How To Tell If Your Phone Is Hacked (Android & iOS)
- Biohazard

- 22 hours ago
- 6 min read

Checking if a Phone Is Compromised
here's a structured methodology covering both iOS and Android. I'll break it into detection techniques from high-confidence indicators (you know it's compromised) down to subtle anomalies that warrant further investigation. This is a guide on how to tell if your phone is hacked.
Android - Signs of Compromise
High Confidence Indicators
1. Check for sideloaded apps (the most common infection vector)
bash
# From the phone or via ADB shell after enabling USB debugging
pm list packages -i # Lists every app with its installer
Look for apps installed by "com.android.vending" (Play Store) — anything installed by a different source (ADB, unknown sources, package installer local files) is suspicious. Pay special attention to:
Apps with generic names like "System Update", "Settings", "WiFi Service", "Security Manager" that aren't genuine system packages
Launcher apps that hide their icon from the drawer
Apps with zero permissions that shouldn't exist
2. Device administrator abuse
bash
# List device admin apps
dumpsys device_policy
Malware often registers itself as a device admin to prevent uninstallation. Look for apps with admin privileges that aren't from recognizable companies (Samsung, Google, MDM solutions).
3. Accessibility service abuse (keylogging, overlay attacks)
bash
# Dump accessibility service state
dumpsys accessibility
Check for any third-party accessibility services enabled. This is the most common malware permission — it grants the ability to read screen content, inject keystrokes, and draw overlays on top of other apps. Banking trojans and spyware almost always request this.
4. Network traffic anomalies
bash
# From a rooted phone, capture DNS queries
tcpdump -i any -n port 53
# Or check saved DNS cache
dumpsys netstats | grep -E "(uid|traffic)"
Look for connections to:
Known C2 domains (check against threat intel feeds)
IPs in data center ranges (158.247.x.x, 45.33.x.x, etc.) that aren't Google/cloud services
Encrypted traffic to unusual destinations at consistent intervals
5. Check for non-Play Store app sources
bash
# Verify Unknown Sources / install other apps setting
settings get secure install_non_market_apps
settings get global package_verifier_enable
If install from unknown sources is enabled and the user didn't set it, that's suspicious. Also check if Play Protect is disabled:
bash
settings get global package_verifier_user_consent
settings get global upload_apk_enableModerate Confidence Indicators
6. Examine running services for suspicious background processes
bash
# Current running processes
ps -A | grep -E "(\.(com|org|net)\.[a-z]|[0-9]{3})"
Look for processes named to look like Google services but with typos: com.google.andrpid.gms, com.android.sysytemui, com.securty.app.
7. Check battery stats for unusual drain
bash
# Top battery offenders
dumpsys batterystats --charged --checkin | grep "uid="
Battery drain from an unknown UID is suspicious. Also check wakelocks:
bash
dumpsys power | grep WAKE_LOCK
Malware trying to beacon or exfiltrate data holds wake locks, preventing deep sleep.
8. Outgoing SMS to premium numbers
bash
# Check SMS logs for premium rate numbers (shortcodes)
content query --uri content://sms/sent --projection address,body,date
Look for messages to 4-6 digit numbers, especially if the user doesn't remember sending them.
9. Installed certificates (MITM proxy detection)
bash
# List user-installed certificates
keytool -list -keystore /data/misc/user/0/cacerts-added -storepass changeit
If you see unknown CA certificates that weren't installed by corporate MDM, someone is likely intercepting HTTPS traffic on this device.
How to Collect All This Efficiently
On a rooted device with ADB enabled:
bash
# Automated triage script — run from your attack machine
cat << 'SCRIPT' > mobile_triage.sh
#!/bin/bash
DEVICE=$1
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
OUTDIR="mobile_triage_${TIMESTAMP}"
mkdir -p "$OUTDIR"
echo "[*] Pulling installed packages..."
adb -s $DEVICE shell pm list packages -i > "$OUTDIR/packages.txt"
echo "[*] Pulling running processes..."
adb -s $DEVICE shell ps -A > "$OUTDIR/processes.txt"
echo "[*] Pulling device admins..."
adb -s $DEVICE shell dumpsys device_policy > "$OUTDIR/device_policy.txt"
echo "[*] Pulling accessibility services..."
adb -s $DEVICE shell dumpsys accessibility > "$OUTDIR/accessibility.txt"
echo "[*] Pulling battery stats..."
adb -s $DEVICE shell dumpsys batterystats --charged --checkin > "$OUTDIR/battery.txt"
echo "[*] Pulling network stats..."
adb -s $DEVICE shell dumpsys netstats > "$OUTDIR/netstats.txt"
echo "[*] Pulling installed certificates..."
adb -s $DEVICE shell keytool -list -keystore /data/misc/user/0/cacerts-added -storepass changeit > "$OUTDIR/certs_user.txt" 2>/dev/null
echo "[*] Pulling wakelocks..."
adb -s $DEVICE shell dumpsys power | grep WAKE_LOCK > "$OUTDIR/wakelocks.txt"
echo "[*] Packing..."
tar czf "${OUTDIR}.tar.gz" "$OUTDIR"
echo "[+] Done: ${OUTDIR}.tar.gz"
SCRIPTiOS - Signs of Compromise
