Phone compromise symptoms often overlap with normal instability, so response should begin with triage rather than guesswork.
Separating account-level compromise from device-level compromise is the fastest way to choose the right containment steps.
Triage checklist
- Disconnect from risky networks: turn off Wi-Fi and Bluetooth until you finish basic checks.
- If money or accounts are at risk, change your main email password from a different, trusted device.
- Turn on stronger sign-in protection (2FA or passkeys) on your email and any high-risk accounts.
- Check for unknown apps, and uninstall anything you do not recognize.
- Update your phone’s OS and restart the device.
- If your phone number suddenly stops receiving calls or texts, check for SIM swapping with your carrier.
- If you suspect a targeted situation (for example, an ex-partner monitoring you or employer mobile device management (MDM)), prioritize personal safety and get help before taking steps that could escalate the situation.
Quick safety note: If someone tells you to install a remote access app, "security" app, or profile to fix this, pause. That is a common way to gain control of a device. Use official app stores and official support links only.
| What you are seeing | What to check | What to do next |
|---|---|---|
| Pop-ups or redirects only in your browser | Whether the issue happens only in one browser, and whether a new extension or profile was added | Focus on browser cleanup first (site data, extensions, notifications) before assuming device-level malware |
| Login alerts, password resets, or new devices on your accounts | Email, Apple ID/Google account, and any password manager sign-in history | Recover and secure the accounts first. Many "phone hacks" are actually account takeovers |
| New apps you do not remember installing | App list (including device admin / accessibility permissions on Android) | Remove unknown apps, revoke high-risk permissions, and check for device management profiles |
| Unusual calls/texts, SIM stops working, or number moves to another device | Carrier account changes and whether your number was ported | Treat it as possible SIM swapping and contact your carrier quickly |
| Money missing or new payees/bank transfers | Bank/PayPal/Venmo alerts and transaction history | Prioritize financial account lockdown and fraud reporting, then return to the device checks |
If you also see suspicious activity on your online accounts, start here: How to check if you’ve been hacked.
Before you assume malware, clarify what “hacked” means
Key idea: Most "phone hacks" are actually account takeovers (email, Apple ID, Google account) that show up on your phone. Secure the accounts first, then investigate the device.
People use “hacked phone” to describe several different problems. The fastest way to make progress is to identify which category matches your situation.
Account takeover
Your phone is fine, but your email, Apple ID, Google account, social account, or bank account is compromised. That shows up on your phone because you are signed in, or because attackers use password resets and login alerts to pressure you.
Unwanted app or adware
You installed an app (sometimes a utility app, cleaner app, free VPN, or keyboard) that shows ads, redirects you, or abuses permissions. This is common on Android, but it can happen on any platform through browser abuse or shady apps.
Device management or monitoring
A profile, management system, or monitoring app controls parts of the phone. Sometimes this is legitimate (work device management). Sometimes it is unwanted monitoring (stalkerware or spyware). If you are not sure which it is, treat it as sensitive and do not confront the suspected person until you have a safer plan.
Device or network issue that looks like a hack
Battery problems, buggy updates, weak cellular signal, and flaky Wi-Fi can create symptoms that look scary. The difference is that these issues usually do not come with account alerts, new sign-ins, or new settings you did not change.
Step 1: Stop active damage
If you are seeing suspicious pop-ups, surprise logins, or someone contacting your friends from your accounts, the priority is to stop the bleeding.
- Turn off Wi-Fi and Bluetooth and switch to cellular only (or airplane mode if needed) while you make changes.
- Do not install random “antivirus” apps you found through ads or pop-ups. If you need help, ask a trusted person or use official store listings.
- Do not use links in suspicious emails or texts to reset passwords. Open the app directly or type the official site manually.
Step 2: Check your accounts first
Many hacked phone reports are actually account takeover. If an attacker controls your primary email, they can often reset other accounts, including bank and social accounts.
Start with:
- Your primary email account
- Your Apple ID or Google account
- Your password manager (if you use one)
Actions that usually help:
- Change the password to a strong, unique password. Avoid common password mistakes: Common mistakes creating passwords.
- Turn on 2FA or passkeys: Two-factor authentication (2FA) and its many names.
- Check for unfamiliar devices or sessions signed in to your account, and sign them out.
If you are in full account recovery mode across several services, follow a broader recovery playbook: Been hacked? Take these steps immediately.
Advanced account checks
If the phone symptoms started after a login alert, password reset, or strange email activity, spend five minutes on these checks. They often reveal whether you are dealing with account takeover instead of device malware.
- Check your email settings for new forwarding addresses, new rules, filters, or auto-replies you did not create.
- Check your security history for recent sign-ins, app passwords, and new devices.
- Review connected apps and third-party access (OAuth). Remove anything you do not recognize.
- Verify recovery email addresses and recovery phone numbers. Attackers sometimes add their own, then wait.
- Check for new passkeys, new authenticator devices, or backup codes that were generated without you.
- On social accounts, review login sessions and look for new admin roles, page access, or ad accounts.
If you cannot log in, use official account recovery flows. Avoid creating a new profile with the same email or phone number while recovery is in progress, because it can complicate proof of ownership.
Step 3: Rule out SIM swapping
If your phone suddenly loses service, stops receiving texts, or you get alerts about SIM changes, treat it as urgent. SIM swaps are often used to intercept password reset codes.
- Contact your carrier using a known number or an in-person store, and ask whether there were any recent SIM changes.
- Add a carrier account PIN and strengthen recovery options.
