Your smartphone contains a wealth of personal and sensitive information, making it a major target for cybercriminals seeking to breach or steal your data. Through harmful applications and websites, phishing schemes, and various other threats, an attacker can take control of your device using spyware. So, how can you determine if your phone has been compromised or tampered with?
Amy Clark, the managing editor of the consumer review site Techreport, has compiled a useful guide on the risks associated with phone hacking. This guide provides tips on recognizing signs that your phone may have been breached and offers strategies to defend against the intruder.
Signs that your phone has been hacked:
1. Your battery discharges faster than normal. Any spyware present on your phone continuously operates to monitor your activities and transmit the information to the hacker. This results in a quicker depletion of your battery. Stay alert for any unexpected decreases in your battery level. Check your phone’s battery settings to see if the charge is dropping more significantly than usual.
2. Your phone is functioning more slowly. Does your device feel sluggish compared to before, or are applications crashing or freezing? These could be indicators that someone has infiltrated your device. Pay attention to how long it takes to open apps or perform other tasks to assess if the performance is lagging.
3. Unfamiliar logins are occurring. Social media platforms often notify users of unusual login attempts, such as those from an odd hour or a distant location. Such notifications may suggest that someone has gained access to your mobile device and is attempting to log into your accounts with your credentials. In that case, be sure to change the password for the compromised account.
4. Available storage space has decreased. Although spyware is not visible, it does consume storage on your device. If you suspect a loss of free space, check your used storage in the settings. If you haven’t recently installed new apps or added content, see if the amount of used space has increased since your last check.
5. Apps you don’t recall installing. If you discover an application that you don’t remember installing, it could be the work of a hacker. Go through all the installed apps on your device to find any that seem unfamiliar and remove them.
How to respond to a hack:
If you suspect that your phone has been hacked or tapped, how can you take action? One creative suggestion from Clark is to utilize a USSD code. Typically provided by your mobile service provider, USSD (Unstructured Supplementary Service Data) codes consist of short sequences of numbers that you can enter on your phone’s keypad to check your account balance, solve technical issues, and access special features.
Additionally, certain USSD codes can reveal whether your calls are being diverted to a different phone number, which indicates that your device has been compromised. Other codes can halt the call redirection. Keep in mind that call forwarding can also be set up legitimately (to voicemail, for instance), so confirm any unfamiliar forwarding number with your carrier before assuming the worst.
As Clark explains, there are two kinds of call forwarding: conditional and unconditional. Conditional forwarding occurs when specific conditions are met, such as failing to answer the call or turning off your phone. Unconditional forwarding happens regardless of your phone’s status.
Using a USSD code is straightforward. Simply open your phone app, select the keypad, and type in the code. You may also need to press the Call button.
Here are several useful USSD codes suggested by Clark.
*#06# – This code reveals your phone’s unique IMEI (International Mobile Equipment Identity) number. You’ll need this number if you suspect your device has been hacked and wish to file a report with your provider or even the authorities.
*#61# – This code tells you whether calls you don’t answer are being redirected to a different number, which is conditional forwarding. The response shows whether call forwarding or SMS forwarding is active and the number receiving them. If it is active, every missed call and message is being sent to that number.
##61# – This code turns off missed call forwarding. If you find that your calls are being directed to another number, simply enter this code to disable call forwarding. Afterwards, dial *#61# to confirm that forwarding has been disabled. I tested this code on one of my Android phones that had call forwarding active, and it successfully disabled it.
*#62# – This code indicates if calls are being redirected when your phone is off or has no signal, which is another sign of conditional forwarding. You’ll also see the number that is receiving your calls.
##62# – This code deactivates call forwarding when your phone is powered down or without a signal.
*#21# – This code shows if your calls are being unconditionally forwarded in every circumstance, meaning all calls are redirected.
##21# – This code disables unconditional forwarding. If you must use this code, reach out to your mobile provider to check if they’re aware of any suspicious activity related to your SIM.
*#004# – This code displays all call redirection settings on your device. It provides information about all incoming calls, voicemails, and SMS messages, revealing if they’re being redirected and to which number. This code is a helpful tool in identifying redirect configurations.
##002# – This command will deactivate all forms of conditional and unconditional call forwarding. Use this code to turn off everything, particularly if some call forwarding is still enabled after trying the other codes.
*2767*3855# or *#*#7780#*#* – These codes can restore your phone to factory settings but are only applicable to Android devices. If you suspect your phone has malware or spyware, using this reset method can eliminate the threat. They are handset-specific, and not every Android model honors them; if nothing happens, use the manual reset described below. Back up anything you need first, because a factory reset erases all of your data. It also resets only the handset: call forwarding is stored on the carrier’s network, so run the forwarding codes again afterwards to confirm nothing is still diverted.
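To make the code list above easier to reason about, here is an added Python example (not code from Clark or Techreport) that decodes dialer strings using the MMI syntax defined in 3GPP TS 22.030, which is what the codes above are: `*#SC#` interrogates a service, `##SC#` erases it, `*SC*number#` activates it, and so on. It goes beyond the article’s list by covering the busy-forwarding code (67) and the activate/register forms, and it turns a set of interrogation results into findings paired with the matching erase code. The `triage` input is a constructed sample of what a user might note down after dialing each code; the vendor reset codes are marked as handset-local because the dialer, not the network, handles them.

```python
import re

# Call-forwarding service codes from 3GPP TS 22.030 (the MMI strings a
# phone's dialer turns into network supplementary-service requests).
SERVICE_CODES = {
    "21": "unconditional forwarding (CFU)",
    "61": "forwarding on no reply (CFNRy)",
    "62": "forwarding when not reachable (CFNRc)",
    "67": "forwarding when busy (CFB)",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
}

# Action syntax from TS 22.030: the punctuation around the service code
# (SC) selects the operation; SI is an optional forward-to number.
ACTION_PATTERNS = [
    ("register",    re.compile(r"^\*\*(\d{2,3})(?:\*([+\d]*))?#$")),
    ("interrogate", re.compile(r"^\*#(\d{2,3})#$")),
    ("erase",       re.compile(r"^##(\d{2,3})#$")),
    ("activate",    re.compile(r"^\*(\d{2,3})(?:\*([+\d]*))?#$")),
    ("deactivate",  re.compile(r"^#(\d{2,3})#$")),
]

# Strings handled by the handset itself rather than sent to the network.
HANDSET_LOCAL = {
    "*#06#": ("display", "IMEI"),
    "*2767*3855#": ("vendor", "factory reset (model dependent)"),
}
ANDROID_SECRET = re.compile(r"^\*#\*#(\d+)#\*#\*$")


def decode_mmi(code: str) -> dict:
    """Classify one dialer string: what it asks for, which service, any number."""
    code = code.strip()
    if code in HANDSET_LOCAL:
        action, service = HANDSET_LOCAL[code]
        return {"action": action, "service": service, "sc": None,
                "number": None, "network_request": False}
    if ANDROID_SECRET.match(code):
        return {"action": "vendor", "sc": None, "number": None,
                "service": "Android dialer secret code (model dependent)",
                "network_request": False}
    for action, pattern in ACTION_PATTERNS:
        m = pattern.match(code)
        if m:
            sc = m.group(1)
            number = m.group(2) if pattern.groups > 1 else None
            return {"action": action, "sc": sc,
                    "service": SERVICE_CODES.get(sc, "unknown service code"),
                    "number": number or None, "network_request": True}
    raise ValueError(f"not a recognised MMI string: {code!r}")


def erase_code_for(interrogate_code: str) -> str:
    """Return the ##SC# string that erases the forwarding that *#SC# reports."""
    info = decode_mmi(interrogate_code)
    if info["action"] != "interrogate":
        raise ValueError("expected an interrogation code such as *#61#")
    return f"##{info['sc']}#"


def triage(results: dict) -> list:
    """Turn interrogation results (code -> forward-to number, or None) into findings.

    A number on the unconditional service is the most serious case; a number on
    a conditional service may simply be the carrier's voicemail, so that finding
    asks for review rather than asserting compromise.
    """
    findings = []
    for code, number in results.items():
        if not number:
            continue
        info = decode_mmi(code)
        severity = "high" if info["sc"] in ("21", "002") else "review"
        findings.append({"code": code, "service": info["service"],
                         "number": number, "severity": severity,
                         "erase_with": erase_code_for(code)})
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    # Constructed sample: what a user might write down after dialing each code.
    sample = {"*#21#": None, "*#61#": "+15550001234", "*#62#": None}
    for f in triage(sample):
        print(f"[{f['severity']}] {f['service']} -> {f['number']} "
              f"(erase with {f['erase_with']})")
```

The severity split mirrors the article’s distinction: unconditional forwarding (code 21) sends every call elsewhere and is rarely set by accident, while a number behind a conditional code is often just the carrier’s voicemail platform and should be checked with the provider before it is erased.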
For manual resets, on an iPhone, go to Settings, select General, and then tap on Transfer or Reset iPhone. On the following screen, choose “Erase All Content and Settings” and follow the prompts to reset your device. For an Android phone, access Settings, find Reset Options or something similar, and follow the instructions to perform a factory reset.
Why restarting your phone every day serves as the best protection against zero-click attacks
Phone hacking methods are becoming increasingly subtle. Thus, you should treat your phone as if it were a computer, according to this cybersecurity specialist.
In recent years, spyware has frequently been discovered on the devices of journalists, activists, and politicians, including U.S. officials, heightening fears over the rapid spread of spyware technology and the subsequent lack of protections in the tech industry amid rising threats.
Recently, Meta’s WhatsApp announced that it had uncovered a hacking operation affecting around 90 users, primarily journalists and members of civil society across numerous countries. A WhatsApp spokesperson indicated that the Israeli spyware company Paragon Solutions, since acquired by the Florida-based private equity firm AE Industrial Partners, was responsible for the attack.
What does zero-click capability mean?
Paragon’s spyware, Graphite, was found to have infiltrated WhatsApp groups by merely sending users a harmful PDF attachment. Without the users’ awareness, it can access and read messages on encrypted platforms like WhatsApp and Signal.
This technique is known as a zero-click attack, meaning that victims do not need to take any action for their devices to be compromised. In contrast, phishing or one-click attacks necessitate some interaction with a malicious link or attachment. In a zero-click compromise, the attacker exploits a security vulnerability to covertly gain full access to the device.
In a conversation with us, Rocky Cole, co-founder of the mobile threat protection firm iVerify, explained that “in the case of Graphite, through WhatsApp, some kind of payload, like a PDF or an image, [was sent to the victims’ devices] and the underlying processes that receive and handle those packages have vulnerabilities that the attackers exploit [to] infect the phone.”
While public reports do not clarify “whether Graphite can engage in privilege escalation [vulnerability] and function outside WhatsApp or even penetrate the iOS kernel itself, we have data from our detections and other work with customers indicating that privilege escalation via WhatsApp to gain kernel access is indeed feasible,” Cole stated.
iVerify has found cases where “multiple crashes of WhatsApp on [mobile] devices [they’re] monitoring with iVerify” appeared to be malicious, suggesting that such attacks could be “potentially more widespread” than the 90 individuals reported to have been affected by Graphite.
Although the WhatsApp attack mainly targeted civil society members, mobile spyware poses a growing threat to everyone because mobile exploitation is more prevalent than many may realize, according to Cole. Furthermore, “this leads to an emergent ecosystem surrounding mobile spyware development and an increasing number of venture capital-backed mobile spyware companies are ‘under pressure to become profitable enterprises,’” he noted.
This ultimately “creates marketing competition” among spyware vendors and “reduces barriers” that might prevent mobile exploitation attacks.
Just a month prior, WhatsApp won a lawsuit against NSO when a federal judge in California determined that NSO was taking advantage of a security vulnerability within the messaging app to deploy Pegasus. The notorious NSO Group, recognized for infecting the phones of journalists, activists, and Palestinian rights organizations, has similarly utilized zero-click capabilities through their Israeli-developed Pegasus spyware, a commercial spyware and phone hacking tool.
Historically, the NSO Group has refrained from selling to clients based in the U.S. and has also faced a ban from the U.S. Commerce Department during the Biden administration for allegedly providing spyware to authoritarian regimes. However, “changing political landscapes [under the Trump administration] raise the likelihood that spyware could become more common in the United States” — intensifying mobile exploitation.
“And the world is completely unprepared to address this,” Cole asserted.
Best practices for safeguarding your device
Cole suggests that individuals should handle their phones similarly to how they would a computer. This implies that, just as one would implement a set of best practices to safeguard traditional devices like laptops from exploitation and threats, those same standards and methods should be applied to smartphones. This includes restarting your phone every day because “many of these exploits reside only in memory. They aren’t files, and by rebooting your device, theoretically, you should be able to eliminate the malware as well,” he explained.
Nonetheless, Cole also points out that if it involves a zero-click vulnerability such as Graphite or Pegasus, reinfection can occur easily, which is why it’s advisable to utilize a mobile security solution to determine if you’ve been targeted. The iVerify mobile threat scanner for advanced mobile compromise is available for just $1 and is user-friendly. To find out how to download and test the app yourself, refer to our guide on detecting infamous NSO spyware on your device.
If you’re using an Apple device, you might also consider activating lockdown mode. Cole explains that “lockdown mode effectively limits some capabilities of internet-facing applications [which can] somewhat decrease the attack surface.”
The only effective way to truly protect yourself against zero-click vulnerabilities is to rectify the underlying weaknesses. As Cole highlighted, this means that only Apple, Google, and app developers can address this issue, making it crucial for end users to apply new security patches as soon as they are available.