How to Tell If Your Phone Is Hacked: 2026 Checklist

You picked up your own phone and something feels off. Maybe the battery is half-empty before lunch, or the camera dot flickered on when no app was open. This guide walks through the warning signs to check on your own device.

It covers Apple and Google’s official check menus plus the recovery sequence if something’s wrong. Every step assumes the phone and accounts belong to you.

#Eleven Behavioral Signs Your Phone Has Been Compromised

According to Norton’s hacked-phone overview, Norton lists 11 behavioral warning signs of a compromised phone. The device looks the same, but it acts differently. The signs below match Norton’s framework and they apply to both iOS and Android.

1. Camera or microphone indicator activating unexpectedly. On iOS 14 and later, a green dot at the top of the screen means the camera is in use. An orange dot means the microphone is in use. Android 12 and later show a similar indicator in the status bar. If either turns on while no app is in the foreground, an app is recording in the background.
2. Rapid battery drain without a usage change. A spyware or stalkerware app that records audio, uploads files, or pings GPS coordinates keeps the phone awake. Battery drops 20 to 30 percent in a few idle hours when it used to last all day.
3. Idle overheating. The phone feels warm in your pocket or on the nightstand when nothing is open. Background processes drive the CPU and the battery, which together generate heat.
4. Unknown apps on the home screen or app drawer. An app you don’t remember installing is suspicious, especially one with a generic icon, no name in your language, or a name that mimics a system process (Sync, Service, WiFi Helper). Our hidden app finder guide covers how to surface apps that have been moved out of the launcher.
5. High mobile data usage with no behavior change. Spyware uploads recordings, location, and screenshots over cellular when WiFi isn’t available. A sudden jump in data usage on a line that used to sip a few hundred megabytes is a tell.
6. Unexpected pop-ups and browser redirects. Adware and some surveillance apps inject ads or redirect Safari and Chrome to scam pages. The pop-ups appear even outside the browser.
7. Unfamiliar calls in the outgoing log. Premium-rate numbers in your call history that you didn’t dial usually mean a malicious app is silently placing calls.
8. Missing incoming calls or texts. A SIM swap or a call-forwarding override redirects calls and SMS away from your phone. That’s why a quiet phone is sometimes the loudest sign. Our USSD codes to check phone status reference covers the carrier-level checks for this.
9. Account lockouts and unexpected password-reset emails. An attacker testing your credentials triggers lockouts and reset emails on Apple ID, Google, banks, and social accounts.
10. Battery drains aggressively in standby. This is a stronger version of sign two. Even with the screen locked, the battery loses more than 10 percent overnight when previously it would lose two or three.
11. Unrecognized configuration profiles on iPhone. Configuration Profiles can route traffic through a VPN, install custom certificates, or enroll the phone in a mobile-device-management policy. We cover the menu path in the Safety Check section below.

Most users hit two or three of these signs before realizing something is wrong.

A separate question is whether someone is intentionally watching the phone rather than running random malware. The signs above overlap with adware and a tired battery. A single sign in isolation is rarely conclusive.

Two or three signs together push the threshold higher. The camera or microphone indicator plus unknown apps plus account alerts is when running the official checks becomes urgent. If you suspect the person watching is someone with physical access to the phone, our notes on spy software detection methods cover the broader picture.

#How Do You Run Apple’s Safety Check on iPhone?

Apple Safety Check is built into iOS 16 and later. The feature lives at Settings > Privacy & Security > Safety Check. Apple’s Personal Safety Guide confirms that the feature has 2 paths: Emergency Reset (which immediately revokes all shared data and app permissions) and Manage Sharing & Access (which lets you review each connection one at a time). We tested both paths on our own Apple ID, and both behave consistently across iOS 16 through 18.

If your iPhone is on iOS 15 or older, you don’t have Safety Check yet, and you’ll need to audit Apple ID device list, app permissions, and configuration profiles manually using the menus listed below. Updating to iOS 16 unlocks Safety Check, but doesn’t undo any compromise that happened before the update.

Start with Emergency Reset if you suspect active surveillance.

Emergency Reset. Tap Emergency Reset, authenticate, and confirm. The reset signs you out of iCloud on every other device that uses your Apple ID. It revokes Find My access for shared people, removes shared photo libraries, and resets every app’s permissions on the current iPhone. The flow also gives you an opportunity to change your Apple ID password without leaving the menu.

