top of page

How To Tell If Your Phone Is Hacked (Android & iOS)

How To Tell If Your Phone Is Hacked (Android & iOS) | Black Hat HQ

Checking if a Phone Is Compromised


here's a structured methodology covering both iOS and Android. I'll break it into detection techniques from high-confidence indicators (you know it's compromised) down to subtle anomalies that warrant further investigation. This is a guide on how to tell if your phone is hacked.


Android - Signs of Compromise


High Confidence Indicators


1. Check for sideloaded apps (the most common infection vector)


bash

# From the phone or via ADB shell after enabling USB debugging
pm list packages -i   # Lists every app with its installer

Look for apps installed by "com.android.vending" (Play Store) — anything installed by a different source (ADB, unknown sources, package installer local files) is suspicious. Pay special attention to:


  • Apps with generic names like "System Update", "Settings", "WiFi Service", "Security Manager" that aren't genuine system packages

  • Launcher apps that hide their icon from the drawer

  • Apps with zero permissions that shouldn't exist


2. Device administrator abuse


bash

# List device admin apps
dumpsys device_policy

Malware often registers itself as a device admin to prevent uninstallation. Look for apps with admin privileges that aren't from recognizable companies (Samsung, Google, MDM solutions).


3. Accessibility service abuse (keylogging, overlay attacks)


bash

# Dump accessibility service state
dumpsys accessibility

Check for any third-party accessibility services enabled. This is the most common malware permission — it grants the ability to read screen content, inject keystrokes, and draw overlays on top of other apps. Banking trojans and spyware almost always request this.


4. Network traffic anomalies


bash

# From a rooted phone, capture DNS queries
tcpdump -i any -n port 53

# Or check saved DNS cache
dumpsys netstats | grep -E "(uid|traffic)"

Look for connections to:


  • Known C2 domains (check against threat intel feeds)

  • IPs in data center ranges (158.247.x.x, 45.33.x.x, etc.) that aren't Google/cloud services

  • Encrypted traffic to unusual destinations at consistent intervals


5. Check for non-Play Store app sources


bash

# Verify Unknown Sources / install other apps setting
settings get secure install_non_market_apps
settings get global package_verifier_enable

If install from unknown sources is enabled and the user didn't set it, that's suspicious. Also check if Play Protect is disabled:


bash

settings get global package_verifier_user_consent
settings get global upload_apk_enable

Moderate Confidence Indicators


6. Examine running services for suspicious background processes


bash

# Current running processes
ps -A | grep -E "(\.(com|org|net)\.[a-z]|[0-9]{3})"

Look for processes named to look like Google services but with typos: com.google.andrpid.gmscom.android.sysytemuicom.securty.app.


7. Check battery stats for unusual drain


bash

# Top battery offenders
dumpsys batterystats --charged --checkin | grep "uid="

Battery drain from an unknown UID is suspicious. Also check wakelocks:


bash

dumpsys power | grep WAKE_LOCK

Malware trying to beacon or exfiltrate data holds wake locks, preventing deep sleep.


8. Outgoing SMS to premium numbers


bash

# Check SMS logs for premium rate numbers (shortcodes)
content query --uri content://sms/sent --projection address,body,date

Look for messages to 4-6 digit numbers, especially if the user doesn't remember sending them.


9. Installed certificates (MITM proxy detection)


bash

# List user-installed certificates
keytool -list -keystore /data/misc/user/0/cacerts-added -storepass changeit

If you see unknown CA certificates that weren't installed by corporate MDM, someone is likely intercepting HTTPS traffic on this device.


How to Collect All This Efficiently


On a rooted device with ADB enabled:


bash

# Automated triage script — run from your attack machine
cat << 'SCRIPT' > mobile_triage.sh
#!/bin/bash
DEVICE=$1
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
OUTDIR="mobile_triage_${TIMESTAMP}"
mkdir -p "$OUTDIR"

echo "[*] Pulling installed packages..."
adb -s $DEVICE shell pm list packages -i > "$OUTDIR/packages.txt"

echo "[*] Pulling running processes..."
adb -s $DEVICE shell ps -A > "$OUTDIR/processes.txt"

echo "[*] Pulling device admins..."
adb -s $DEVICE shell dumpsys device_policy > "$OUTDIR/device_policy.txt"

echo "[*] Pulling accessibility services..."
adb -s $DEVICE shell dumpsys accessibility > "$OUTDIR/accessibility.txt"

echo "[*] Pulling battery stats..."
adb -s $DEVICE shell dumpsys batterystats --charged --checkin > "$OUTDIR/battery.txt"

echo "[*] Pulling network stats..."
adb -s $DEVICE shell dumpsys netstats > "$OUTDIR/netstats.txt"

echo "[*] Pulling installed certificates..."
adb -s $DEVICE shell keytool -list -keystore /data/misc/user/0/cacerts-added -storepass changeit > "$OUTDIR/certs_user.txt" 2>/dev/null

echo "[*] Pulling wakelocks..."
adb -s $DEVICE shell dumpsys power | grep WAKE_LOCK > "$OUTDIR/wakelocks.txt"

echo "[*] Packing..."
tar czf "${OUTDIR}.tar.gz" "$OUTDIR"
echo "[+] Done: ${OUTDIR}.tar.gz"
SCRIPT

iOS - Signs of Compromise


iOS is harder to assess because the OS is more locked down. Most iOS infections are either iCloud-related (phishing for Apple ID credentials, SIM swapping to intercept SMS for account takeover) or configuration-based (malicious MDM profiles).