Related guide: SIM swapping. Official resource: FTC: SIM swap scams (how to protect yourself).
Step 4: Check for unknown apps and high-risk permissions
If your phone was compromised through an app, the key is to identify the app and remove its access. Focus on high-risk permissions first, because those enable the most damaging behavior.
High-risk permissions to review
- Accessibility access (can read your screen and click buttons for you)
- Notification access (can read 2FA codes and password reset alerts)
- Device admin or device management
- SMS and call permissions
- Screen recording or overlay permissions
If you find an unfamiliar app with these permissions, remove the permission first, then uninstall the app. If an app will not uninstall, that often indicates device admin access or device management.
iPhone checks (iOS)
- Update iOS, then restart.
- Review installed apps and delete anything you do not recognize.
- Check which devices are signed in to your Apple ID. If you see a device you do not recognize, remove it and change your Apple ID password. Official resource: Apple: See where you’re signed in.
- Search Settings for VPN and remove any VPN configuration you did not install.
- Search Settings for Profiles or Device Management. If you see an unknown configuration profile or management you do not recognize, treat this as a serious sign. If this is a work device, talk to your IT team before removing management.
- Review app permissions (Location, Contacts, Photos, Microphone, Camera) and remove anything that does not make sense.
If your iPhone is managed and you do not know why, learn what configuration profiles do and how they are installed: Apple: Install or remove configuration profiles.
Android checks
- Update Android, then restart.
- Run Google Play Protect and scan for harmful apps. Official resource: Google: Play Protect and scam protection (February 2025).
- Review installed apps and uninstall anything you do not recognize.
- Disable suspicious Accessibility services and remove apps with notification access that should not have it.
- Remove device admin access for apps that do not need it.
- Turn off installing unknown apps unless you have a specific reason and understand the risk.
If you suspect targeted monitoring
If your concern involves a current or former partner, a family member, or a workplace situation, be careful. Some changes you make can alert the person monitoring you.
- If you feel unsafe, prioritize physical safety and get support before making big changes.
- Consider using a separate trusted device (a friend’s phone, a new phone) to change passwords and plan next steps.
- On iPhone, Apple provides a Personal Safety guide (including Safety Check) that can help you review sharing and access: Apple Personal Safety Guide.
- If this is a work-managed device, talk to your IT department. Removing management can break access to work apps and email.
If you believe your phone is being used to steal money or intercept resets, address your phone number and primary email first. That blocks the most common escalation paths.
If the pop-ups are only in your browser
If you only see the problem in one browser (for example, Safari or Chrome), the cause is often a bad site, a browser notification setting, or a sketchy extension (on Android browsers that support them).
- Close all tabs, clear browsing data, and remove any site permissions you do not recognize.
- Do not call phone numbers shown in pop-ups. Those are often support scams.
- If the issue disappears in a different browser, focus on browser settings rather than your whole phone.
If money is missing or financial accounts look touched
If you see unauthorized transfers, new payees, or suspicious logins, treat it as a bank fraud incident, not just a phone issue. Contact your bank using the number on your card or official site, and lock down your email and phone number recovery first.
Related: How to protect your bank account from getting hacked.
When to factory reset
Rule of thumb: A factory reset can remove unwanted apps, but it does not fix password reuse. Change your key passwords and enable 2FA first, or the problem can come right back.
A factory reset is a reasonable last step when you have strong signs of compromise and simpler cleanup did not help, or when you cannot confidently remove a suspicious app.
- Back up photos, videos, and documents. Avoid restoring unknown apps automatically.
- Change critical passwords from a different, trusted device first (so the attacker cannot follow along).
- After resetting, re-install apps only from official stores, and keep the list minimal at first.
- Watch for the same symptoms returning immediately, which can indicate an account issue rather than a phone issue.
Common questions
Can someone hack my phone just by calling me or knowing my number?
Most real-world phone compromises do not start with magic. They start with a link, an app install, credential theft, or phone number takeover through your carrier. Treat unexpected messages as hostile, and protect the accounts that control password resets.
Should I install a random antivirus app?
No. Many security apps advertised through pop-ups are scams or low-quality apps that create more risk. If you want scanning on Android, use built-in protections like Google Play Protect and well-known vendors from the official store.
If I factory reset, am I guaranteed safe?
A reset can remove bad apps, but it does not fix compromised accounts. If the attacker still controls your email or phone number, they can come back through password resets. Treat factory reset as one part of the plan, not the whole plan.
How do I tell a real security alert from a fake pop-up?
Real security alerts usually appear inside a trusted app or in your account settings, not as a random browser pop-up telling you to call a number. If you see an alert, open the relevant app directly (Apple ID, Google account, your bank app) and check recent activity there. When in doubt, use the official support site, not the phone number or link shown in the message.
Should I change passwords on the possibly hacked phone?
If you have strong reason to believe the phone itself is compromised, change critical passwords from a different trusted device first. That reduces the chance an attacker sees your new credentials or intercepts verification codes.
If you are not sure whether it is the phone or the accounts, start with account security and phone number recovery first. Those are the most common ways attackers keep access.
Prevention
- Keep iOS or Android updated.
- Install apps only from official stores. On Android, avoid sideloading unless you understand the tradeoffs and trust the source.
- Treat unexpected links and attachments as hostile, even if they come from a friend.
- Use 2FA or passkeys on your email and high-risk accounts, and keep recovery info up to date.
- Review your account recovery methods at least a few times per year, especially your email account and phone number.
Featured image by Midjourney and Jonas Borchgrevink.