Guides & How-To
How to Check if Your Phone Is Tapped: 12 Signs, Diagnostic Codes and What to Do (2026 Guide)
A 2026 field guide from Cybrvault's investigators: the 12 signs your phone is being tapped, the exact iPhone and Android codes to run right now, how to tell wiretap from spyware from a bad battery, and the step-by-step playbook to lock an attacker out for good.

Every week Cybrvault gets a call that starts the same way: *"I think my phone is tapped."* Sometimes it's a Miami executive in the middle of a hostile deal. Sometimes it's a spouse in a divorce. Sometimes it's a founder who noticed their competitor is a little too well-informed. And sometimes — honestly — it's an old battery and an anxious week.
This guide gives you the exact 15-minute checklist our incident-response team runs before we escalate to a forensic sweep. No fear-mongering, no VPN affiliate pitch — just what actually works in 2026, on the phones people actually carry, against the tapping techniques that are actually in use right now.
What "phone tapping" actually means in 2026
"Tapping" is an umbrella term. When people say it, they usually mean one of four very different things — and the fix is different for each one.
1. Carrier-side wiretap (the legal kind)
This is the classic wiretap: a court order compels AT&T, Verizon or T-Mobile to duplicate your call and SMS metadata to a law-enforcement collection point. You cannot detect it from the handset. There is no code, no app, no battery symptom. If this is happening to you, your lawyer will find out long before your phone will.
2. Commercial spyware / stalkerware
Apps like mSpy, FlexiSpy, Cocospy, Hoverwatch, Eyezy and their 2026 clones. These require somebody to physically install software on your device (or, on iPhone, know your Apple ID + 2FA code to enable full iCloud backup access). Almost every "my phone is tapped" case Cybrvault investigates is actually this — and it's the one you *can* detect and remove.
3. Nation-state spyware (Pegasus, Predator, KingsPawn)
Zero-click exploits delivered over iMessage, WhatsApp or a poisoned link. If you're a journalist, dissident, defense contractor, executive at a target industry, or you've been named in a Citizen Lab or Amnesty report, this is a real risk. For 99% of readers of this article, it isn't. Apple's Lockdown Mode blocks the vast majority of known Pegasus vectors as of 2026.
4. Call forwarding / SIM swap / eSIM hijack
Not a "tap" in the classic sense, but functionally identical: your calls and SMS end up on someone else's device. This is the fastest-growing category we see in Miami, especially against high-net-worth targets. It's also the easiest to detect — see the codes section below.
The 12 warning signs your phone is tapped
One of these on its own means nothing. Three or more clustered in the same week is when we open a case.
- 1**Battery drains noticeably faster than a month ago**, even with the same apps and usage. Spyware runs background services that never sleep.
- 2**The phone is warm when idle**, sitting on your desk, screen off, no charging. Live microphone streaming heats the SoC.
- 3**Background data usage climbs without explanation.** Check Settings → Cellular / Mobile Data and look for apps you don't recognize using MB when you weren't using them.
- 4**Calls have echoes, static, clicks, or a half-second delay** at the start. Modern spyware is quieter than 2015-era tools, but transcoding still introduces artifacts.
- 5**Phone lights up, reboots or shows activity when you're not touching it.** Especially at 2–4 AM when spyware pushes logs to its C2.
- 6**Text messages arrive with strange characters, symbols or numbers.** SMS-based command channels leak occasionally.
- 7**Shutdown takes unusually long** or the phone refuses to power off. Spyware often intercepts the shutdown call to keep the mic alive.
- 8**Your carrier bill shows premium-SMS charges or international calls you didn't make.**
- 9**People start referencing conversations you had only in person or over an "encrypted" channel.** This is the highest-signal indicator on the list.
- 10**A device admin app or accessibility service you don't recognize appears** in Android settings — see the diagnostic section below.
- 11**A profile or MDM configuration appears on your iPhone** under Settings → General → VPN & Device Management. If you didn't enroll a work profile, this is a red flag.
- 12**Two-factor codes stop arriving** for accounts that used to text you — a strong sign of SIM swap or call forwarding.
60-second check: phone tapping codes that actually work in 2026
These are GSM MMI codes — they're carrier-level, not app-level, and they work on virtually every unlocked iPhone and Android in the US. Open your dialer and type them exactly as shown, including the * and #.
