate spikes.
🌡️ 3. Phone Overheating When Idle
What it looks like: Your phone feels hot to the touch even when sitting on a table, unlocked and unused.
Why it happens: Malware running background processes — especially cryptocurrency miners or spyware recording audio/video — pushes the processor hard, generating heat.
How to check: Simply leave your phone idle for 10–15 minutes with the screen off. Pick it up. If it’s warm or hot, something is working hard in the background.
Rule out first: Extended gaming, video calls, or charging will naturally heat your phone. High ambient temperatures matter too. The concern is heat during inactivity.
📱 4. Apps You Didn’t Install
What it looks like: You discover an app on your phone you have zero memory of downloading.
Why it happens: Hackers (or someone with physical access to your device) install spyware disguised as legitimate-looking apps. Some malware can also download additional apps silently after initial infection.
How to check:
- iPhone: Settings → General → iPhone Storage → Review every app. Tap any you don’t recognize to see when it was downloaded and how much storage it uses.
- Android: Settings → Apps → See all apps → Sort by “Recently installed” if available. Review unfamiliar entries.
Note: Some phones come with pre-installed bloatware from the manufacturer. Not every unrecognized app is malicious — but any app you can’t identify deserves investigation.
📨 5. Strange Texts, Calls, or Messages You Didn’t Send
What it looks like: Friends or contacts tell you they received messages you didn’t send. You see outgoing calls in your log to numbers you don’t recognize. Your social media posts content you never wrote.
Why it happens: Once a hacker has control of your phone, they can send messages, make calls, and post on social media to spread malware to your contacts or conduct social engineering attacks.
How to check: Open your Phone app and Messages app. Review your recent outgoing calls and sent messages. Check your social media accounts for posts, messages, or follows you didn’t initiate.
🔐 6. Unauthorized Account Access
What it looks like: You receive password reset emails you didn’t request, login verification codes arrive at random times, or you find yourself locked out of accounts.
Why it happens: Spyware captures your login credentials and sends them to hackers. With your username and password, they attempt to access your accounts — often starting with email, since controlling your email gives access to password resets for everything else.
How to check: Check your email inbox for security alerts, password reset confirmations, or “new login” notifications you don’t recognize. Most major platforms (Google, Apple, Facebook, Instagram) send login alerts by default.
💰 7. Unexpected Charges on Your Phone Bill
What it looks like: You see charges for premium SMS services, subscriptions, or services you never signed up for.
Why it happens: Some malware subscribes your phone to premium-rate services or sends costly SMS messages to revenue-generating numbers. Hackers with remote access may also use your phone’s subscriptions.
How to check: Review your phone bill carefully, especially sections for “premium services,” “third-party charges,” or “content purchases.”
🔊 8. Background Noise During Calls
What it looks like: You hear clicking, static, distant voices, or unusual echoing during phone calls that wasn’t there before.
Why it happens: Call-monitoring apps or call-forwarding to a third party can introduce audio artifacts. Some spyware that records calls may also produce subtle background interference.
How to check: Pay attention during your next few calls. Ask the other person if they hear anything unusual on their end too.
Rule out first: Poor cellular signal naturally causes call quality issues. This sign alone isn’t conclusive.
📷 9. Camera or Microphone Activating Unexpectedly
What it looks like: On iPhone, you see the green dot (camera) or orange dot (microphone) indicator in the status bar when you haven’t opened any app that uses them. On Android, you may see a camera or microphone icon in the status bar.
Why it happens: Spyware can activate your camera and microphone to record audio and video without your knowledge, then transmit the recordings to the attacker.
How to check:
- iPhone: Look for the green (camera) or orange (microphone) indicator dots in the top-right of your screen. Open Control Center and the dot will tell you which app just used the camera or mic.
- Android (12+): Look for the green camera/mic indicator in the top-right corner. Tap it to see which app is using these sensors. Go to Settings → Privacy → Permission manager → Camera/Microphone to audit which apps have access.
⚙️ 10. Settings Changed Without Your Action
What it looks like: Bluetooth is on when you turned it off. Location services were enabled when you’d disabled them. Your default browser changed. Your security settings look different.
Why it happens: Malware often needs to change device settings to operate — enabling location tracking, turning on Bluetooth for data exfiltration, or disabling security features to avoid detection.
