I am writing this guide because I keep getting the same question from people who are not in our field: "How do I know if someone is in my phone?" The answer is rarely straightforward, and the internet is full of articles that list symptoms like "your phone is hot" and "your battery drains fast" without explaining what these symptoms actually mean or how to distinguish a compromised device from one that's simply old and overworked. I intend to do better.
This guide is for regular people. Not security professionals. Not developers. People who use their phone for calling, texting, banking, and social media, and who have a reasonable concern that someone — an ex-partner, a stalker, an employer, or something more sophisticated — may be monitoring their device. If that's you, read this carefully.
Unusual data usage spikes. Spyware needs to transmit whatever it collects — your messages, your location, your microphone recordings — to a server. This uses data. If your phone is suddenly using significantly more cellular data than usual, and you haven't changed your behavior, that's worth investigating. On iPhone: Settings → Cellular → scroll down to see per-app data usage. On Android: Settings → Network → Data usage. Look for apps you don't recognize that are consuming data. Look for system processes with unusually high data consumption.
Battery drain that doesn't match your usage. Yes, old batteries drain faster. Yes, hot weather affects batteries. But if your phone's battery life suddenly drops by 30-40% and nothing else has changed — same apps, same usage pattern, same environment — something new is running. Spyware runs constantly in the background, recording audio, tracking location, uploading data. All of this requires processor time and power. Check your battery usage breakdown: Settings → Battery. If you see a process consuming significant battery that you didn't install and can't identify, that's a flag.
Your phone is warm when you're not using it. A phone that's warm while you're actively using it is normal. A phone that's warm while it's sitting on a table, screen off, doing nothing — that's a phone that's doing something you didn't ask it to do. Pick up your phone after it's been idle for an hour. If it's noticeably warm, something is running.
The camera or microphone indicator lights up unexpectedly. Modern iPhones show an orange dot when the microphone is active and a green dot when the camera is active. Android 12+ shows similar indicators in the top-right corner. If you see these indicators when you're not actively using an app that requires them, something is accessing your camera or microphone without your knowledge. Take a screenshot immediately (the indicator will be captured) and note the time.
Apps you didn't install. Go through your installed apps list carefully. On iPhone: Settings → General → iPhone Storage. On Android: Settings → Apps → See all apps. If you find an app you don't recognize and didn't install, look it up. Some stalkerware disguises itself as system utilities with names like "System Service," "Battery Optimizer," "Google Update," or "Phone Manager." If the app doesn't appear when you search for it in the App Store or Play Store, it was sideloaded — installed from outside the official store — and that is a major red flag.
Your phone restarts on its own. Occasional restarts happen. Restarts that happen regularly, especially at the same time, or when you're about to do something sensitive like make a call or open a banking app, are suspicious. Some spyware requires a reboot to install or update its components.
Strange sounds during calls. Modern digital phone networks should not produce clicks, static, or echoes. If you consistently hear unusual sounds during calls, it could indicate call interception. This is less common with encrypted VoIP calls (Signal, WhatsApp calls) and more common with standard cellular calls, which are easier to intercept.
"My phone is slow." Phones slow down as they age, as storage fills up, and as apps update to require more resources. A slow phone is not evidence of compromise. It's evidence of a phone that needs a restart, a storage cleanup, or an upgrade.
"I got a weird text message." Spam texts are universal and do not indicate that you've been hacked. However, if you receive a text with a link and you clicked it, and after clicking it your phone behaved differently — that's a different situation. Some exploits are delivered via specially crafted messages. If you clicked a suspicious link and noticed changes afterward, that combination is worth taking seriously.
"Someone knows things they shouldn't know." Before assuming your phone is hacked, consider: shared accounts (iCloud, Google, Amazon), shared devices (tablets, computers), location sharing that was enabled and forgotten, social media privacy settings that are more open than you think, and the possibility that someone simply saw your screen or overheard a conversation. The most common form of "hacking" in domestic situations is a partner who knows your password because you told them, logged into your account on their device, and is reading your messages through a shared session. Check your active sessions: Google → Security → Your devices. Apple ID → Devices. Facebook → Settings → Security → Where you're logged in.
Do not tip off the attacker. If you think someone is monitoring your phone, do not search for "how to remove spyware" on that phone. Do not text a friend about it. Use a different device — a library computer, a friend's phone, a tablet at a coffee shop — to research and plan.
Document everything. Before you do anything to the phone, write down what you've observed. Dates, times, specific behaviors. Screenshots if possible. This documentation may be important later — for law enforcement, for a protective order, or for your own peace of mind.
If you're in a domestic violence situation: Contact the National Domestic Violence Hotline (1-800-799-7233) or text START to 88788. They have trained advocates who understand technology-facilitated abuse. Do not factory reset your phone before talking to them — the evidence on your phone may be needed for legal proceedings.
If it's not a safety situation: The fastest way to remove most spyware is a factory reset. Back up your photos and contacts (not app data — app data can contain the spyware's persistence mechanism), then reset. Settings → General → Reset → Erase All Content and Settings (iPhone). Settings → System → Reset options → Erase all data (Android). After the reset, set up the phone as new — do not restore from a backup made while the spyware was present.
Change all passwords from a clean device. After the reset, change your passwords for email, banking, social media, and cloud accounts — but do it from a computer or device you trust, not from the phone that was compromised. Enable two-factor authentication on everything. Use an authenticator app (Google Authenticator, Authy), not SMS-based 2FA, because SMS can be intercepted.
MVT (Mobile Verification Toolkit) — Developed by Amnesty International. Can analyze an iPhone backup or Android device for indicators of known spyware including Pegasus. Free, open source, requires a computer and some technical ability. https://github.com/mvt-project/mvt
iVerify — Available on the App Store. Scans your iPhone for known indicators of compromise and also guides you through hardening your device settings. Developed by Trail of Bits, a respected security firm.
Vigil — Our own tool. Scans Android devices for stalkerware, spyware, and surveillance indicators using a curated database of known threats. Available at repo.seteclabs.io.
If you're reading this because you're worried, I want you to know: the fact that you're asking the question means you're already ahead of most people. Most victims of surveillance never think to ask. The asking is the first step. What you do next matters.
Be safe.