What to Do If Your Phone's Been Hacked — It Depends Who You Are
For most people, a compromised phone means a phishing link clicked, a malicious app downloaded, or an account accessed from an unfamiliar location. The remediation is straightforward: remove the offending app, change the passwords, run a scan.
For executives, government officials, legal professionals, and high-net-worth individuals, the threat model is categorically different. Sophisticated adversaries, whether nation-state intelligence services, corporate espionage operators, or organized criminal groups, do not need the target to click anything. They use purpose-built commercial spyware that can install itself with no interaction from the target, runs quietly for months, and is rarely caught, and never reliably removed, by consumer security tools.
This guide covers both scenarios. Knowing which one applies to you is the most important decision you’ll make.
Understand the Threat You’re Actually Facing
Consumer-grade threats
Most phone compromises fall into this category. The attack vectors are familiar: malicious apps, credential phishing, SIM swapping, account takeover. The symptoms can be visible — apps you didn’t install, unexpected data usage spikes, login alerts from unfamiliar locations, battery draining faster than normal.
These threats are serious. They are also addressable with the steps outlined below.
Advanced persistent threats
Commercial spyware tools — Pegasus from NSO Group, Predator from Intellexa, Graphite from Paragon, and others in this category — operate on fundamentally different principles. They exploit zero-day vulnerabilities: unknown flaws in iOS or Android that Apple and Google haven’t yet discovered, let alone patched. In zero-click attacks, infection requires no action from the target. The mere act of receiving a message is sufficient.
Once installed, these tools are designed to be unobtrusive. They do not drain batteries noticeably. They do not create unfamiliar apps. They run inside existing system processes, exfiltrating messages, calls, location data, and microphone audio while leaving few traces that a consumer security scan will find. The traces that do remain (crash and diagnostic logs, per-process network-usage records, browser history) are typically recovered only by forensic analysis of a backup and system diagnostics, not by looking at the phone itself.
If you handle sensitive information, operate in a high-threat environment, or hold a position that would make you a valuable target for a sophisticated adversary, you should assume the possibility of this threat class and act accordingly — regardless of whether you’ve seen any symptoms.
If You Suspect a Consumer-Grade Compromise: What to Do
- Disconnect immediately. Turn off Wi-Fi and mobile data, or power the device down entirely. This cuts off remote access while you assess the situation.
- Check for unfamiliar apps. Review your installed applications for anything you don’t recognize, particularly apps with elevated permissions — access to your microphone, camera, location, or contacts that you didn’t explicitly grant.
- Run a reputable security scan. Tools like iVerify can detect many consumer-grade threats and known indicators of compromise. These tools are a reasonable first step for this threat category.
- Change credentials from a separate device. Use a different, trusted device to update passwords for your most sensitive accounts: email, banking, cloud storage, and any professional systems. Enable two-factor authentication if you haven’t already, preferably using an authenticator app rather than SMS.
- Consider a factory reset. If problems persist or you have confirmed malicious software, a factory reset will remove most consumer-grade threats. Back up your data first, and reinstall apps from the official store rather than restoring them from that backup, since a restore can bring a malicious app straight back. Note that a factory reset is not an answer to advanced spyware: it destroys the evidence an analyst would need and does nothing about reinfection. If you are in that threat category, see below.
- Harden going forward. Keep your OS and apps current. Be deliberate about app permissions and revoke any an app does not plainly need. Avoid public Wi-Fi without a trusted VPN. Do not sideload applications from outside official app stores. On iOS, Lockdown Mode disables or restricts many of the message, web and attachment parsers that zero-click chains have targeted; it costs some convenience and is worth enabling if you are anywhere near the second threat category.
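The "check for unfamiliar apps" step is easier to do systematically than by scrolling through the app drawer. The following is an added example for this article (not code from the article or from any vendor it mentions): a Python triage script that parses text in the shape of `adb shell dumpsys package <pkg>` output and flags packages that were not installed by the Play Store or that hold several of the sensitive runtime permissions the step names. The sample dumpsys text is constructed and only approximates the real layout, and the regular expressions are an assumption about that layout that may need adjusting for a given Android version.

```python
"""Triage installed Android apps by installer and granted permissions.

Added example for this article, not code from the article or from any
vendor mentioned in it. Parses text in the shape of
`adb shell dumpsys package <pkg>` output. The sample text is CONSTRUCTED
and the regexes are an assumption about the real dumpsys layout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The permission groups the article singles out: mic, camera, location, contacts.
SENSITIVE: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}
# Installers treated as an official store; add a vendor store if the handset has one.
STORE_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"installerPackageName=([\w.]+)")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None  # None when dumpsys prints "null"
    sensitive: Dict[str, str] = field(default_factory=dict)  # permission -> category


def parse_dumpsys(text: str) -> List[PackageInfo]:
    """Walk dumpsys output, recording only granted *runtime* permissions."""
    packages: List[PackageInfo] = []
    current: Optional[PackageInfo] = None
    in_runtime = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = PackageInfo(name=m.group(1))
            packages.append(current)
            in_runtime = False
            continue
        if current is None:
            continue
        m = INSTALLER_RE.search(line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # "install permissions:" vs "runtime permissions:"; only the latter
            # covers microphone/camera/location/contacts.
            in_runtime = stripped == "runtime permissions:"
            continue
        if in_runtime:
            m = PERM_RE.match(line)
            if m and m.group(2) == "true" and m.group(1) in SENSITIVE:
                current.sensitive[m.group(1)] = SENSITIVE[m.group(1)]
    return packages


def triage(packages: List[PackageInfo]) -> List[Tuple[str, List[str]]]:
    """Flag every sideloaded package, plus store packages holding three or
    more sensitive categories. Returns (package name, reasons) pairs."""
    findings = []
    for pkg in packages:
        categories = sorted(set(pkg.sensitive.values()))
        sideloaded = pkg.installer not in STORE_INSTALLERS
        reasons = []
        if sideloaded:
            reasons.append("installer=%s" % (pkg.installer or "null"))
        if categories:
            reasons.append("granted: " + ", ".join(categories))
        if sideloaded or len(categories) >= 3:
            findings.append((pkg.name, reasons))
    return findings


# CONSTRUCTED sample: one Play Store app and one sideloaded app with mic and
# location access. Real input: the stdout of
# subprocess.run(["adb", "shell", "dumpsys", "package", pkg], capture_output=True, text=True)
# for each package listed by `adb shell pm list packages -3`.
SAMPLE_DUMPSYS = """\
  Package [com.example.notes] (4a1b2c3):
    userId=10142
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
  Package [com.sample.sysupdate] (9f8e7d6):
    userId=10187
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for name, reasons in triage(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(name, "->", "; ".join(reasons))
```

On the constructed sample only `com.sample.sysupdate` is reported: it has no installer on record and holds microphone and location. The Play Store app with a single contacts grant is left alone, which is the point of scoring on installer first and permission breadth second: a sideloaded package with no permissions at all still deserves a look, while a store app with one sensible permission does not.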
If You Suspect Advanced Spyware: The Situation Is Different
A factory reset is not a remedy for Pegasus-class spyware, and neither is a security scan or a password change. A reset may remove the implant that is currently running, but it wipes the artifacts a forensic analyst needs to confirm and date the infection, and an adversary who delivered a zero-click exploit once can deliver it again as soon as the reset device reconnects. A scan can surface known indicators, but a clean scan is not proof of a clean device, because indicators are published only after an infection has been found and studied. And changing passwords from a device that can read your screen and keystrokes simply hands the new passwords to the attacker.
The hard truth is that once an iOS or Android device has been compromised by advanced spyware, nothing done on that device can restore trust in it, because the device would be reporting on its own state. This is not a failure of the individual tools involved; it is a structural consequence of how consumer mobile operating systems are architected.
iOS and Android were designed for the mass consumer market. Their attack surfaces are enormous: millions of lines of code, a vast ecosystem of third-party applications, and complex parsing libraries for images, videos, and documents that process untrusted input before the user sees anything. Each of those parsers is a candidate for the next zero-day. Spyware operators invest continuously in finding those vulnerabilities before the OS vendors do, and every time Apple or Google patches one flaw another is identified. This is not a solvable problem within the existing architecture.
What to actually do if you believe you’ve been targeted by advanced spyware:
- Bring in a forensic specialist. Organizations like Amnesty International's Security Lab or Access Now's Digital Security Helpline have documented expertise in detecting and analyzing commercial spyware infections, and Amnesty's open-source Mobile Verification Toolkit (MVT) underpins much of that work. iVerify's Mobile Threat Hunting feature has also demonstrated real capability: the tool has identified confirmed Pegasus infections across tens of thousands of device scans, including on devices belonging to executives and government officials.
- Isolate the device, but preserve it. Do not use it for any sensitive communications until it has been analyzed, and assume that anything said near or on it may be accessible to the adversary. Do not wipe it, and collect evidence before any update or reset: an encrypted local backup (via Finder or iTunes on iOS) and, on iOS, a sysdiagnose capture are what forensic tooling works from, and both are lost to a factory reset.
- Evaluate your communications infrastructure. If your device has been compromised, the communications infrastructure around it — the people you contact, the systems you access — should be reviewed by your security team or an outside specialist.
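The forensic work in the first step of the list above is, at its core, indicator matching: artifacts recovered from a backup (process names seen in network-usage records, visited URLs, resolved domains) are compared against published indicators of compromise, and the hits are laid out on a timeline. The following is an added example for this article, not code from the article, from Amnesty's MVT, or from any vendor; it shows that structure end to end. Every indicator and artifact in it is constructed (reserved `.invalid` hostnames, a made-up process name) so that it runs offline; none of them are real Pegasus, Predator or Graphite indicators, and the pattern parser handles only the three STIX2 comparison shapes that mobile indicator bundles commonly use.

```python
"""Match recovered device artifacts against a STIX2-style indicator bundle.

Added example for this article, not code from the article, from Amnesty's
Mobile Verification Toolkit, or from any vendor. All indicators and
artifacts are CONSTRUCTED placeholders, not real spyware indicators.
"""
import json
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed bundle in the shape of published STIX2 IOC files: indicator
# objects whose "pattern" field holds a single comparison.
IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "placeholder-c2-domain",
         "pattern": "[domain-name:value = 'c2-placeholder.invalid']"},
        {"type": "indicator", "name": "placeholder-process",
         "pattern": "[process:name = 'placeholderd']"},
        {"type": "indicator", "name": "placeholder-lure-url",
         "pattern": "[url:value = 'https://lure-placeholder.invalid/x']"},
    ],
})

PATTERN_RE = re.compile(r"^\[(domain-name:value|process:name|url:value) = '([^']+)'\]$")
KIND = {"domain-name:value": "domain", "process:name": "process", "url:value": "url"}


def load_indicators(bundle_json: str) -> Dict[str, Set[str]]:
    """Parse the three pattern shapes handled here; anything else is skipped,
    not guessed at."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "process": set(), "url": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        kind, value = KIND[m.group(1)], m.group(2).lower()
        iocs[kind].add(value)
        if kind == "url":  # a URL indicator also implicates its host
            host = urlsplit(value).hostname
            if host:
                iocs["domain"].add(host)
    return iocs


def domain_matches(host: str, domains: Set[str]) -> bool:
    """Exact or subdomain match; a bare substring match would over-report."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# CONSTRUCTED artifact records of the kinds a backup yields: per-process
# network usage, browser history, DNS cache. Timestamps are UTC ISO 8601.
ARTIFACTS = [
    {"source": "network usage", "ts": "2024-03-02T09:14:11Z", "process": "placeholderd"},
    {"source": "network usage", "ts": "2024-03-02T09:20:45Z", "process": "mobileassetd"},
    {"source": "browser history", "ts": "2024-03-01T22:03:09Z",
     "url": "https://news.example.com/story"},
    {"source": "browser history", "ts": "2024-03-01T22:05:40Z",
     "url": "https://lure-placeholder.invalid/x?id=1"},
    {"source": "dns cache", "ts": "2024-03-02T09:14:10Z",
     "domain": "api.c2-placeholder.invalid"},
]


def scan(artifacts: List[dict], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return matching records in time order: the earliest hit bounds the
    infection window, which is the first thing an analyst wants."""
    hits = []
    for rec in artifacts:
        matched = None
        if "process" in rec and rec["process"].lower() in iocs["process"]:
            matched = ("process", rec["process"])
        elif "url" in rec:
            url = rec["url"].lower()
            host = urlsplit(url).hostname or ""
            if url in iocs["url"] or domain_matches(host, iocs["domain"]):
                matched = ("url", rec["url"])
        elif "domain" in rec and domain_matches(rec["domain"], iocs["domain"]):
            matched = ("domain", rec["domain"])
        if matched:
            hits.append({"ts": rec["ts"], "source": rec["source"],
                         "kind": matched[0], "value": matched[1]})
    return sorted(hits, key=lambda h: h["ts"])


def summarize(hits: List[dict]) -> Optional[Dict[str, object]]:
    """Infection window, or None when nothing matched. None means 'no known
    indicator seen', which is not the same as 'clean'."""
    if not hits:
        return None
    return {"first_seen": hits[0]["ts"], "last_seen": hits[-1]["ts"], "matches": len(hits)}


if __name__ == "__main__":
    found = scan(ARTIFACTS, load_indicators(IOC_BUNDLE))
    for h in found:
        print(h["ts"], h["source"], h["kind"], h["value"])
    print(summarize(found))
```

Two design points carry over to real investigations. The lure URL in the sample carries a query string the indicator does not, so an exact URL comparison alone would miss it; matching the host as well is what catches it, and subdomain matching is why `api.c2-placeholder.invalid` hits a bare-domain indicator. And `summarize` returning `None` is deliberately not reported as "clean": an indicator list only knows about infrastructure that has already been found and published, which is exactly why a specialist, not a script, should make the final call.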
The Structural Problem: Why Consumer Phones Cannot Be Made Secure for High-Threat Environments
The steps above address incidents after they occur. They do not address the underlying vulnerability.
Consumer smartphones — regardless of brand or operating system — share a fundamental architectural characteristic: they were designed to be general-purpose computing platforms. That means a large, complex, continuously evolving attack surface. It means an app ecosystem where third-party code runs in close proximity to sensitive data. It means OS vendors in a perpetual race to patch vulnerabilities that sophisticated adversaries find first.
This is not a criticism of Apple or Google. They build excellent products for the market they serve. But “excellent consumer product” and “appropriate for sensitive communications in high-threat environments” are not the same category.
The distinction that matters is between app-level security and device-level security. End-to-end encrypted messaging apps — Signal, WhatsApp, and others — protect data in transit between two points. They do not protect the device itself. If the device has been compromised by spyware that reads data before it is encrypted and after it is decrypted, the encryption of the transmission is irrelevant. Genuine security for high-stakes communications requires a different architectural premise: a device built from the hardware layer up for security, not a consumer device with security features added on top.
What Device-Level Security Actually Looks Like
The Sotera SecurePhone was designed from this premise. Three architectural layers work together:
- Hardware. The device is built at the silicon level as a purpose-built secure platform. Mainstream smartphones add hardware protections such as a secure enclave and verified boot around a general-purpose application processor that still runs all of the exposed code; the Sotera SecurePhone's hardware is designed from the start as part of the secure platform rather than as a wrapper around one.
- Operating System. The device runs Green Hills Software Integrity 178B, not iOS or Android. Integrity 178B is a real-time operating system (RTOS) that powers safety-critical systems in military aircraft including the B-2, F-16, F-22, and F-35, as well as commercial aviation platforms. It enforces compartmentalization not just at the application level but within individual applications, using separate virtual address spaces that prevent leakage between compartments. Commercial spyware operators invest their resources in exploit chains for iOS and Android. The Sotera SecurePhone runs neither, so those chains do not apply to it, and its attack surface is different and, by design, far smaller. Smaller is not zero: the cellular interface and the message decoders still accept data from outside, which is what the application-layer design below is built around.
- Applications. The Sotera SecurePhone runs proprietary secure voice and messaging applications built specifically for Integrity 178B. Incoming data — including messages from external senders — is handled entirely within an isolated sanitation compartment. Any failure during decoding triggers a contamination event: all systems that interacted with the data are sanitized before the data is permitted to move into clean system areas. This architecture is always enabled. It cannot be turned off.
The result: voice calls and messages between two Sotera SecurePhones are designed so that a third party on the network path cannot intercept and decrypt them.
The Sotera SecurePhone is not a replacement for a general-purpose smartphone. It does not support Wi-Fi connectivity, app installation, camera functionality, or the full feature set of a consumer device — by design. Each of those features represents an attack surface that does not exist on the SecurePhone because the functionality was never implemented.
The Right Question
The question most people ask after a phone compromise is “how do I fix this?” That is the right question for consumer-grade threats, and the steps above address it.
The more important question — particularly for high-value targets — is “why was this possible in the first place, and what would have prevented it?” That question leads not to remediation, but to architecture.
A device cannot be secured against Pegasus-class spyware with add-on apps or protections; the attack vectors have to be eliminated completely and proactively, at the level of the architecture.
To learn more about how the Sotera SecurePhone addresses advanced mobile security threats, visit our product page or contact our team.