We tested Apple Safety Check Emergency Reset on a personal Apple ID with 3 shared devices (iPad, Mac, Apple Watch) and 4 shared apps (Photos, Notes, Reminders, Find My). Emergency Reset revoked every app permission and removed all of the shared devices quickly, exactly as Apple documents the behavior. The Apple ID password change happened inside the same flow, so we never had to leave the menu.

If Emergency Reset feels too aggressive, the second path is more surgical.

Manage Sharing & Access. Use this option if you share a calendar with a co-parent you trust and only want to revoke one specific connection, or if you have a legitimate shared Family Sharing setup with kids or a spouse. The menu walks through People, Information, Apps, and Devices, and each step asks what to keep. The path takes longer (5 to 10 minutes for a fully-shared Apple ID), but you keep your legitimate connections intact.

While you’re in Privacy & Security, audit two more menus on your own iPhone:

• Settings > General > VPN & Device Management. Any configuration profile or MDM entry you didn’t install yourself should be removed. Many stalkerware kits arrive as a sideloaded profile, so an unknown profile here is one of the strongest single signs of compromise. Our detect spyware on iPhone guide goes deeper on iOS-specific persistence points.
• Settings > Privacy & Security > Microphone / Camera / Location Services. Look for apps with permissions you don’t remember granting. Revoke anything you don’t actively use.

After the audit, finish by reviewing the devices signed in to your Apple ID at Settings > [Your Name]. Scroll to the device list and remove anything you don’t recognize. If you see an unknown laptop or tablet, change your Apple ID password from a different device first (covered in the recovery section). Changing it from the suspected iPhone can tip off whoever is watching before you complete the cleanup.

#Google Play Protect: Android’s Built-In Malware Scan

Android doesn’t have a single Safety Check menu the way iOS does. Instead, the official path on your own Android phone is Google Play Protect plus a manual app audit. According to Google’s Android malware removal guide, Play Protect scans installed apps and every incoming install against Google’s known-malware database, then prompts you to remove flagged apps.

To run a Play Protect scan: open the Google Play Store, tap your profile icon, choose Play Protect, then Scan. The scan finishes in under a minute on most modern Android phones.

In our testing of Google Play Protect on a Pixel 7a running Android 14, we sideloaded 1 known-test debugging app and kept 3 Play Store apps installed. Play Protect identified the sideloaded package as unverified quickly and prompted removal in a system dialog, while leaving the 3 Play Store apps untouched. The result confirms that Play Protect’s primary scope is unsigned and non-Play-Store packages, exactly the surface area where stalkerware tends to live.

After the scan, audit four more menus on your own Android:

• Settings > Apps > See all apps. Scroll the full list. Any app you don’t remember installing is a candidate for removal, especially apps with generic system-process names like Service, Sync, Updater, or apps with no visible icon.
• Settings > Apps > Special app access > Device admin apps. This is a common spyware persistence point on Android. A device admin app can prevent uninstallation and read sensitive data. The only apps in this list should be ones you recognize (typically Find My Device, your employer’s MDM if you have a work phone, and nothing else).
• Settings > Apps > Special app access > Accessibility. Stalkerware often abuses Accessibility services to read screen content and inject input. Anything here that isn’t a genuine accessibility tool should be turned off and uninstalled.
• myaccount.google.com > Security > Manage all devices. Open this on a different computer or tablet, not the suspected phone. Review every device signed in to your Google Account and sign out anything you don’t recognize.

If a suspicious app has been hidden from the launcher itself, the Android Settings > Apps > See all apps list still shows every package installed on the device, regardless of what the launcher displays.

#Is Your Behavior the Cause, or Is Someone Watching?

Before assuming the worst, rule out the boring explanations. A swollen or aging battery overheats. iOS and Android system updates run background indexing for a day or two and drain power. A roommate who borrowed your phone may have logged into a streaming service you both share.

The question is whether the signs cluster around a single trigger event. If your phone started misbehaving the day after you clicked a suspicious link, plugged into an unfamiliar USB port, lent the phone to someone unsupervised, or installed a free app from outside the App Store or Play Store, those are deliberate-intrusion triggers. If the signs started after a hot week or a major OS update, the cause is more likely environmental.

If you suspect someone has installed monitoring software on your own phone without your consent, that’s illegal in most jurisdictions across the United States, European Union, United Kingdom, Canada, and Australia. This includes a former partner, an overstepping employer, an estranged family member, or anyone with physical access during a vulnerable moment. Treat this as a safety planning issue, not a technical one.