High Confidence Indicators


1. MDM and configuration profiles


bash

# From an SSH session on a jailbroken device, or via Apple Configurator
ls -la /var/MobileDevice/ConfigurationProfiles/

# Check for installed profiles
profiles show

Look for profiles that:

  • Install a root CA certificate (enables HTTPS interception)

  • Configure a proxy server

  • Redirect traffic through a specific gateway

  • Have no identifiable organization description


2. Enterprise certificate abuse (legitimate cert, malicious app)


bash

# List enterprise-signed apps
ls -la /private/var/containers/Bundle/Application/

iOS malware often uses stolen enterprise developer certificates to sideload apps outside the App Store. These apps don't show notifications in Settings → VPN & Device Management. Check for any app with an iTunesMetadata.plist that references a non-Apple enterprise certificate.


3. Outgoing traffic to suspicious destinations


bash

# On jailbroken device — monitor DNS
tcpdump -i awdl0 -n port 53 2>/dev/null

Look for beaconing behavior: consistent outbound connections at fixed intervals, especially to IPs in data center ASNs.


4. Certificate trust stores (MITM indicator)


sh

# Unjailbroken: Settings → General → About → Certificate Trust Settings
# Check for any non-Apple root certificates that are "trusted"

If there's a user-installed root CA in the trusted store that wasn't put there by the user's IT department, the device is likely having HTTPS traffic intercepted. This is the single strongest indicator on iOS because it requires deliberate user action to install.


5. Keyboard extension / custom keyboards (keystroke logging)


Settings → General → Keyboard → Keyboards → Add New Keyboard

Check for third-party keyboards that appear on this list that the user didn't add. Custom keyboard extensions have full access to everything typed, including passwords if "Allow Full Access" is enabled.


Moderate Confidence Indicators


6. Unusual network configuration (VPN, proxy)

Settings → General → VPN & Device Management
Settings → Wi-Fi → (i) → Configure Proxy

Look for:

  • A VPN configuration the user didn't install (often used for traffic exfiltration)

  • An HTTP proxy configured on the WiFi connection (MITM)

  • A PAC file URL (can be malicious)


7. App anomalies on a jailbroken device


sh

# Check for suspicious daemons
ls -la /Library/LaunchDaemons/

Look for plist files that launch something in /private/var/mobile/ or /tmp/ rather than system paths. Also check:


sh

# Substrate/MobileSubstrate tweaks
ls /Library/MobileSubstrate/DynamicLibraries/

Any unknown .dylib files injected into processes.


8. iCloud account anomalies (account takeover)


  • Log into iCloud.com and check Settings → Devices — any unknown devices?

  • Apple ID → Password & Security — any unfamiliar phone numbers for SMS recovery?

  • Check Sent Messages in iMessage — messages the user didn't send? (Sign of SMS forwarding)


Network-Level Detection


If you can put the phone on a network you control (simulate a WiFi network with tcpdump or a transparent proxy), capture traffic for 30-60 minutes while the phone sits idle:


bash

# From your attack machine as the gateway/AP
tcpdump -i wlan0 -w phone_traffic.pcap 'host <phone_ip>'

# Identify suspicious destinations
tshark -r phone_traffic.pcap -T fields -e dns.qry.name -e ip.dst \
    | sort | uniq -c | sort -rn | head -30

What to look for:


  • DNS queries to domains registered within the last 90 days

  • Connections to IPs associated with known C2 infrastructure

  • Unusual periodic traffic to a single IP (beaconing)

  • Traffic to cloud infrastructure (AWS, DigitalOcean, Hetzner) on non-standard ports

  • Data uploads that are consistently sized suggesting encrypted exfiltration


What You Won't Easily Find


Pegasus and zero-click exploits (NSO Group, Intellexa, etc.) — these infections leave almost no trace on the device. The forensic artifacts exist in the sysdiag (iOS) or logcat (Android), but they're deleted during the infection process. You generally need:


  • Android: Check for known compromise via Android Device Security Database artifacts (specific files in /data/system/ that shouldn't exist)


  • iOS: The sysdiagnose logs may show process crashes from the exploit, but NSO variants clean these. You'd need a physical device extraction and analysis with Cellebrite or GrayKey


For practical mobile pentesting, if you're not working on a high-value executive target, the detection methods above will catch 95%+ of commodity spyware and malware.


Quick Triage Checklist


Regardless of platform, here's a 5-minute triage:


  1. Check for unknown installed apps — most infections start here

  2. Check device admin / MDM profiles — persistent abuse vector

  3. Check accessibility services — Android spyware tell

  4. Check certificate trust store — iOS MITM indicator

  5. Check network traffic — beaconing to C2

  6. Check battery drain / background activity

  7. Check for premium SMS / unusual data usage


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page