How to check: Regularly review your Settings. Pay particular attention to:
- Location Services (should be off or “While Using” for most apps)
- Bluetooth (should be off when not in use)
- Developer options on Android (should be off for most users)
- Install from unknown sources on Android (should be disabled)
🐌 11. Sudden Performance Slowdowns
What it looks like: Your phone lags, apps crash, transitions stutter, and everything feels sluggish — but your phone is relatively new.
Why it happens: Malware consumes CPU, RAM, and storage resources. A phone simultaneously running its normal tasks and hidden spyware operations will slow down noticeably.
Rule out first: Low storage space (under 10% free) causes slowdowns. Older phones naturally slow with OS updates. Restart your phone before concluding malware is the cause.
📴 12. Phone Takes Longer to Shut Down
What it looks like: When you power off your phone, it hangs on the shutdown screen significantly longer than usual.
Why it happens: Hidden spyware may be finishing data collection or transmission processes before allowing the device to fully shut down, similar to how a computer delays shutdown when apps are still running.
Hacking Signs: Quick-Reference Diagnostic Table
| Warning Sign | Severity | What It Might Mean | First Thing to Check |
|---|---|---|---|
| Battery draining fast | ⚠️ Medium | Background malware | Battery usage by app |
| Data usage spikes | ⚠️ Medium | Data exfiltration | Data usage per app |
| Overheating when idle | ⚠️ Medium | Hidden processes | Leave phone idle, check temp |
| Unknown apps installed | 🔴 High | Spyware/stalkerware | Full app list in Settings |
| Messages you didn’t send | 🔴 High | Remote control | Outgoing message logs |
| Account lockouts | 🔴 High | Credential theft | Email security alerts |
| Unexpected charges | 🔴 High | Premium SMS fraud | Phone bill details |
| Background noise on calls | ⚠️ Medium | Call interception | Multiple calls, compare quality |
| Camera/mic activating | 🔴 High | Active surveillance | Indicator dots in status bar |
| Settings changed | 🔴 High | Malware reconfiguration | Security & privacy settings |
| Sudden slowdowns | ⚠️ Medium | Resource hijacking | Storage space, then app usage |
| Slow shutdown | ⚠️ Medium | Spyware finalizing tasks | Time your shutdown |
One symptom alone rarely confirms a hack. Three or more appearing together — especially the 🔴 High severity signs — strongly suggest your phone has been compromised.
USSD Codes to Check If Your Phone Is Hacked
USSD (Unstructured Supplementary Service Data) codes are short dial-pad commands that communicate directly with your mobile carrier’s systems. They’re free, require no internet connection, and give instant results. You’ll see them all over the internet marketed as “secret codes to detect hackers” — but you need to understand their real limitations before relying on them.
What USSD Codes Can Actually Do
USSD codes only check call forwarding and diversion settings. They reveal whether your incoming calls, texts, or data are being redirected to another phone number. This is useful because hackers sometimes set up call forwarding to intercept your two-factor authentication codes or listen in on your conversations.
What USSD Codes Cannot Do
USSD codes cannot detect:
- Spyware or stalkerware installed on your device
- Remote Access Trojans (RATs) giving hackers control of your phone
- Keyloggers recording your passwords
- Malware mining cryptocurrency or stealing data
- SIM cloning or SIM swapping
- Zero-click exploits operating at the system level
Think of USSD codes as checking if someone redirected your mail at the post office. They won’t tell you if someone broke into your house.
Essential USSD Codes and How to Use Them
Open your phone’s Dialer app (the app you use to make calls) and type each code exactly as shown, then press the call button.
Code 1: *#21# — Check Unconditional Call Forwarding
What it does: Shows whether ALL your calls are being automatically forwarded to another number, regardless of circumstances.
How to read the result:
- ✅ “Not Forwarded” or “Disabled” for all categories = You’re good
- 🔴 A phone number appears next to any category (Voice, Data, SMS) = Your calls are being redirected
What to do if forwarding is active: If you see an unfamiliar number, note it down (it could be evidence), then dial ##21# to disable unconditional forwarding.
You should see: A pop-up or screen showing the forwarding status for Voice, Data, Fax, and SMS — each should say “Not Forwarded.”
Code 2: *#62# — Check Forwarding When Unreachable
What it does: Reveals where your calls go when your phone is turned off, out of range, or in airplane mode.
How to read the result:
- ✅ Your carrier’s voicemail number = Normal (this is expected)
- 🔴 An unfamiliar number = Someone may be intercepting your calls when your phone is off
What to do if suspicious: Dial ##62# to disable this forwarding.