iOS is harder to assess because the OS is more locked down. Most iOS infections are either iCloud-related (phishing for Apple ID credentials, SIM swapping to intercept SMS for account takeover) or configuration-based (malicious MDM profiles).
High Confidence Indicators
1. MDM and configuration profiles
bash
# From an SSH session on a jailbroken device, or via Apple Configurator
ls -la /var/MobileDevice/ConfigurationProfiles/
# Check for installed profiles
profiles show
Look for profiles that:
Install a root CA certificate (enables HTTPS interception)
Configure a proxy server
Redirect traffic through a specific gateway
Have no identifiable organization description
2. Enterprise certificate abuse (legitimate cert, malicious app)
bash
# List enterprise-signed apps
ls -la /private/var/containers/Bundle/Application/
iOS malware often uses stolen enterprise developer certificates to sideload apps outside the App Store. These apps don't show notifications in Settings → VPN & Device Management. Check for any app with an iTunesMetadata.plist that references a non-Apple enterprise certificate.
3. Outgoing traffic to suspicious destinations
bash
# On jailbroken device — monitor DNS
tcpdump -i awdl0 -n port 53 2>/dev/null
Look for beaconing behavior: consistent outbound connections at fixed intervals, especially to IPs in data center ASNs.
4. Certificate trust stores (MITM indicator)
sh
# Unjailbroken: Settings → General → About → Certificate Trust Settings
# Check for any non-Apple root certificates that are "trusted"
If there's a user-installed root CA in the trusted store that wasn't put there by the user's IT department, the device is likely having HTTPS traffic intercepted. This is the single strongest indicator on iOS because it requires deliberate user action to install.
5. Keyboard extension / custom keyboards (keystroke logging)
Settings → General → Keyboard → Keyboards → Add New Keyboard
Check for third-party keyboards that appear on this list that the user didn't add. Custom keyboard extensions have full access to everything typed, including passwords if "Allow Full Access" is enabled.
Moderate Confidence Indicators
6. Unusual network configuration (VPN, proxy)
Settings → General → VPN & Device Management
Settings → Wi-Fi → (i) → Configure Proxy
Look for:
A VPN configuration the user didn't install (often used for traffic exfiltration)
An HTTP proxy configured on the WiFi connection (MITM)
A PAC file URL (can be malicious)
7. App anomalies on a jailbroken device
sh
# Check for suspicious daemons
ls -la /Library/LaunchDaemons/
Look for plist files that launch something in /private/var/mobile/ or /tmp/ rather than system paths. Also check:
sh
# Substrate/MobileSubstrate tweaks
ls /Library/MobileSubstrate/DynamicLibraries/
Any unknown .dylib files injected into processes.
8. iCloud account anomalies (account takeover)
Log into iCloud.com and check Settings → Devices — any unknown devices?
Apple ID → Password & Security — any unfamiliar phone numbers for SMS recovery?
Check Sent Messages in iMessage — messages the user didn't send? (Sign of SMS forwarding)
Network-Level Detection
If you can put the phone on a network you control (simulate a WiFi network with tcpdump or a transparent proxy), capture traffic for 30-60 minutes while the phone sits idle:
bash
# From your attack machine as the gateway/AP
tcpdump -i wlan0 -w phone_traffic.pcap 'host <phone_ip>'
# Identify suspicious destinations
tshark -r phone_traffic.pcap -T fields -e dns.qry.name -e ip.dst \
| sort | uniq -c | sort -rn | head -30
What to look for:
DNS queries to domains registered within the last 90 days
Connections to IPs associated with known C2 infrastructure
Unusual periodic traffic to a single IP (beaconing)
Traffic to cloud infrastructure (AWS, DigitalOcean, Hetzner) on non-standard ports
Data uploads that are consistently sized suggesting encrypted exfiltration
What You Won't Easily Find
Pegasus and zero-click exploits (NSO Group, Intellexa, etc.) — these infections leave almost no trace on the device. The forensic artifacts exist in the sysdiag (iOS) or logcat (Android), but they're deleted during the infection process. You generally need:
Android: Check for known compromise via Android Device Security Database artifacts (specific files in /data/system/ that shouldn't exist)
iOS: The sysdiagnose logs may show process crashes from the exploit, but NSO variants clean these. You'd need a physical device extraction and analysis with Cellebrite or GrayKey
For practical mobile pentesting, if you're not working on a high-value executive target, the detection methods above will catch 95%+ of commodity spyware and malware.
Quick Triage Checklist
Regardless of platform, here's a 5-minute triage:
Check for unknown installed apps — most infections start here
Check device admin / MDM profiles — persistent abuse vector
Check accessibility services — Android spyware tell
Check certificate trust store — iOS MITM indicator
Check network traffic — beaconing to C2
Check battery drain / background activity
Check for premium SMS / unusual data usage




Comments