We are contacted every so often because someone is convinced their phone has been compromised.
Strange ads show up. The battery’s hot for no reason. A new phone number is set up but the phone still gets spam calls… something just feels off.
Before you start this process, know that 95% of people never get past the first two steps below, because the thing that scared them turns out to have a simple and boring explanation.
The fear is real and the worry is understandable, so let’s deal with it the right way: not by guessing, but by checking.
Please work through the steps below in order.
If you do find something off, the later steps tell you exactly what to do.
STEP 1 – Slow down and rule out the ordinary
A man once called us convinced his phone was compromised. Apps he never opened were open. Websites he swore he’d never visited sat in his history. Icons had moved around the screen. Settings he didn’t touch were changed. He was rattled.
We asked one question. Does anyone else ever have access to your phone? Long pause. His grandkids had been at the house all weekend.
This happens constantly. A spouse, a kid, a grandkid picks up the phone, pokes around, opens things, drags an icon, visits a site, changes a setting by accident, and sets it back down. Often they do it quietly, because they didn’t want to be told no. We have lost count of how many “hacks” turned out to be a ten-year-old left alone in a room with the device for five minutes. Before you assume an attacker on the other side of the world, ask the people on your side of the house.
Almost everything people read as “hacking” has a far more mundane cause. Before you freak out too much or tear anything apart, check these:
- Spam calls even on a new phone number? In short, spammers are robo-dialing every number on the planet, regardless of whether they know who you are. The phone itself is also not designed to somehow magically make your phone number disappear. There are ways to limit the number of unwanted calls, however, and this is discussed in detail HERE.
- Eerily accurate ads? This is almost never your phone’s microphone when using a Ghost Phone. It is data brokers, other people’s contacts uploading your number, web tracking, and search activity from people around you being correlated. It may also be WhatsApp, or another spyware app disguised as a functional tool, that you can’t let go of and have granted microphone access. On a Ghost Phone with no Google services running in the background and no unwarranted spyware apps, however, the “it heard me” explanation is the least likely one.
- Battery drain or heat? Usually a single misbehaving app, a recent update, or the phone looking for a Wi-Fi or roaming signal, not spyware. Check which app is using the battery in Settings before assuming the worst. Learn more HERE about how to dig further into this as a potential issue.
- The phone feels slow, restarts, or acts strange? Storage at or near maximum capacity, an app bug, a pending update, or a failing battery is almost always the issue, not an intruder.
- Someone “knows things” about you? Data brokers, old breaches, and public records hold staggering amounts on everyone. That information almost never comes from a live compromise of your device. You can take actions to scrub some of your data from the internet, but as the saying goes, the internet is forever, and if it was once online, it’s still living somewhere online. Assume all your information that has ever lived in a government database or online platform has been exposed and is available to anyone looking to purchase the data.
- Convinced you’ve been “hacked”? Most of the time, what people call a hacked phone is a hacked account. A reused password, an old data breach, or a login someone phished gets them into your email, your Google or Apple account, or a social app, with no access to your device at all. Check the recent login or security activity on your main accounts, sign out any session you don’t recognize, and change any password you have used in more than one place. On a Ghost Phone, a breached account is far more likely than a breached device.
- Calls and texts acting strange, or you suddenly lost signal for no reason? Your phone number lives at your carrier, not on your device. In a SIM swap, someone talks your carrier into moving your number onto their phone, then catches your texts and password-reset codes while your own phone goes dark. Your Ghost Phone can be spotless while this happens. Call your carrier and add a port-out PIN or transfer lock so no one can move your number without it.
A Ghost Phone running GrapheneOS with a locked bootloader, no Google Play services, and only apps you deliberately installed and kept from unwarranted permissions has a dramatically smaller attack surface than a stock iPhone or Android. Remotely compromising one is extremely hard and expensive, and it is not something that happens at random. If you didn’t sideload a sketchy app, grant strange permissions, or hand the phone to someone you probably shouldn’t have, the odds you’ve been hacked are near zero… but never zero. That is not dismissal. It’s the actual threat picture pulled from many years of experience talking through these scenarios with users.
A harder possibility worth naming
For most people the cause is ordinary. For a small number it is not, and even then it is rarely a faraway hacker. The realistic risk is someone with physical access to the phone who also knows your PIN. A person close to you, with the device in hand and the code to unlock it, can change settings or install something without any remote attack at all.
If that describes your situation, the device audit in Step 3 and the clean reset in Step 4 are your fix, paired with a new PIN no one else knows and a lock screen you keep private. If you have any concern for your safety, deal with that first, and reach out to us or to someone you trust before you make changes the other person might notice.
STEP 2 – Run the integrity check
This is the step that can help settle it. GrapheneOS has a built-in tool, the Auditor, that uses a hardware security chip the operating system cannot lie to. It will tell you plainly whether your device is running genuine, unmodified GrapheneOS and whether anything has been altered.
Think of the Auditor as a notary for your phone. It reads a sealed security chip inside the device that cannot be faked or bypassed, even by someone holding the phone in their hand. There are two ways to run the check. Pick whichever fits what you have on hand.
Option A – Local check (using a second phone)
Use this if you have a second Android phone available. Any Ghost Phone already has the Auditor app. On a regular Android phone, you can install “Auditor” from the Play Store.
- On the second phone (the one doing the checking), open the Auditor app and tap Auditor.
- On your Ghost Phone (the one being checked), open the Auditor app and tap Auditee.
- The checking phone will display a QR code. Point your Ghost Phone’s camera at it.
- Tap the QR code on the checking phone to move it forward a step.
- Your Ghost Phone now shows its own QR code. Point the checking phone’s camera at that one.
- The checking phone displays the result, telling you whether your Ghost Phone is genuine, unmodified GrapheneOS.
The first time you do this, the Auditor “remembers” your specific phone. Every check after that is even more meaningful, because it is comparing against that first known-good fingerprint.
Option B – Remote check (automatic, with email alerts)
This pairs your phone with the free GrapheneOS Attestation service. Once it’s set up, the service checks your phone on a schedule and emails you the moment anything ever looks wrong. You don’t have to remember to do a thing.
What you’ll need: your Ghost Phone, and a second screen such as a laptop, desktop, or another phone or tablet. You need the second screen because your Ghost Phone is going to read a code off of it with its camera.
- On your second device, open a web browser and go to attestation.app. Create a free account with a username and password. Write these down somewhere safe.
- Pick up your Ghost Phone and open the Auditor app.
- In Auditor, tap Enable remote verification.
- Look at your second screen. The attestation.app website is now showing a QR code (a black-and-white square, like the ones on restaurant menus). Point your Ghost Phone’s camera at it to scan it.
- Auditor will ask for an alert email address. Enter an email you check regularly. This is where a warning goes if a future check ever fails.
- Go back to your second screen and refresh the attestation.app page. Within a moment you’ll see your first verification result appear, confirming it worked.
From here on, the service quietly checks your phone on a schedule. As long as everything is healthy, you hear nothing. If something is ever off, you get an email. One thing worth knowing: if you ever factory reset or wipe the phone, you’ll need to clear the old pairing and run through these steps again to set up a fresh one.
If the Auditor confirms your device, that is strong, hardware-backed proof the operating system is intact. Run that first. For most people, it is also the last step they need.
STEP 3 – Audit what’s actually on the device
If you want to go further, or the Auditor flagged something, walk through these. Most real-world trouble on any phone comes from something that was installed or granted, not some invisible ghost in the machine.
- Apps you don’t recognize. Open your app list. Anything you don’t remember installing or don’t use? Remove it.
- Accessibility access. Go to Settings > Accessibility. Any app with accessibility permission can see and control a lot. If something is listed there that you didn’t deliberately set up, that is a red flag. Turn it off.
- Device admin apps. Go to Settings > Security and look for device admin apps. Nothing should be there that you didn’t add on purpose.
- Permissions. Open the permission manager and check what has access to your microphone, camera, and location. Revoke anything that has no business with them.
- Network access. GrapheneOS lets you control which apps can reach the internet at all. Review the Network permission and cut off anything that doesn’t need it.
- VPN, Private DNS, and certificates. Check Settings for any VPN or always-on VPN you didn’t configure, any Private DNS entry you didn’t set, and under trusted credentials, any user-added certificate you don’t recognize. A certificate you didn’t add yourself can let someone intercept your traffic. Remove anything unfamiliar.
- Extra user profiles. If there’s a profile on the device you didn’t create, that’s worth a hard look.
If all of that comes back clean and the Auditor confirmed the device, you are not hacked. You can stop here with confidence.
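For readers comfortable with a computer, several of the Step 3 checks can also be done as a comparison against a written-down baseline. The script below is an added example, not part of the original guide or of any GrapheneOS tool: it parses output collected with `adb shell` (USB debugging turned on for the check and off again afterward) and lists anything the baseline does not explain. The sample output, package names, DNS hostname and baseline are all constructed for illustration.

```python
import re

# Constructed sample: what each command might print over `adb shell <command>`.
SAMPLE = {
    "pm list packages -3": "package:org.example.notes\npackage:com.example.flashlight\n",
    "settings get secure enabled_accessibility_services":
        "com.example.flashlight/com.example.flashlight.HelperService\n",
    "settings get secure always_on_vpn_app": "null\n",
    "settings get global private_dns_mode": "hostname\n",
    "settings get global private_dns_specifier": "dns.example.net\n",
    "pm list users": "Users:\n\tUserInfo{0:Owner:c13} running\n\tUserInfo{11:Guest2:410}\n",
}

# Hypothetical baseline: what the owner remembers setting up on purpose.
BASELINE = {"apps": {"org.example.notes"}, "accessibility": set(),
            "vpn": None, "private_dns": None, "users": {"Owner"}}

def setting(out, command):
    """`settings get` prints the literal word null when a key is unset."""
    text = out[command].strip()
    return None if text in ("", "null") else text

def audit(out, baseline):
    """Return (check, item) pairs for anything the baseline does not explain."""
    findings = []
    apps = {line.split(":", 1)[1].strip()
            for line in out["pm list packages -3"].splitlines()
            if line.startswith("package:")}
    findings += [("unrecognized app", a) for a in sorted(apps - baseline["apps"])]

    # Enabled accessibility services are stored as one colon-separated string.
    enabled = setting(out, "settings get secure enabled_accessibility_services")
    services = set(enabled.split(":")) if enabled else set()
    findings += [("accessibility service", s)
                 for s in sorted(services - baseline["accessibility"])]

    vpn = setting(out, "settings get secure always_on_vpn_app")
    if vpn != baseline["vpn"]:
        findings.append(("always-on VPN", vpn))

    # A Private DNS hostname only applies when the mode is "hostname".
    mode = setting(out, "settings get global private_dns_mode")
    host = setting(out, "settings get global private_dns_specifier") if mode == "hostname" else None
    if host != baseline["private_dns"]:
        findings.append(("Private DNS", host))

    users = set(re.findall(r"UserInfo\{\d+:([^:}]*):", out["pm list users"]))
    findings += [("extra user profile", u) for u in sorted(users - baseline["users"])]
    return findings

if __name__ == "__main__":
    for check, item in audit(SAMPLE, BASELINE):
        print(f"REVIEW {check}: {item}")
```

Device admin apps, app permissions and user-added certificates are not covered by this script; check those in Settings as described in the list above.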
STEP 4 – The clean slate (when you want to be completely sure)
If you’re still uneasy, or you found something and want it gone, the most thorough fix is to wipe the device back to a known-good state and rebuild it yourself.
- Confirm the device is genuine GrapheneOS using the verified boot key check (covered in the verify guide above).
- Factory reset the phone from recovery. This clears out anything sitting in your data.
- Set up the Auditor on the fresh install so you have a clean baseline going forward.
- Reinstall only the specific apps you actually need, by your own hand. You can pick exactly what to add HERE.
A clean reset plus a verified-genuine OS is about as certain as it gets. Whatever you were worried about does not survive that process.
If something genuinely looks wrong, or you’re still not sure, stop using the device for anything sensitive. No banking, no passwords, no private messages until you’ve sorted it out. Write down exactly what you saw, including anything the Auditor or an alert email reported, and contact us. We will help you work out whether it’s a real problem or a false alarm. Either way, you don’t have to carry the uncertainty alone, and you don’t have to guess.
Keep it that way
Once you’ve settled it, a few habits keep the answer boring:
- Turn on two-factor authentication for your email and any account that matters. Use an authenticator app rather than text messages where you can, which also takes the SIM-swap risk off the table.
- Never install an app from a link someone sent you. Add apps yourself, on purpose, from a source you trust. You can see our recommended set HERE.
- Glance at the permissions when you install something. If a flashlight wants your microphone and your contacts, that tells you what it really is.
- Keep the phone updated. GrapheneOS updates close the doors before anyone walks through them.
- Keep your PIN to yourself and set a short lock-screen timeout, so the phone isn’t sitting unlocked on a counter for whoever wanders by.
None of this is fear. It’s the same reason you lock your front door. Not because you expect a break-in tonight, but because it costs you nothing and ends the wondering.
That’s the whole idea behind a phone you can verify. You are never stuck wondering. You can always check.