Code 3: *#61# — Check Forwarding When Unanswered
What it does: Shows where calls go when you don’t pick up after a certain number of rings.
How to read the result:
- ✅ Your voicemail number = Normal
- 🔴 An unknown number = Suspicious — hackers can set this to a very short ring time so you barely notice the call before it’s forwarded
What to do if suspicious: Dial ##61# to disable.
Code 4: *#67# — Check Forwarding When Line Is Busy
What it does: Shows where calls are redirected when you’re already on another call or reject a call.
How to read the result:
- ✅ Your voicemail = Normal
- 🔴 Unknown number = Investigate
What to do if suspicious: Dial ##67# to disable.
Code 5: ##002# — Nuclear Option: Disable ALL Call Forwarding
What it does: Disables every type of call forwarding at once — conditional and unconditional.
When to use it: If you found suspicious forwarding on any of the codes above, or if you just want a clean slate. This is the “reset everything” code.
You should see: A confirmation message saying all forms of call forwarding have been erased.
Code 6: *#06# — Check Your IMEI Number
What it does: Displays your phone’s unique 15-digit International Mobile Equipment Identity number.
Why it matters: Your IMEI isn’t a hack-detection tool, but you should write this number down and store it somewhere safe. You’ll need it to:
- Report a stolen phone to your carrier
- File a police report
- Block the device from being used on any network
How to read the result: A 15-digit number will appear. Compare it with the IMEI printed on your phone’s original box or in Settings → About Phone. If they don’t match, your phone may have been tampered with or cloned.
USSD Code Quick-Reference Table
| Code | Function | Normal Result | Suspicious Result | Disable Code |
|---|---|---|---|---|
| *#21# | Unconditional forwarding | Not Forwarded | Unknown number shown | ##21# |
| *#62# | Forwarding when unreachable | Carrier voicemail | Unknown number shown | ##62# |
| *#61# | Forwarding when unanswered | Carrier voicemail | Unknown number shown | ##61# |
| *#67# | Forwarding when busy | Carrier voicemail | Unknown number shown | ##67# |
| ##002# | Disable ALL forwarding | Confirmation message | N/A | N/A |
| *#06# | Show IMEI | 15-digit number | Mismatch with original | N/A |
Network note: These codes work on GSM networks (AT&T, T-Mobile, most international carriers). If you’re on an older CDMA network (some Verizon or US Cellular plans), try *72 or *92 as alternatives. You may also see “Invalid MMI code” errors on certain carriers — this doesn’t mean you’re hacked, it means your carrier doesn’t support that particular code.
How to Check If Your iPhone Is Hacked (Step-by-Step)
These steps are verified for iOS 18 and later (2026). Menu locations may shift slightly with future updates.
Step 1: Run Apple’s Safety Check
Open Settings → Tap Privacy & Security → Scroll down and tap Safety Check.
You should see: A screen with two options: “Quick Exit” (in case you need to leave fast for safety) and “Manage Sharing & Access.” Tap Manage Sharing & Access to review what people, apps, and devices can access your information.
This tool lets you review and revoke access you’ve granted to people (Family Sharing, shared location), apps (permissions like camera, microphone, contacts), and devices (trusted devices connected to your Apple ID).
What to look for: Any person, app, or device you don’t recognize having access to your data. Revoke anything suspicious.
Step 2: Check for Unknown Device Profiles
Open Settings → Tap General → Look for VPN & Device Management (or just “Profiles” on older versions).
You should see: Either nothing (which is normal — most personal phones have no profiles) or profiles you recognize (like a work email configuration if your employer manages your phone).
Red flag: If you see a profile you don’t recognize, it could be a configuration profile that grants someone remote control over parts of your phone. Tap it → Tap “Remove Profile” and enter your passcode.
Step 3: Audit App Permissions
Open Settings → Tap Privacy & Security → Review each permission category:
- Location Services: Tap it and review every app. Set suspicious or unnecessary apps to “Never.” Pay attention to any app set to “Always” — very few apps legitimately need constant location access.
- Camera and Microphone: Review which apps have access. Disable for any app that doesn’t need it.
- Bluetooth: Review and remove apps that shouldn’t need Bluetooth connectivity.
Also check: Settings → Privacy & Security → Tracking. Make sure “Allow Apps to Request to Track” matches your preference.
Step 4: Review Apple ID Trusted Devices
Open Settings → Tap your name at the top → Scroll down.
