You hand your phone to your bored child to download a game as you catch up with your spouse over dinner at a restaurant. After five minutes of silence: “Mom, what’s this?” Your child hands back a phone that has taken on a life of its own, as screen after screen of inappropriate ads pop up; each time you close one, new ads appear.
Over the next few days, your phone battery needs constant juice as your data usage hits the roof. Annoying? Yes—but these may also be clues that your phone has been hacked.
Ways your phone can be hacked
Letting your child download apps onto your phone willy-nilly, or doing so indiscriminately yourself, puts your phone at risk for malware—software that may look like a legitimate app but is designed to damage your files or steal personal information. Hacked phones can be used to go on a shopping spree with stolen credit card info, hijack your number or use your account to buy upgraded phones to sell illegally. Criminals can also change the email address associated with your bank account or digital wallet.
“Even if you think you don’t have sensitive material on your phone, you’re still vulnerable,” said Justin Cappos, Ph.D., associate professor of computer science and engineering at New York University’s Tandon School of Engineering. Scammers still have access to information like your email, which is often linked to your banking accounts. Your phone is also often part of a two-step verification process to gain access to various accounts.
The criminal can also install spyware, which is a type of malware that can access your location, movements, and even your phone’s camera and microphone. If you’re listening to Spotify while you’re getting ready in the morning, said Cappos, hackers could theoretically take pictures of you getting into the shower.
About 4 out of every 5 Americans now own a smartphone—up from 35% in 2011, according to a recent Pew Research Center study. Likewise, experts say the threat of phone hacks will continue to rise as more Americans (1 in 5) now use smartphones as their sole access to the internet, according to Pew.
How to know if your phone is hacked
Your phone is taking forever to work or is constantly crashing, or perhaps it won’t shut down or let you get rid of unwanted software. These problems can, of course, arise from other reasons, but they can also be clues that malware has infiltrated your phone—especially if the incidents happen along with other curious behaviors on this list.
Some other signs that may indicate someone else is now controlling your phone:
Spike in data usage. “It’s a dead giveaway,” said Cappos, whose research interests include practical security issues and software updates.
A lot of pop-up ads. Particularly when they appear when you’re not running any particular app or where you’d typically not expect them, like a government website.
Weird browser activity. For instance, there’s an icon or tool on your phone’s web browser that you’ve never seen before.
Records activity you didn’t do. Something is most definitely up if your phone said you visited a website you actually didn’t visit, or people are receiving emails you didn’t write.
iPhone or Android: Which phone is hacked more?
Smartphones can be vulnerable to hacking, but Apple phones are less at risk—mostly because they’re on a closed system. “That’s not always an advantage, but in this case, the rigidity gives you some protection,” said Nasir Memon, Ph.D., a vice dean at NYU’s Tandon School of Engineering and professor of computer science and engineering.
When the iPhone—owned by 44.6% of smartphone users last year—needs to update its security system, it doesn’t have to contend with any other parties to make it happen. As a result, security updates occur much more frequently than with an Android phone.
The closed system also means iPhone users can buy apps only from the App Store, which Apple vets to make sure they’re legit. Google Play works to eliminate bad apps as well, but unlike iPhones, Android users can also download new apps from third parties. That’s where shady apps tend to lurk, said Memon.
Also, with an iPhone, you can set your phone to “Limit Ad Tracking.” “Everyone with an iPhone should do this,” said Capppos. “It’s a valuable and easy step to take to protect your privacy.” Unfortunately, he said, this isn’t an option on Android phones.
OK, my phone’s been hacked. Now what?
If all signs point to foul play and you’re desperately thinking, “My phone has been hacked—how do I fix it?!” keep your wits about you. Depending on the situation, it may be more of an inconvenience than an emergency. Here’s what to do if your phone has been hacked, step by step:
If your phone has stopped working:
- Contact your mobile carrier. A representative can tell you the reason and whether someone has canceled your phone and helped himself to upgraded versions. Your carrier will probably direct you to return to the store where you bought your phone.
- At the store, a rep might be able to tell you whether someone has come in pretending to be you. The rep can also revert your account back to your phone.