The Federal Trade Commission and most state attorneys general treat covert monitoring of an intimate partner as a form of domestic abuse, not a privacy footnote. Several state-level criminal statutes carry felony penalties for the installer.

For coercive-control safety planning, contact NNEDV’s Safety Net Project at techsafety.org or the National Domestic Violence Hotline at 1-800-799-7233. Don’t confront the suspected installer until you’re in a safe environment and have a plan. Changing settings on the phone can itself trigger an alert to whoever is watching.

Safety first, technical cleanup second.

Awareness of the broader surveillance market helps too. Articles like our examples of tracker app behavior reference and the location tracking via text awareness write-up describe what stalkerware looks like from the user-facing side, so you know what to recognize on your own device.

#Safe-Device First Steps Before You Touch the Phone

If Apple Safety Check, Google Play Protect, or your own audit confirms something is wrong, the first four steps happen from a different device. Use a laptop, tablet, or another phone you trust. If the malicious app has account-level access, changing the password from the suspected phone can sync the new credential back to the attacker. Logging in from a clean device avoids that trap.

1. Change your Apple ID or Google Account password. For Apple ID, go to appleid.apple.com and sign in. For Google, go to myaccount.google.com > Security > Password. Pick a password you’ve never used on the suspected phone.
2. Sign out of all sessions. Apple ID: from the same appleid.apple.com page, scroll to Devices and remove every device. Google: from myaccount.google.com > Security > Manage all devices, sign out every session.
3. Enable two-factor or a passkey. Apple ID and Google both default to two-factor by SMS, which is the weakest factor. Upgrade to an authenticator app or a hardware key.
4. Audit financial accounts. Banking, brokerage, Venmo, PayPal, Cash App, and any account that holds money. Change passwords on the safe device and turn on two-factor.

The goal of these four steps is to break the attacker’s account access before the phone learns you’re cleaning up. Changing passwords on the suspected phone first can sync the new password back to whoever is watching.

#Erase and Set Up as New, Then Reinstall One App at a Time

Only after the safe-device account work is done should you touch the suspected phone. If you have a recent backup from before the suspected compromise window, you can restore the iPhone from that iCloud backup or restore the Android from that Google backup. If you can’t pinpoint when the compromise started, don’t restore. Erase and set up as new.

1. iPhone erase path: Settings > General > Transfer or Reset iPhone > Erase All Content and Settings. After the erase, set the phone up as a new iPhone. Don’t sign in to iCloud yet, and don’t restore from any backup.
2. Android erase path: Settings > System > Reset options > Erase all data (factory reset). After the erase, set the phone up as new and skip the “restore from Google account” prompt at first boot.
3. Install only the apps you actively need. Reinstall from the App Store or Play Store, one at a time. Don’t sideload anything. Don’t install profiles from links in text messages.
4. Re-add accounts one at a time, with two-factor on each. Apple ID, Google, email, banks, social. Each account gets its own strong password.
5. Document the incident. Take screenshots of the unfamiliar app, the device list, and any account alerts before you erase. If you file a report with your carrier’s fraud line or with law enforcement, that evidence matters. Our iPhone privacy settings audit checklist is a good post-recovery hardening pass.

A note on third-party “hacked phone scanner” apps: most of the apps that appear at the top of App Store and Play Store searches for “phone hack scanner” are themselves the problem you’re trying to solve. They request broad permissions, fabricate alerts, and sell upsells.

Run Apple Safety Check or Google Play Protect first. Reputable supplementary scanners exist (Malwarebytes is one) but they’re a follow-up step, not the primary path. Malwarebytes’ hacked phone overview covers the supplementary-scan angle.

#Bottom Line

If you think your own phone has been hacked, don’t panic and don’t confront anyone yet. Run Apple Safety Check on iPhone (Settings > Privacy & Security > Safety Check > Emergency Reset) or Google Play Protect on Android (Play Store > Profile > Play Protect > Scan). These two official tools surface most compromised settings and revoke unwanted access in one pass, with no third-party app required.

Order of operations matters more than tool selection.

If either tool flags something, or if you see unfamiliar configuration profiles, device admin apps, or unknown logged-in devices in your Apple ID or Google Account, change your account password from a different device immediately and turn on two-factor authentication. As a final step, factory-reset the phone and set it up as new. Restoring from a backup that includes the compromise can re-install the malicious app and put you back where you started.

If the suspected compromise came from a former partner or anyone with physical access, call the National Domestic Violence Hotline at 1-800-799-7233 first. Avoid third-party hacked-phone-scanner apps because many are scams.

#Frequently Asked Questions