You should see: A list of all devices signed into your Apple ID. This includes your iPhone, iPad, Mac, Apple Watch, and any other Apple devices you own.
Red flag: If you see a device you don’t own — especially a device type you don’t use (like a Mac if you only use Windows) — tap it and select “Remove from Account.” Then immediately change your Apple ID password.
Step 5: Check for Jailbreak Indicators
Jailbroken iPhones have their built-in security barriers removed, making them vastly more vulnerable to malware.
Look for these apps: Cydia, Sileo, Zebra, or Installer. If any of these are on your phone and you didn’t put them there, your phone has been jailbroken — potentially by someone with physical access.
Quick test: Open Safari and navigate to cydia:// in the address bar. If a Cydia app opens or your phone responds (instead of showing an error), your phone is jailbroken.
Step 6: Check for Suspicious Battery and Data Usage
Open Settings → Battery → Review battery usage by app over the last 24 hours and last 10 days. Look for apps consuming significant battery that you don’t use or recognize.
Open Settings → Cellular → Scroll down to review data usage by app. Reset statistics monthly (scroll to the very bottom → “Reset Statistics”) so you can track changes.
Step 7: Update iOS
Open Settings → General → Software Update.
Install any available update immediately. iOS updates frequently patch actively exploited vulnerabilities. Running an outdated iOS version is one of the simplest ways for hackers to maintain access to your device.
How to Check If Your Android Phone Is Hacked (Step-by-Step)
These steps are verified for Android 15 and One UI 7 (Samsung). Steps may vary slightly by manufacturer.
Step 1: Run Google Play Protect Scan
Open the Google Play Store app → Tap your profile icon in the top-right corner → Tap Play Protect → Tap Scan.
You should see: Play Protect scanning your installed apps. When done, it shows either “No harmful apps found” (good) or flags specific apps (take action immediately).
On Samsung phones: You can also run the built-in anti-malware. Open Settings → Tap Battery and device care (or Device care) → Tap Device protection → Tap Scan phone.
Step 2: Check for Apps with Device Administrator Access
Device administrator privileges give apps deep system access — legitimate uses include work email apps or parental controls. Malware that gets admin access is much harder to remove.
On Stock Android / Pixel: Settings → Security & privacy → Device admin apps On Samsung: Settings → Security and privacy → Other security settings → Device admin apps
You should see: Only apps you recognize and deliberately gave admin access (like Google Find My Device, a work email app, or your company’s MDM tool).
Red flag: Any unfamiliar app with admin access. Toggle it off, then uninstall the app.
Step 3: Check “Install Unknown Apps” Permission
Open Settings → Apps → Tap the three-dot menu → Special access → Install unknown apps.
You should see: A list of apps that can install other apps from outside the Play Store. Most should say “Not allowed.”
Red flag: If browsers, file managers, or unfamiliar apps show “Allowed,” someone may have enabled sideloading to install spyware. Toggle them all to “Not allowed.”
Step 4: Audit App Permissions
Open Settings → Privacy (or Security and privacy) → Permission manager.
Review each sensitive permission:
- Camera: Only your camera app, video calling apps, and QR code scanners should have access.
- Microphone: Similar — only apps that genuinely need audio input.
- Location: Review which apps have “Allow all the time” access. Very few apps need constant location data.
- Files and media: Review carefully — spyware uses this to exfiltrate your photos and documents.
- Accessibility: This is a critical permission. Accessibility services can read your screen, control your phone, and intercept input. Only accessibility apps (screen readers for visually impaired users, etc.) should have this. If an unfamiliar app has Accessibility access, that’s a major red flag.
Step 5: Review Google Account Linked Devices
Open Settings → Tap Google → Tap Manage your Google Account → Go to the Security tab → Scroll to Your devices.
You should see: All devices signed into your Google account.
Red flag: Any device you don’t recognize. Tap it and select Sign out. Then change your Google account password immediately.
Step 6: Enable Samsung Auto Blocker (Samsung Only)
Open Settings → Tap Security and privacy → Tap Auto Blocker → Toggle it On.
For maximum protection, also tap Maximum restrictions and enable it. Note that this restricts some features (like sideloading apps and installing apps from sources other than Galaxy Store and Play Store), which is exactly what you want if you’re concerned about hacking.
You should see: Auto Blocker active in your security settings, blocking sideloaded apps and suspicious USB commands.
Step 7: Check for Data and Battery Anomalies
Data usage: Settings → Network & internet → Internet → Review usage per app. On Samsung: Settings → Connections → Data usage → Mobile data usage.