*#21# — Show all call, SMS and data forwarding
This is the single most useful code on this list. It returns a screen listing whether voice calls, SMS, data and fax are being forwarded to another number. Everything should say **Disabled** or **Not forwarded**. If any line shows a number you don't recognize, your phone is effectively tapped at the carrier level — write down the number, screenshot the screen, and go to the next section.
*#62# — Show conditional forwarding (when unreachable)
Reveals where calls and texts go when your phone is off or out of coverage. Legitimately this points to your carrier's voicemail. If it points to any other number, someone has hijacked your fallback.
*#67# — Show forwarding when busy
Same idea but for the "busy" condition. Same rule: your carrier's voicemail = normal, anything else = investigate.
##002# — Nuclear option: disable all forwarding
If *#21#, *#62# or *#67# returned anything suspicious, dial ##002# to erase every forwarding rule on the SIM. Then call your carrier from a different phone and put a port-out PIN on the account.
*#06# — Display your IMEI
Not a tap detector, but write it down. If you ever need to report the device stolen or cloned, the carrier will ask for it.
iPhone: how to check if your iPhone is tapped
iOS 18 and 19 (2026) are aggressively locked down. A remote tap of a modern, patched iPhone with a strong Apple ID password is one of the hardest attacks in commercial cybersecurity. That means for most people, the risk lives in three specific places — check them in order.
- 1**Settings → General → VPN & Device Management.** If there's a Configuration Profile or MDM enrollment you didn't install, remove it. This is the #1 way stalkerware persists on iPhone in 2026.
- 2**Settings → Apple Account → Devices.** Review every device signed in to your Apple ID. Anything you don't recognize, tap → Remove from Account, then change your Apple ID password.
- 3**Settings → Privacy & Security → Safety Check.** Apple's built-in tool for exactly this situation. Run "Emergency Reset" if you're in a domestic-abuse context; otherwise run "Manage Sharing & Access" and revoke anything you don't need.
- 4**Check for jailbreak.** Look for Cydia, Sileo, Zebra or unsigned apps in the app library. A jailbroken phone can be tapped invisibly. If you find one and you didn't jailbreak it yourself, back up your data and factory reset immediately.
- 5**Enable Lockdown Mode.** Settings → Privacy & Security → Lockdown Mode. This closes the message- and web-based attack surface that Pegasus and Predator rely on. It breaks some legitimate features (link previews, some attachment types) but it's the single strongest hardening switch Apple ships.
Android: how to check if your Android phone is tapped
Android's flexibility is why stalkerware thrives here. Ninety percent of the commercial spyware we remove for Miami clients lives on Android. The good news: it almost always hides in the same three menus.
- 1**Settings → Security → Device admin apps** (some phones call it "Device administrators"). Every entry here has the power to lock, wipe or track your phone. If anything other than Find My Device, Google Play Protect and your MDM (if you have one) is listed, disable it, then uninstall the app.
- 2**Settings → Accessibility → Installed services.** Legit apps that need Accessibility: password managers, screen readers, a few automation tools. Stalkerware lives here almost universally, because Accessibility gives it the ability to read every screen and log every keystroke. Anything you don't personally recognize → turn off → uninstall.
- 3**Settings → Apps → See all apps → menu → Show system apps.** Scroll for anything with generic names like "System Service", "Sync Services", "Battery Update" that has an install date matching a specific event (a fight, a lost/found phone, an ex-partner's visit). Package names that don't start with com.google, com.android, com.samsung, com.motorola, or your carrier are the suspects.
- 4**Google Play Protect scan.** Play Store → profile icon → Play Protect → Scan. Enable "Improve harmful app detection" — it opts you into Google's cloud-side analysis, which catches stalkerware that hasn't been flagged locally yet.
- 5**Check installed certificates.** Settings → Security → Encryption & credentials → Trusted credentials → User. Empty is normal. Any certificate here means someone can decrypt your HTTPS traffic — remove it.
How to tell tapping from a bad battery or a bloated app
Most "my phone is tapped" reports Cybrvault triages turn out to be one of three benign things. Rule these out before you factory reset in a panic:
- **Battery health under 80%.** Settings → Battery → Battery Health (iPhone) or a free app like AccuBattery (Android). A worn cell drains fast and runs hot exactly like spyware does.
- **A recent OS update.** iOS and Android both re-index photos and rebuild search databases for 24–72 hours after a major update. Expect heat, drain and background data during that window.