- Log in to your account, change your password and add any extra security features available to you, such as a PIN.
- Visit the Federal Trade Commission’s IdentityTheft.gov website, where you can report the theft and receive instructions for issuing a fraud alert and checking your credit report. Let your local police know as well.
If your phone still works but is acting strangely:
- Stop using it to shop, bank or do any other activity that requires you to enter sensitive data (such as passwords).
- Update all software. This is priority No. 1, said Cappos. Then (though this may not be as effective as you hope) scan for viruses and spyware. If you have a hard time doing any of this, get tech support. You might be able to find free help from the company that created the device, such as Apple or Samsung. Be careful about downloading security software—it can be malware masquerading as such.
- If you think sensitive material was compromised, you may have to wipe out your phone. You’ll find iPhone directions here, Pixel directions here, and Galaxy directions here. Beware: Copying your photos and other materials before the wipeout may or may not be safe, depending on how you go about it. “Definitely don’t give your hacked phone access to a Dropbox account or similar with sensitive data,” said Cappos. “If you set up a new account—like a junk email account—and then email things over, this is safer.”
- File a complaint with the FTC and report it to your local police.
- Monitor your personal data to see if it may have been breached.
How do I block future phone hacker attacks?
What’s scarier than realizing your phone is hacked? Not realizing that your phone has been hacked. The most sophisticated scammers do their evil deeds without letting on at all. That said, the best solution to unhacking your phone is to not have it hacked in the first place. Here’s what you can do to protect yourself.
Set your phone to update automatically. “An update almost always fixes a security problem,” said Cappos. If you don’t do it, a hacker will know the weak spots and how to exploit them.
Set your browser for maximum security. Also, pay attention to security warnings. It’s too easy to ignore them—you just want to check your email at the coffee bar, after all! But you’re better safe than sorry.
Limit the number of apps on your phone. Get rid of the ones you barely use. Before you want to download a new app, ask yourself: “Do I really need it?” “Every time you install an app, you’re taking on risk,” said Cappos. While this doesn’t sound at all practical, the best thing to do about apps with sensitive information (like your bank account) or potentially embarrassing photos is to put those on a separate phone, he said.
Check your data and microphone settings. If one of your apps is using a sky-high amount of data, and it shouldn’t, then get rid of it. Also check your microphone settings (under Privacy). Disable permissions for apps that don’t need to have it.
Only download apps from the Apple App Store and Google Play Store. Shady apps tend to come from third parties, whether it’s promoted from its own webpage or via an email. “They’ll try to convince you to install it, but don’t,” said Memon. While of course it’s not a guarantee that you’ll stay safe, it’s a good rule to stay away from apps offered up by “strange places,” as Memon puts it.
Check out the app developer before you buy. As the FTC explains: If it doesn’t provide a phone number or website, then it’s probably not trustworthy. Read the permissions statements and make sure it’s only asking to access parts it needs to function. For example, the music-recognition app Shazam would need your microphone to operate, but a crossword puzzle app does not. If that’s not the case, the app may be taking advantage of permissions for marketing purposes—or worse.
Beware when connecting to public Wi-Fi. “It’s like having a conversation in a public room,” said Cappos. It can be hard to tell if the Wi-Fi is legit, so avoid doing things like shopping with a credit card or banking while connected to it. You’re better off using your phone’s data network or going to the bank’s site instead of using the app. Fix your phone’s settings so it doesn’t automatically connect to nearby Wi-Fi. Also, Cappos said, “ensure your connections to sites are encrypted end-to-end (i.e., HTTPS). Use HTTPS Everywhere or similar to protect yourself.”
Don’t open attachments unless you know exactly what it is and who it’s from. If it’s a link to a company, then access it by typing the URL into your browser.
Know where your phone is at all times. According to a report from Kaspersky Lab, a cybersecurity company, more than 58,000 Android phone users had “stalkerware” (legal spyware) installed, but more than 35,000 of users didn’t realize it was there. To avoid spyware, be careful who you give your device to.
Protect your phone with a six-digit security code. It’s easy enough for you to remember, but difficult for a thief to figure out within the number of attempts limited by the phone, said Memon. “Of course, don’t write that number on your phone.”