Battery: Settings → Battery → Battery usage → Look for unknown apps consuming significant battery.
Step 8: Update Your Operating System
Settings → System → Software update (or System update). On Samsung: Settings → Software update → Download and install.
Install any available updates. Android security patches fix known vulnerabilities that hackers actively exploit.
Advanced Detection: Beyond the Basics
If you’ve completed the steps above and still suspect your phone is compromised — or if you need deeper analysis — consider these advanced methods.
Check Network Activity (Android)
On some Android phones, you can access detailed network diagnostics by dialing *#*#4636#*#* in your dialer. This opens a hidden “Testing” menu where you can view:
- Phone information (active connections)
- Wi-Fi information
- Usage statistics
- Battery information
What to look for: Active data connections when you’re not using your phone. Unusual network activity patterns.
Note: This code works on stock Android and Pixel devices. It may not work on all Samsung or other manufacturer phones.
Check iPhone Field Test Mode
Dial *3001#12345#* and press call on your iPhone to enter Field Test Mode. This displays detailed information about your cellular connection, including:
- Serving cell info
- Signal strength metrics
- Connected network details
What to look for: This is primarily for advanced users or if you suspect cell tower spoofing (a MITM attack). Unusual connected cell towers or rapidly changing cell IDs could indicate interception.
Review Your Google/Apple Account Activity
Google: Visit myaccount.google.com/security from a trusted device → Check “Recent security activity” and “Your devices”
Apple: Visit account.apple.com → Sign in → Review devices and recent activity
Look for:
- Sign-ins from locations you haven’t been
- Devices you don’t own
- Security changes you didn’t make (password resets, recovery email changes)
Monitor for SIM Swap Attacks
A SIM swap occurs when a hacker convinces your carrier to transfer your phone number to a new SIM card. Signs include:
- Sudden complete loss of cellular service (no bars, “No Service” or “SOS Only”)
- Calls and texts stopping entirely
- 2FA codes no longer arriving
- Notifications that your SIM has been changed
- If you suspect a SIM swap: Contact your carrier immediately from another phone. Request a SIM lock or port-out PIN on your account. Most major US carriers (AT&T, T-Mobile, Verizon) now offer account PINs — set one up proactively.
Better protection: Switch to an eSIM if your phone supports it. eSIMs cannot be physically removed and swapped like traditional SIM cards, making SIM-swap attacks significantly harder to execute.
What to Do If Your Phone Is Hacked (Recovery Steps)
You’ve confirmed suspicious activity. Now it’s time to act methodically. Follow these steps in order — skipping steps can leave gaps that let the hacker back in.
Step 1: Enable Safe Mode (Android) or Recovery Mode (iPhone)
Safe Mode boots your phone with only the pre-installed system apps running, disabling all third-party apps — including malware.
Android Safe Mode:
- Press and hold the Power button until the power menu appears
- Press and hold the “Power off” option on screen
- A prompt will appear: “Reboot to Safe Mode” → Tap OK
- Your phone restarts. You’ll see “Safe Mode” in the bottom-left corner of the screen
iPhone: iOS doesn’t have a traditional Safe Mode, but you can restart in Recovery Mode if you need to restore:
- Connect your iPhone to a computer with iTunes (Windows) or Finder (Mac)
- iPhone 8 or later: Quickly press Volume Up → Quickly press Volume Down → Press and hold the Side button until you see the Recovery Mode screen
- Your computer will offer to Update or Restore
Step 2: Delete Suspicious Apps
While in Safe Mode (Android) or normally (iPhone), remove any apps you don’t recognize or didn’t install.
iPhone:
- Settings → General → iPhone Storage → Tap the suspicious app → Delete App
- Or: Long-press the app icon on your home screen → Remove App → Delete App
Android (in Safe Mode):
- Settings → Apps → Tap the suspicious app → Uninstall
- If the Uninstall button is grayed out, the app has admin access. Go to Settings → Security → Device admin apps → Disable it first, then uninstall.
Step 3: Clear Browser Cache and Data
Malicious code can persist in your browser’s stored data.
iPhone (Safari):
- Settings → Safari → Scroll down → Clear History and Website Data → Confirm
Android (Chrome):
- Open Chrome → Tap the three-dot menu → Settings → Privacy and security → Clear browsing data → Select All time → Check all boxes → Clear data
Step 4: Remove Unknown Device Profiles and Certificates
iPhone: Settings → General → VPN & Device Management → Remove any profile you don’t recognize.
