Finding out your phone was hacked hits like a punch to the chest. Your first instinct is to panic. Resist it. The actions you take in the next 30 minutes will determine how much damage gets done — and whether you have the evidence needed to do something about it.
This guide covers exactly what to do, in order. Don't skip steps. The sequence matters.
1 Disconnect From Wi-Fi and Mobile Data
Your first move is to cut the attacker's access. If malware is actively running on your phone, it's communicating with servers controlled by whoever deployed it — uploading your files, relaying your messages, or waiting for commands. Disconnecting severs that channel immediately.
This isn't a permanent fix, but it buys you time. It also preserves the state of your device for forensic purposes before anything else gets modified or deleted.
Toggle Airplane Mode on. On iPhone: swipe into Control Center and tap the airplane icon. On Android: pull down the notification shade and tap Airplane Mode. This disables Wi-Fi, cellular, and Bluetooth simultaneously. Leave it on until you've worked through Steps 2 and 3.
2 Check for Unfamiliar Apps and Account Activity
With the network cut, now audit your device. Attackers typically install tools to maintain access — stalkerware, remote access apps, keyloggers — and they're usually disguised as something plausible. Look for anything you don't remember installing, especially apps with vague names like "System Helper," "Device Manager," or clones of real apps with slightly different icons.
Beyond apps, check your sent messages across SMS, email, and every social app. Look at your call logs. Review your "Devices" or "Active Sessions" settings on your Google, Apple, or Microsoft account to see if any unrecognized devices have logged in.
- iPhone: Settings → General → iPhone Storage. Scroll through every app.
- Android: Settings → Apps. Sort by install date to spot recent additions.
- Review permissions under Settings → Privacy → Permission Manager.
- Screenshot anything suspicious before you delete it; you'll need that evidence later.
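One way to do the Android half of this audit from a trusted computer, as an added example that is not part of the original guide: the script parses a saved copy of `adb shell dumpsys package` output and lists apps that combine at least two warning signals (recent install, installer other than the Play Store, sensitive permission granted). The sample dump, its package names, the 30-day window and the two-signal threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

PLAY_STORE = "com.android.vending"
# Runtime permissions that expose messages, calls, contacts, mic, camera, location.
SENSITIVE = {"READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS",
             "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION"}

# Constructed sample shaped like `adb shell dumpsys package` output (made-up names).
SAMPLE = """\
Package [com.example.notes] (1a2b3c):
    installerPackageName=com.android.vending
    firstInstallTime=2023-02-11 09:14:02
    runtime permissions:
      android.permission.CAMERA: granted=true
Package [com.sys.helper.update] (4d5e6f):
    installerPackageName=null
    firstInstallTime=2024-06-03 22:41:17
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=false
Package [com.example.game] (778899):
    installerPackageName=com.android.vending
    firstInstallTime=2024-06-01 18:00:00
"""

def audit(dump, now, window_days=30):
    """Return [(package, reasons)] for apps showing two or more warning signals."""
    findings = []
    for chunk in re.split(r"^[ \t]*Package \[", dump, flags=re.M)[1:]:
        name, reasons = chunk.split("]", 1)[0], []
        when = re.search(r"firstInstallTime=([\d-]+ [\d:]+)", chunk)
        if when:
            installed = datetime.strptime(when.group(1), "%Y-%m-%d %H:%M:%S")
            if now - installed <= timedelta(days=window_days):
                reasons.append("installed recently")
        installer = (re.findall(r"installerPackageName=(\S+)", chunk) or ["null"])[0]
        if installer != PLAY_STORE:
            reasons.append("not installed by Play Store (" + installer + ")")
        risky = sorted(set(re.findall(r"permission\.(\w+): granted=true", chunk)) & SENSITIVE)
        if risky:
            reasons.append("granted " + ", ".join(risky))
        if len(reasons) >= 2:  # a single signal is common for legitimate apps
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, datetime(2024, 6, 10)))
```

A flagged package is a prompt for manual review and a screenshot, not proof of compromise; real `dumpsys` output carries many more fields than the trimmed sample.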
3 Run a Breach Check
Hacking a phone is rarely the end goal — it's the means to access your accounts. Your credentials may already be circulating on dark web markets or breach databases. A breach check tells you exactly which of your accounts have been exposed, what data was taken, and when it happened.
You need this information before you start changing passwords, because it tells you where to focus first. Changing your Netflix password while your email credentials are exposed is rearranging deck chairs.
4 Change All Passwords From a Secure Device
Do not change passwords on the compromised phone. If a keylogger is installed, every character you type is being captured. Use a laptop, tablet, or another phone that you trust — one that wasn't connected to the same networks as the compromised device.
Start with your email. It's the master key. If an attacker controls your email, they can reset every other account through password recovery flows. Once email is secured, move to banking, then social media, then everything else your breach scan flagged.
- Use a password manager to generate strong, unique passwords for each account. Never reuse.
- Change email first, then banking, then the accounts your breach scan identified as compromised.
- After changing each password, review active sessions and sign out all other devices.
- Force-expire any API tokens or app passwords linked to that account.
5 Enable Two-Factor Authentication on All Accounts
A password alone is no longer sufficient. Two-factor authentication (2FA) means an attacker needs both your password and physical access to a second device to log in. Even if your credentials were stolen, 2FA blocks the login.
One important caveat: if you suspect SIM swapping — where an attacker has taken control of your phone number — avoid SMS-based 2FA. An attacker with your number receives the same one-time codes you do. Use an authenticator app instead.
- Download an authenticator app (Google Authenticator, Authy, or 1Password) on a secure device.
- Enable app-based 2FA on every account, starting with email and banking.
- Disable SMS-based 2FA where possible.
- Save backup codes in a secure location, not in the notes app on your phone.
- For your highest-value accounts, consider a hardware security key.
6 Factory Reset If Necessary
If you found malware, if the compromise is severe, or if you simply can't be certain the device is clean — factory reset it. A reset wipes the operating system partition, eliminating virtually all persistent malware. It's the nuclear option, but sometimes it's the right call.
The catch: a factory reset also wipes your data. Back up only what you're certain is safe — contacts and documents, not your full app list or configuration. Some backup solutions will restore the malware along with your data if you're not careful.
- Before resetting, back up contacts and essential documents to a cloud service from a secure network connection (not the compromised one).
- iPhone: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings.
- Android: Settings → General Management → Reset → Factory Data Reset.
- After reset, restore from a backup point that predates the compromise, not your most recent backup, which may contain malware.
7 Report to Authorities With Evidence
Unauthorized access to a phone is a federal crime in the United States under the Computer Fraud and Abuse Act, and a criminal offense in most countries. Reporting it matters — not just for your own recovery, but because law enforcement builds pattern files that lead to prosecutions.
The problem is that most people don't have usable evidence when they file a report. Vague descriptions don't go far. What authorities can act on: timestamped breach logs, specific account compromise records, documentation of what was accessed, and a clear timeline. That's exactly what a formal breach report gives you.
- File a report with the FBI's Internet Crime Complaint Center (IC3.gov) and your local police department.
- Contact your carrier to report potential SIM swapping.
- Notify your bank if any financial accounts were accessed.
- Gather all evidence before filing: screenshots of unfamiliar apps, your SkullSnare breach report, unusual account activity logs, and any messages sent without your authorization.
Prevention: Don't Get Here Again
Recovery is painful. Prevention is cheap. Once you've secured your accounts and cleaned your device, lock down the attack surface for next time:
- Keep your OS and apps updated — most exploits target known vulnerabilities in outdated software
- Never connect to public Wi-Fi without a VPN; treat coffee shop networks as hostile
- Use app-based 2FA on every account that supports it — SMS codes are interception-prone
- Review app permissions every few months and revoke anything that doesn't need camera, mic, or location access
- Enable Find My (iPhone) or Find My Device (Android) for remote wipe capability
- Don't click links in unsolicited texts or emails — even from numbers you recognize
- Run a breach scan quarterly to catch credential exposure before it becomes account takeover
If you're not sure whether you've already been compromised, start there. Read 5 Signs Your Phone Has Been Hacked before running your scan — knowing the warning signs helps you know what to look for in your results.
Don't wait. Find out what was stolen before it gets worse.
SkullSnare scans your full breach history and generates a legal-ready evidence report — everything you need to recover and report.