How to tell if your phone is hacked: 5 warning signs and what to do next
If your phone is acting strange, this quick checklist helps you decide whether it’s a bug or a breach — and gives step-by-step actions you can run in minutes.
Do these three things now (5-minute triage):
- Check battery and storage (Settings → Battery / Storage) for unusual app usage.
- Dial *#06# to display your IMEI (your phone’s unique ID) and record it somewhere safe.
- Run the forwarding checks below (USSD short codes you type in your dialer) to see if calls/texts are being silently routed away from you.
Quick triage — 5 signs your phone may be compromised
Look for these reliable red flags. Any one of them can be benign, but a cluster of two or more calls for further investigation.
- Rapid battery drain — spyware often runs in the background and consumes power.
- Slower performance, frequent crashes, or freezing — background processes and unauthorized services destabilize the OS.
- Unfamiliar login alerts — MFA prompts or “new sign-in” notices for accounts you use only on your phone.
- Sudden drop in available storage — large hidden logs or recordings can fill space fast.
- Apps you didn’t install — especially apps asking for broad permissions or device-admin privileges.
“Your mobile phone is a treasure trove of personal and confidential information.”
How to check call forwarding and your IMEI (USSD short codes and GUI paths)
Call-forwarding abuse is a common, network-level sign of compromise because attackers can intercept calls and messages. USSD (short codes you type in your dialer) often reveals forwarding without digging through menus.
USSD quick checks (type into your dialer)
View forwarding:
- *#06# — Show IMEI (record this before you report a device).
- *#61# — Check missed-call conditional forwarding and target number.
- *#62# — Check forwarding when phone is off or no signal.
- *#21# — Check unconditional forwarding (all calls).
- *#004# — Show all call redirection settings.
Disable forwarding:
- ##61# — Disable missed-call forwarding.
- ##62# — Disable forwarding when off/no signal.
- ##21# — Disable unconditional forwarding.
- ##002# — Disable all conditional and unconditional forwarding (catch-all).
Safety note: USSD codes do different things on different carriers and devices. The disabling codes above are generally safe, but verify with your carrier if you’re unsure. Never use wipe/reset USSD codes unless you understand the consequences (see wipe section).
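To make the safety note concrete, here is an added example (not part of the original article) that decodes a dialer code before anyone types it. It goes slightly beyond the codes listed above by following the standard prefix and service-code layout from 3GPP TS 22.030. The `decode` helper and the sample forwarding number are assumptions made for illustration, and a carrier may still treat a code differently.

```python
import re

# Procedure prefixes and call-forwarding service codes from 3GPP TS 22.030.
ACTIONS = {"*#": "interrogate", "##": "erase", "**": "register",
           "*": "activate", "#": "deactivate"}
SERVICES = {
    "21": "unconditional forwarding (all calls)",
    "61": "forwarding on no reply",
    "62": "forwarding when off or unreachable",
    "67": "forwarding when busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
}
# prefix, service code, optional *-separated parameters, closing '#'
MMI = re.compile(r"^(\*#|##|\*\*|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")


def decode(code):
    """Describe a dialer code before it is dialed (hypothetical helper)."""
    code = code.replace(" ", "")
    if code == "*#06#":  # device code: shows the IMEI, touches no network setting
        return {"known": True, "action": "show IMEI", "service": None,
                "target": None, "changes_state": False}
    m = MMI.match(code)
    if not m or m.group(2) not in SERVICES:
        # Not a standard forwarding code (vendor wipe/reset codes land here).
        return {"known": False, "action": None, "service": None,
                "target": None, "changes_state": None}
    prefix, sc, params = m.groups()
    fields = params.split("*")[1:]  # first parameter is the forward-to number
    return {"known": True, "action": ACTIONS[prefix], "service": SERVICES[sc],
            "target": fields[0] if fields and fields[0] else None,
            "changes_state": prefix != "*#"}


if __name__ == "__main__":
    # Constructed inputs: the article's codes plus one registration
    # that uses a made-up forwarding number.
    for c in ["*#06#", "*#21#", "*#004#", "##002#", "**21*+15550100#",
              "*2767*3855#", "*#*#7780#*#*"]:
        print(f"{c:18} {decode(c)}")
```

A helpdesk can use the `known` and `changes_state` fields to separate read-only checks from codes that alter forwarding, and to stop anything unrecognized from being dialed.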
GUI alternatives (if you prefer Settings menus)
- Android: Settings → Network & internet → SIMs or Calls → Call forwarding / Advanced (menu labels vary by manufacturer).
- iPhone: Settings → Phone → Call Forwarding (or Settings → Phone → SIM Applications for certain carriers).
If you find unexpected forwarding or unfamiliar numbers, contact your carrier immediately and request an investigation into SIM provisioning and network-side forwarding. Escalate if you suspect a SIM swap or unauthorized provisioning.
Sample carrier escalation script (copy/paste)
“I’ve discovered unexplained call forwarding on my line and believe my account or SIM may have been compromised. Please open a security ticket for SIM provisioning review and provide logs of recent forwarding changes. My IMEI is: [paste IMEI].”
Wipe, recover, and restore safely
A factory reset removes most user-space spyware, but the approach depends on whether you need forensics preserved.
When NOT to wipe
- If the device is part of a corporate investigation, preserve evidence and contact IT/security first.
- If you suspect criminal activity tied to workplace data, law enforcement or legal counsel may need to be involved.
Safe wipe options
- iPhone: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings.
- Android (menu reset): Settings → System (or Settings → General Management) → Reset options → Erase all data (factory reset).
- Android USSD wipe codes (dangerous, device-dependent): *2767*3855# or *#*#7780#*#*. These perform an immediate, irreversible wipe on some devices; many manufacturers/carriers disable them. Only use if you cannot preserve evidence and fully understand the risk.
After wiping:
- Set up as a new device if possible (do not restore a full backup that may reintroduce malware).
- Change passwords for email, cloud, banking, and social accounts from a separate trusted device; enable MFA on all accounts.
- Reinstall apps only from official app stores and grant permissions selectively.
- Notify your bank and employer if sensitive information may have been exposed.
Advanced persistence, zero-click threats, and what to look for next
Some threats are stealthy: zero-click exploits (which require no user action) and sophisticated spyware, such as the tools reported in high-profile cases, can persist or reappear after resets via backups or account compromise.
Checks for advanced persistence:
- iPhone: Settings → General → VPN & Device Management — look for unknown configuration profiles or MDM profiles that you didn’t install.
- Android: Settings → Security → Device admin apps (or Settings → Apps → Special access → Device admin) — revoke unknown device admin rights.
- Check for rooting/jailbreak indicators: unexpected app stores, removal of OEM updates, strange permissions, or an inability to install security updates.
- Run Play Protect (Android) and keep iOS updated — they catch many common threats but not all state-level tools.
If you suspect a zero-click or nation-state scale tool, engage professional incident responders or your company’s security partner; these cases often require specialized forensic work.
For CISOs and IT leaders: fold mobile compromise into your IR playbook
- Make a one-page quick-reference and require employees to report these five red flags immediately.
- Define a “do not wipe” protocol for devices that must be preserved for forensic analysis.
- Collect: device IMEI, carrier account details, forwarding logs, MDM logs, last backup timestamps, and relevant app logs.
- Work with carriers to request SIM provisioning logs and recent changes to forwarding settings; carriers can often block or re-provision SIMs and investigate suspicious account activity.
- Train helpdesk staff with a short script and escalation path; simulate mobile incidents in tabletop exercises.
Priority timeline — what to do now, next 24h, next 72h
- Now (5–15 minutes): Record IMEI, run USSD forwarding checks, capture screenshots of battery/storage and any unfamiliar apps or login alerts.
- Next 24 hours: Contact carrier (provide IMEI and ask for forwarding logs), change critical passwords from a trusted device, enable MFA, and alert IT/security if corporate data is involved.
- Next 72 hours: If suspicious activity persists, preserve the device for forensic analysis or follow your company’s wipe-and-restore procedure. Notify law enforcement if sensitive financial or identity theft risk exists.
Terms to know
- USSD: Short codes you type into your phone dialer to query or change network settings (e.g., call forwarding).
- IMEI: Your phone’s unique identifier; useful when reporting a stolen or compromised device.
- SIM swap: Fraud where attackers transfer your phone number to a new SIM to intercept codes and calls.
- MDM: Mobile Device Management — corporate tools that control and monitor devices.
- Zero-click: An exploit that compromises a device without the user needing to tap a link or install an app.
Want the quick-reference? Turn this checklist into a printable one-page handout for employees or a company-ready incident playbook—use it in training and helpdesk scripts to shorten detection-to-remediation time.
Key takeaways and FAQs
- How can I tell if my phone is hacked?
  Watch for rapid battery drain, slow performance, unfamiliar login alerts, sudden storage loss, and apps you didn’t install. Use IMEI and call-forwarding checks to confirm network-side tampering.
- How do I check whether calls or messages are being forwarded?
  Use USSD codes like *#61#, *#62#, and *#21# to view forwarding; disable with ##61#, ##62#, ##21#, or the catch-all ##002#. GUI paths in Settings are an alternative if you prefer not to use USSD.
- Should I factory reset right away?
  If the device is part of a corporate or legal investigation, preserve it and contact IT/security first. Otherwise, a factory reset is an effective way to remove most spyware—just back up critical data carefully and set up as new to avoid reintroducing malware.
- What should I tell my carrier?
  Provide your IMEI and ask them to open a SIM provisioning/forwarding investigation and to supply logs of recent forwarding or provisioning changes. Use the sample escalation script above to speed things along.
Mobile threats are now a mainstream risk to business and personal privacy. A short, scripted set of checks—battery, storage, IMEI, and forwarding—lets you triage fast. If the situation escalates, involve your carrier, IT team, or professional incident responders so you don’t wipe evidence or miss network-side fixes.