Android: Settings → Security → Encryption & credentials → Trusted credentials → Check the “User” tab. Remove any certificates you didn’t install. Also check Settings → Security → Device admin apps and remove unfamiliar entries.
Step 5: Change ALL Critical Passwords (From a Different Device)
Do this from a trusted computer or another phone — not the compromised device.
Change passwords in this priority order:
- Email (your email is the recovery method for almost everything)
- Apple ID or Google Account
- Banking and financial apps
- Social media (Instagram, Facebook, X, TikTok)
- Any accounts where you reuse passwords (this is why password reuse is dangerous)
Enable two-factor authentication (2FA) on every account that supports it. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) rather than SMS-based 2FA — SMS codes can be intercepted through SIM swaps.
Step 6: Update Your Operating System
iPhone: Settings → General → Software Update → Download and Install Android: Settings → System → Software update → Download and Install
Security updates patch the very vulnerabilities hackers exploit. Install them immediately.
Step 7: Factory Reset (Nuclear Option)
If issues persist after all the above steps, a factory reset is your most effective last resort. It erases everything and returns your phone to its original state, eliminating virtually all forms of malware.
Before you reset: Back up your essential data (photos, contacts, documents) to a trusted cloud service or computer. However, be cautious — if your backup was created after the phone was compromised, it may contain the malware. Only back up personal files, not app data or settings.
iPhone:
- Settings → General → Transfer or Reset iPhone → Erase All Content and Settings
- Enter your passcode and Apple ID password when prompted
- Wait for the process to complete, then set up as a new phone
Android:
- Settings → General management → Reset → Factory data reset
- Tap Reset → Enter your PIN → Tap Delete all
- Wait for the process to complete
- On Samsung: Settings → General management → Reset → Factory data reset → Reset → Delete all
After the reset: Reinstall apps manually from the official App Store or Play Store only. Do NOT restore from a backup that might be infected. Set up everything fresh.
Step 8: Notify Your Contacts and Carrier
- Tell your contacts that your phone was compromised so they can ignore any suspicious messages that appeared to come from you
- Contact your mobile carrier to report the incident and set up a PIN or port-out protection on your account
- Monitor your financial accounts for unauthorized transactions for the next 30–90 days
- Check your credit report for any unfamiliar activity (available free at annualcreditreport.com in the US)
Troubleshooting Common Problems
Problem 1: “I dialed *#21# and it shows ‘Conditional Call Forwarding Active'”
Symptom: The code shows forwarding is enabled, and you see your carrier’s voicemail number.
Cause: This is almost always normal. Most carriers set up conditional forwarding to your voicemail by default. That’s how your voicemail works — when you don’t answer, the call forwards to your voicemail box.
Fix: Compare the number shown with your carrier’s known voicemail number. You can call your carrier to confirm. If it IS your voicemail number, you’re fine. If it’s a number you don’t recognize, dial ##002# to disable all forwarding and then contact your carrier.
Problem 2: “Play Protect says my phone is fine, but I still see weird behavior”
Symptom: Google Play Protect shows no threats, but your phone still exhibits suspicious activity.
Cause: Play Protect is good at catching known malware from the Play Store, but it has limitations. Sophisticated spyware, zero-day exploits, and sideloaded malware may evade it. Stalkerware specifically designed to hide from basic scans is another possibility.
Fix: Install a dedicated mobile security app for a deeper scan (see Recommended Apps below). If the behavior persists after multiple scans, consider a factory reset as the definitive solution.
Problem 3: “I can’t uninstall a suspicious app”
Symptom: You’ve found an app you want to remove, but the “Uninstall” button is grayed out or missing.
Cause: The app has been granted device administrator privileges, which prevents normal uninstallation. Some malware grants itself admin access to resist removal.
Fix (Android):
- Go to Settings → Security and privacy → Other security settings → Device admin apps
- Find the suspicious app and toggle it off
- Go back to Settings → Apps → Find the app → Now tap Uninstall
Fix (iPhone):
- If it’s a configuration profile: Settings → General → VPN & Device Management → Tap the profile → Remove Profile
- If it’s a regular app that won’t delete: Restart your phone, then try again. If it still won’t delete, you may need to restore through iTunes/Finder.
Problem 4: “I keep getting ‘Invalid MMI Code’ when I dial USSD codes”
Symptom: Your phone shows an error message instead of results when you enter *#21# or similar codes.
