Last winter a friend handed me her iPhone because it was “acting possessed” — dead by lunch, random Portuguese-language ads on the home screen, and a password-reset email from her bank she never asked for. Twenty minutes later we found a configuration profile she had been tricked into installing, and the picture snapped into focus. The earlier you catch a compromised phone, the difference between a fifteen-minute cleanup and months of identity-theft cleanup.
I have walked dozens of people through this exact panic, and the pattern is always the same: a few small symptoms that each look innocent until you line them up. Below I cover what a hacked phone actually looks like and the precise steps I use to clean one up on both Android and iPhone.
Quick Answer
The clearest signs your phone has been hacked are sudden battery drain, apps you never installed, unexpected mobile-data spikes, messages sent from your accounts that you didn’t write, pop-up ads, sluggish performance, and password-reset emails you didn’t request. If two or more apply, run a malware scan and change your passwords today.
What Are the Warning Signs Your Phone Has Been Hacked?
Spyware and adware leave fingerprints. Each sign below can have an innocent explanation on its own, but when several appear together I treat the phone as compromised until proven otherwise. Here are the seven I check first.
Is your battery draining far faster than normal?
Malicious apps run silently in the background — tracking location, uploading contacts, streaming the microphone — and all of that burns battery fast. If a phone that once lasted all day now dies by mid-afternoon for no obvious reason, I open Settings > Battery on iPhone or Settings > Battery > Battery Usage on Android and look for an unfamiliar app near the top of the list. On iOS 14+ and Android 12+, a colored dot in the status bar means the camera or microphone is active right now — seeing it while you’re doing neither is a red flag.
Unexplained battery drain plus a live camera or mic dot is one of the strongest early warning signs.
Are there apps you don’t recognize?
I scroll through every home screen and app drawer. Attackers love disguising apps as bland utilities like “System Service” or “Phone Manager” so they blend in. Uninstall anything you don’t remember adding. On Android, also open Settings > Security > Device Admin Apps and revoke admin access for anything you didn’t authorize. Rogue browser add-ons work the same way on desktop, and my guide on browser extensions that spy on you covers that angle in detail.
If an app is on your phone and you can’t recall installing it, treat it as hostile until you confirm otherwise.
Has your mobile data usage spiked?
Spyware exfiltrates messages, photos, and call logs to remote servers, and that traffic shows up in your data totals. I check Settings > Mobile Data on iPhone or Settings > Network & Internet > Data Usage on Android. An app you barely touch sitting at the top of the data list is worth acting on immediately.
A rarely-used app burning large amounts of background data usually means something is shipping your information out.
Are messages going out that you didn’t write?
If contacts say they’re getting strange links or odd messages from you, act right away. Hijacked phones get used to spread phishing links and run premium-rate SMS scams. I open the Sent folder in both Messages and email and scan for anything I didn’t send.
Outgoing messages you never wrote mean your accounts are already being used against your contacts.
Is the phone sluggish or overheating for no reason?
A phone running hot while idle or freezing often is busy with hidden background processes. On its own this could be a software bug or aging hardware, but paired with any other sign here it points to compromise and warrants a scan.
Heat and lag alone are inconclusive, but combined with another symptom they tip the scales toward malware.
Are pop-up ads showing up outside of apps?
Ads on your home screen, or inside apps that never had ads before, are a hallmark of adware that pays attackers to force advertisements onto your screen. When I see ads appearing where they have no business being, a rogue app is almost always the cause.
Ads outside of an app you opened are a near-certain sign of an adware infection.
Are you getting password resets you never asked for?
Password-reset emails you didn’t request, login alerts from unfamiliar places, or sudden lockouts all point to someone methodically taking over your accounts — often starting from access gained through your phone. This escalates within hours, so I act the same day every time. The fastest way to confirm it is to find and remove unknown logins on Google, Microsoft, and Apple.
Unrequested password resets are the loudest alarm on this list — never ignore them.
How Do You Clean Up a Hacked Phone Step by Step?
Once I’m confident the phone is compromised, I work through these five steps in order. Doing them out of sequence — for example, resetting passwords on the infected device before removing the malware — can hand your new credentials straight back to the attacker.
Step 1: Run a malware scan
On Android, I install Malwarebytes (free) and run a full device scan. On iPhone, I go to Settings > General > VPN & Device Management and delete any configuration profile I didn’t install — those profiles are the main way attackers bypass Apple’s protections without a jailbreak, and they were exactly what my friend had been tricked into adding.
