Your Phone Is Compromised
Assume it is, act calmly, and remember that the device was always telling on you — the malware is just the loud part.
I will tell you the uncomfortable thing first, because it reframes everything else: your phone does not need to be hacked to betray you. A perfectly healthy phone, doing exactly what it was built to do, is already a beacon that reports roughly where you are, who you spoke to, when, and for how long, to anyone who can ask the right system. The carrier holds that record whether or not you ever open an app. Malware is just the part where someone is also reading your messages and watching through the lens. Loud, yes. But it is a worse version of a problem you already had.
By 2021 I was mostly consulting, and half the calls I took were some version of this: I think my phone has been got. What do I do. Almost always the answer began the same way — slow down, assume the worst, and act like a professional rather than a victim.
The signs, and the signs that aren't
People panic at the wrong things and miss the real ones. A hot, fast-draining battery and unexplained data use can mean something is running in the background that you did not start — but they can also mean a tired battery and a chatty app, so do not convict on those alone. Stack the indicators instead of trusting any one:
- Behavior that isn't yours. Texts you didn't send. A two-factor code arriving for a login you didn't attempt. Apps you don't remember installing. Settings that changed themselves.
- The account symptoms. The real damage usually shows in your accounts before your handset. A password that suddenly doesn't work. A recovery email quietly swapped. A login alert from a city you've never been to. These point at the likeliest modern attack, which is not exotic spyware at all — it is someone who got your number moved to their SIM, or reused one of your old passwords from a breach you forgot about.
- The physical tells. A phone warm when it should be cold and idle. The camera or microphone indicator flicking on when nothing should be using them.
One sign is noise. Three together, pointing the same way, is the moment you stop wondering and start acting.
What it actually costs you
Understand what an attacker gets, because it tells you what to protect. It is rarely a single fact that hurts you. It is the join — the way scattered pieces assemble into a picture. Your contacts become their contacts to impersonate. Your location history becomes a pattern of life. Your photos carry, by default, the exact coordinates where each was taken and the device that took them. And the metadata is often worse than the content: a log showing you called the same lawyer four times the week before a resignation tells the whole story without a single word of what was said.
So when you think a phone is compromised, you are not just thinking about the device. You are thinking about every account it can reach and every person in it.
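The point above about photos can be checked before a picture is shared. This is an added example, not part of the original piece: it reads a JPEG's EXIF block to see whether it names the device or carries a GPS section, then writes the file back without that block. The sample bytes are constructed and the function names are illustrative.

```python
import struct

def jpeg_segments(data):
    # Yield (marker, start, end) for each header segment before the image scan.
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00"

def exif_disclosures(data):
    # Report which of Make, Model and the GPS block the photo's EXIF carries.
    names = {0x010F: "Make", 0x0110: "Model", 0x8825: "GPS"}
    found = set()
    for _, start, end in jpeg_segments(data):
        if not is_exif(data, start):
            continue
        tiff = data[start + 10:end]
        order = "<" if tiff[:2] == b"II" else ">"   # TIFF byte-order mark
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        tags = {struct.unpack_from(order + "H", tiff, ifd0 + 2 + 12 * i)[0]
                for i in range(count)}              # one 12-byte IFD entry per tag
        found |= {n for t, n in names.items() if t in tags}
    return found

def strip_exif(data):
    # Copy the file, leaving out every EXIF APP1 segment.
    out, keep_from = bytearray(), 0
    for _, start, end in jpeg_segments(data):
        if is_exif(data, start):
            out += data[keep_from:start]
            keep_from = end
    return bytes(out + data[keep_from:])

def constructed_sample():
    # Constructed bytes, not a real photo: JPEG header, EXIF with Make + GPS pointer.
    entries = [(0x010F, 2, 4, b"ACM\x00"), (0x8825, 4, 1, struct.pack("<I", 38))]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd += struct.pack("<HHI", tag, typ, cnt) + val
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

EXIF is not the only metadata container a JPEG can hold, so an empty result here covers the EXIF block only.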
The clean-up, calmly
Do not throw it in a river. Do not start frantically deleting apps, which only destroys the record of what happened. Work in order, from a different, trusted device wherever you can.
- Cut the link. Put the suspect phone in airplane mode, or off and into a signal-blocking sleeve if you have one. A device that cannot reach the network cannot keep reporting or keep being reached. This is the calm equivalent of pulling a tooth.
- Save the bleeding accounts first, not the phone. From the clean device, change the passwords on the important accounts — email first, because email is the master key that resets everything else. Then anything financial. Use a unique password for each; reused passwords are the seams that collapse the whole structure.
- Move off SMS for the second factor. A code sent by text is defeated the moment someone steals your number from the carrier. Switch your important accounts to an authenticator app or a hardware key. Then call your mobile provider and lock the account against an unauthorized SIM swap.
- Check the recovery details. Attackers don't always change the password — they quietly add themselves as a recovery email or number, so they can come back later. Hunt those down on every account and remove what isn't yours.
- Wipe and rebuild the device, don't 'clean' it. If the indicators are real, a factory reset and a fresh setup is the honest fix. Reinstall only what you need, from official sources. Do not restore a backup blindly if the backup might carry the same problem back in.
- Then warn the people in it. Whoever attacked your phone now has a list of everyone you talk to and a convincing way to impersonate you to them. A quiet word to the ones who matter — if you get an odd message from me, call and check — closes the door the attacker actually wanted open.
Cut the line first, save the accounts second, rebuild the device last. Panic deletes the evidence and skips the part that protects you.
The posture that makes the next time boring
The professional starting position is uncomfortable and freeing at once: assume compromise. Operate as though one layer — a device, a password, a habit — has already failed, and structure your life so the failure you didn't catch doesn't take everything else down with it. Separate your identities so a breach of one doesn't unlock the rest. Keep the dangerous conversations off the always-on device, or off a device at all. And remember the oldest truth about the thing in your pocket: as long as the radio is live, it is negotiating with the world around it. The only phone that cannot be located is one that is off and shielded — and the habit of knowing that is what saves you when the gear lets you down.
A client of mine in REDACTED spent a frantic afternoon convinced she was being watched through her camera. She might have been; I could not prove it either way. But by the time we finished she had locked her SIM, rotated her passwords, and moved the conversations that mattered onto a device she left at home. Whether anyone had been inside the old phone became almost beside the point. She had made herself expensive to follow, which is the only victory on offer. You do not get invisible. You get not worth the trouble.
Identity withheld, the city left blank, the timeline shifted. The clean-up is exactly as I have run it more times than I would like.
— M.