Cause: Your carrier or phone model doesn’t support that specific USSD format. This is common on some CDMA networks and certain carrier configurations.
Fix: This doesn’t mean you’re hacked — it just means that code isn’t compatible with your setup. Try checking call forwarding through your phone’s settings instead: iPhone → Settings → Phone → Call Forwarding. Android → Phone app → Settings → Call forwarding. You can also call your carrier directly and ask them to check if any forwarding is active on your account.
Problem 5: “My phone was hacked and I’ve been locked out of my accounts”
Symptom: You can’t access your email, social media, or banking because the hacker changed your passwords.
Cause: The attacker gained access to your credentials and changed passwords and recovery information.
Fix:
- Start with your email — use the account recovery process (Google: accounts.google.com/signin/recovery / Apple: iforgot.apple.com)
- Once email is recovered, use it to reset passwords on other accounts
- For social media: Facebook hacked account recovery, Instagram hacked account recovery
- For banking: Call your bank directly using the number on the back of your card — not a number from your phone
- If you can’t recover accounts yourself, contact the platform’s support with ID verification
- Consider filing a report at ic3.gov (FBI’s Internet Crime Complaint Center) if financial loss occurred
Pro Tips for Advanced Users
1. Use DNS-over-HTTPS (DoH) for Encrypted Browsing
Configure your phone to use encrypted DNS, which prevents eavesdroppers on public Wi-Fi from seeing which websites you visit.
iPhone: Settings → Wi-Fi → Tap the “i” next to your network → Configure DNS → Manual → Add servers like 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google). For system-wide DoH, install a DNS profile from Cloudflare’s 1.1.1.1 app.
Android: Settings → Network & internet → Private DNS → Enter “one.one.one.one” (Cloudflare) or “dns.google” (Google).
2. Set Up a SIM PIN
A SIM PIN is required every time your phone restarts, preventing anyone from using your SIM card in another device.
iPhone: Settings → Cellular → SIM PIN → Toggle On → Set a PIN (default is usually 1234 — change it immediately). Android: Settings → Security → SIM card lock → Toggle On → Set a new PIN.
3. Disable USB Debugging and Developer Mode (Android)
If Developer Options are enabled on your phone and you’re not a developer, turn them off. USB Debugging allows deep access to your phone via a computer connection.
Settings → Developer options → Toggle USB debugging Off. Better yet, toggle the entire Developer options section Off.
4. Enable Lockdown Mode (iPhone) for Extreme Threats
If you’re a journalist, activist, or high-profile target, Apple’s Lockdown Mode significantly reduces your attack surface.
Settings → Privacy & Security → Lockdown Mode → Turn On.
This disables many features (message link previews, certain web technologies, wired connections with accessories), but makes your iPhone extremely hard to compromise. Apple’s official Lockdown Mode documentation details exactly what gets restricted.
5. Use a Physical Security Key for Critical Accounts
Hardware security keys (like YubiKey or Google Titan) provide the strongest 2FA available. They’re phishing-resistant because they require physical possession of the key and cryptographic verification of the website you’re signing into — a phishing page can’t fake that.
Both Google and Apple support security keys for account login.
6. Audit Permissions Monthly
Set a monthly reminder to review which apps have access to your camera, microphone, location, contacts, and files. Permissions can be requested gradually over time as apps update — an app that was safe at install could become invasive after updates.
Recommended Security Apps
For a comprehensive analysis of mobile security tools, see our Best Antivirus Apps for iPhone and Android 2026 guide. Here’s a quick rundown of top-tier options:
For iPhone
- Apple’s Built-in Safety Check — Free, already on your phone. Excellent first-line tool for reviewing sharing and access settings.
- iVerify — Goes beyond basic scans to detect jailbreaks, check security configurations, and guide you through hardening your iPhone’s settings. Used by cybersecurity professionals.
For Android
- Google Play Protect — Free, built into every Android phone. Good baseline protection that scans apps automatically.
- Malwarebytes Mobile Security — Excellent at detecting spyware, adware, and PUPs (potentially unwanted programs) that other scanners miss.
- Bitdefender Mobile Security — Consistently top-rated in independent tests by AV-TEST and AV-Comparatives. Strong real-time protection with minimal battery impact.
For Both Platforms
- 1Password or Bitwarden — Password managers that generate unique, strong passwords for every account. This single tool prevents the most common way hackers access multiple accounts (password reuse).