Step 2: Remove every app you don’t recognize
Uninstall unfamiliar apps right away. On Android: Settings > Apps. On iPhone: press and hold the icon, then Remove App. If an Android app refuses to uninstall, it likely holds Device Administrator privileges — revoke those at Settings > Security > Device Admin Apps first, then remove it. When an app still resists, I boot into Safe Mode by holding the Power button, then long-pressing “Power off” until the Safe Mode prompt appears; third-party apps are disabled there, so they come off cleanly.
Step 3: Change your passwords, email first
Email is the master key to every other account, so I change it first, then banking, social media, and anything with saved payment details. Use a unique, strong password for each one, and turn on two-factor authentication everywhere it’s offered — my walkthrough on setting up two-factor authentication makes that quick. It’s also worth checking whether your password was already exposed in a data breach.
Step 4: Audit your signed-in devices
I open myaccount.google.com > Security > Your devices for Google and Android, or appleid.apple.com > Devices for iPhone, and remove anything I don’t recognize. Reviewing sign-in times and locations usually surfaces the intruder fast.
Step 4 follow-up: Confirm 2FA is active
Before moving on, I verify two-factor authentication is genuinely enabled and not just half-configured. A single missed account is all an attacker needs to walk back in.
Step 5: Factory reset as a last resort
If malware survives the steps above, a factory reset is the most reliable fix. Back up photos and contacts to the cloud first, then restore from a backup dated before your symptoms began — restoring a post-compromise backup just reinstalls the problem you removed.
Work these steps in order and most phones are fully clean within two hours.
Which Security Tools Should You Use on Android vs. iPhone?
When three or four tools all claim to help, I find a side-by-side comparison settles it fastest. Here’s what I actually reach for, all free or built in.
| Tool | Platform | Purpose | Cost |
|---|---|---|---|
| Malwarebytes | Android | Malware scan and removal | Free |
| Google Play Protect | Android | Real-time app scanning | Built-in |
| Apple ID Security | iPhone | Device audit and remote wipe | Built-in |
| Have I Been Pwned | Both | Check email against breach databases | Free |
You don’t need to pay for anything — the built-in and free tools above cover the whole cleanup.
Common Mistakes to Avoid
These are the slip-ups I see most often, each with the fix I give people.
- Waiting to act. Symptoms don’t resolve on their own, and every hour gives attackers more time to harvest data. Fix: act the same day you notice something off.
- Changing only one password. Attackers usually target several accounts at once. Fix: change all important passwords, not just the obvious one.
- Restoring a backup without checking its date. A post-compromise backup reinstalls the malware. Fix: restore the most recent backup from before symptoms started.
- Skipping permission reviews after a reset. A clean phone can still leak data through over-permissioned apps. Fix: review each app’s permissions before granting them — a flashlight has no business reading your contacts.
- Resetting passwords on the still-infected phone. Active spyware can capture the new ones. Fix: remove the malware first, then change credentials from a clean device.
Most of the damage I see comes from rushing the order, not from the malware itself.
Frequently Asked Questions
Can iPhones get hacked?
Yes, iPhones can be hacked, though their closed ecosystem makes it harder. The friend I helped was compromised through a rogue configuration profile she installed after tapping a link in a fake “delivery” text — no jailbreak required.
Does a factory reset remove all malware?
In nearly all cases, yes — a factory reset wipes the device back to its original state. The one exception is firmware-level malware, which is extraordinarily rare; in years of helping people I’ve never seen it outside of news reports about state-sponsored attacks on high-value targets.
How do I check whether my email was exposed in a data breach?
Use Have I Been Pwned, a free and reputable service that checks your address against hundreds of known breaches. I ran my own email through it and found it in two old breaches, which is exactly why I now use unique passwords everywhere.
What is SIM swapping and should I worry about it?
SIM swapping is when an attacker convinces your carrier to move your number to a SIM they control, intercepting your SMS codes. I had a reader hit by this; the fix was calling the carrier directly and adding a SIM-lock PIN to the account, which blocks the transfer.
How long does it take to fully secure a hacked phone?
Most people finish a scan, password change, and account audit in under two hours. When I helped my friend it took about ninety minutes, and adding a factory reset would have added roughly another half hour.
Conclusion
A hacked phone is stressful but very recoverable — the real risk is waiting, because every hour a compromised device sits in your pocket adds to the damage. Work through the steps above the moment you spot two or more warning signs, then make two-factor authentication your permanent first line of defense. Start your scan today.