- Cloudflare 1.1.1.1 — Free app that encrypts your DNS queries and can function as a basic VPN, protecting you on public Wi-Fi networks.
For in-depth reviews and comparisons of security tools, explore our Best VPN Apps 2026 and Best Password Managers 2026 roundups.
Frequently Asked Questions
Can my phone be hacked if it’s turned off?
No. A phone that is truly powered off cannot be hacked remotely. When the device is off, its wireless radios (cellular, Wi-Fi, Bluetooth) are inactive and the operating system isn’t running, so there’s no connection for an attacker to exploit. However, some modern phones have low-power chips that run even when “off” (like iPhone’s Find My network), though exploiting these is extremely sophisticated and typically reserved for state-level attackers — not a concern for most people.
Does *#21# actually tell you if your phone is hacked?
Not exactly. Dialing *#21# only shows whether your calls are being forwarded to another number. While unauthorized call forwarding can be one sign of a hack, this code cannot detect spyware, malware, keyloggers, or any other form of phone compromise. Think of it as one data point, not a definitive answer. A clean *#21# result does not mean your phone is secure.
Are iPhones safer than Android phones?
In general, iPhones have a smaller attack surface due to Apple’s closed ecosystem, strict App Store review process, app sandboxing, and regular security updates pushed to all supported devices simultaneously. However, iPhones are not immune. Apple disclosed nine zero-day vulnerabilities actively exploited by hackers in 2025 alone, and sophisticated spyware like Pegasus has successfully targeted iPhones. Both platforms require vigilance — no phone is hack-proof.
Will a factory reset remove all malware and spyware?
In the vast majority of cases, yes. A factory reset erases all apps, data, and settings, returning the phone to its original state. This removes virtually all consumer-grade malware, spyware, and stalkerware. However, some extremely sophisticated exploits (like firmware-level rootkits) can theoretically survive a factory reset. These are exceedingly rare and typically deployed by state-sponsored actors. For 99.9% of users, a factory reset is the definitive solution.
Can someone hack my phone through a text message?
Yes, but it depends on the type. Simply receiving a text message won’t hack your phone in most cases. However, tapping a malicious link in a text can lead to a phishing page or trigger a download of malware. More dangerously, “zero-click” exploits — used by advanced spyware like Pegasus — can compromise a phone through a text or iMessage without you tapping anything. These exploits are rare and expensive, typically targeting journalists, activists, and government officials rather than average users. Still, never tap links from unknown senders.
How can I tell if someone is tracking my location through my phone?
Check your location-sharing settings. iPhone: Settings → Privacy & Security → Location Services → review which apps have access. Also check Settings → [Your Name] → Find My → to see who you’re sharing your location with. Android: Settings → Location → App location permissions → review each app. Also check Google Maps → your profile icon → Location sharing → to see if you’re sharing with anyone. Additionally, check for AirTags or Bluetooth trackers near you: iPhone has built-in “Items That Can Track Me” detection (Find My app → Items tab), and Android users can use the “Tracker Detect” app or built-in unknown tracker alerts (Android 14+).
My phone is acting weird — how do I know if it’s a hack or just a glitch?
The key difference is pattern and persistence. A glitch is usually a one-time thing that goes away after a restart. A hack tends to produce multiple symptoms that persist across restarts. If your phone shows 3+ warning signs from our diagnostic table above (especially high-severity ones like unknown apps, unauthorized account access, or camera/mic activation), treat it as compromised and follow the recovery steps. If a single restart fixes everything, it was probably just a software glitch.
What’s the first thing I should do if I think I’m hacked?
Turn on Airplane Mode immediately to cut the hacker’s connection, then follow our “Do This RIGHT NOW” emergency checklist at the top of this guide. The two most critical immediate actions are: disconnect from the internet (Airplane Mode) and change your email password from a different device. Everything else follows from there.
Can my phone camera be used to spy on me without my knowledge?
Technically yes, spyware can access your camera. But modern phones provide visual indicators. iPhones show a green dot in the status bar when the camera is active and an orange dot for the microphone. Android 12+ shows similar indicators in the top-right corner. If you see these indicators when you haven’t opened an app using the camera or mic, investigate immediately by checking recent app activity and permissions.
How often should I check if my phone is hacked?
For most people, a monthly security audit is sufficient — review app permissions, check for unknown apps, review account activity, and ensure your OS and apps are up to date. If you’re in a higher-risk category (handling sensitive information, public figure, in a domestic dispute), consider weekly checks and using dedicated security software with real-time monitoring.