- **A single misbehaving app.** Facebook, Snapchat, Instagram, and some ride-share apps routinely burn 15–25% of battery per day. Check the per-app battery breakdown in Settings before you assume the worst.
You confirmed a tap. Now what — in the exact right order.
The temptation is to delete the spyware and move on. Don't. The person who installed it usually has your credentials too, and they'll just reinstall. This is the sequence Cybrvault's IR team runs on a confirmed compromise — do them in order, don't skip steps.
- 1**Assume the phone is listening right now.** Move to a different room before you keep reading, and don't discuss your plan out loud near the device.
- 2**Photograph the evidence.** Screenshot the suspicious device admin, profile, or forwarded-number screen. If this goes to court or law enforcement, you'll want it.
- 3**From a clean device (a friend's laptop, a work computer), change your primary email password first**, then Apple ID / Google account, then bank, then everything else. Password manager makes this 20 minutes instead of 3 hours.
- 4**Enable hardware or app-based 2FA** (a YubiKey, or Google/Microsoft Authenticator) on every important account. Remove SMS 2FA where possible — SIM swap defeats it.
- 5**Call your carrier from that clean device** and put a port-out PIN and a SIM-change PIN on the account. Ask them to check for active call forwarding on the backend, not just what your handset reports.
- 6**Back up photos and contacts only** (not apps, not settings) to iCloud or Google, then factory reset the phone. Restoring "from backup" restores the spyware — this is the #1 mistake we see.
- 7**Reinstall apps one at a time from the official store**, sign in fresh, and re-enable 2FA as you go.
- 8**Consider a new SIM/eSIM** if you found forwarding rules. Costs $5 and forces any hijack to start over.
- 9**If the attacker is someone you know personally, especially in a domestic-violence context, involve a professional before removing anything.** The National Domestic Violence Hotline (1-800-799-7233) has a technology safety team that will walk you through preserving evidence.
When to bring in a professional forensic sweep
A factory reset fixes 95% of stalkerware cases. It does not fix:
- Nation-state spyware, which can survive resets on some device generations.
- Compromises where the attacker still holds your Apple ID / Google account credentials and 2FA seed.
- Cases where you need a chain-of-custody forensic report for divorce, custody, HR or law enforcement — a self-serve reset destroys the evidence.
- Compromises of executives, board members or investigators where the threat model justifies MVT (Mobile Verification Toolkit) analysis or a Cellebrite/GrayKey extraction against a known-good baseline.
For those cases, Cybrvault's mobile forensics team runs an evidence-preserving acquisition, cross-references against the Amnesty MVT indicators, checks for carrier-side forwarding via a signed carrier records request, and delivers a written report you can hand to counsel or law enforcement. Most engagements close in 3–5 business days.
Frequently asked
Answered in the FAQ block below — includes whether *#21# actually works, whether an iPhone can be tapped without physical access, and what to do if your ex installed something before they left.
Book a phone security check with Cybrvault
If you've run the codes, walked the settings, and something still doesn't feel right — trust the instinct. A 30-minute triage call with a Cybrvault engineer is free, confidential, and usually gives you a clear answer the same day. Contact us or call **+1-305-988-9012**. We work with clients across Miami-Dade and remotely across the US.
// frequently asked
Questions teams ask us
Does *#21# really detect if your phone is tapped?+
*#21# reliably detects one specific kind of tap: unconditional call, SMS or data forwarding at the carrier level. If someone has enabled forwarding to spy on your calls or intercept your 2FA codes, *#21# will show it. It does NOT detect commercial stalkerware installed on the handset (mSpy, FlexiSpy, etc.), nation-state spyware like Pegasus, or a court-ordered wiretap at the carrier's collection point. Treat it as one check in a bigger workflow, not a definitive answer.
Can an iPhone be tapped without physical access in 2026?+
Realistically, only by nation-state-grade zero-click exploits (Pegasus, Predator, KingsPawn) — and only if you're a high-value target like a journalist, dissident, defense contractor or specific executive. For the average user with a patched iOS 18/19 device, a strong Apple ID password and 2FA, remote tapping without physical access or credential compromise is essentially not happening. The realistic risks are: someone knows your Apple ID + 2FA code, someone had your unlocked phone for 5+ minutes, or someone installed a Configuration Profile / MDM on it.
My ex installed something on my phone before they left. What do I do?+
Don't confront them, don't delete the app yet, and don't factory reset until you've preserved evidence — you may need it for a restraining order, custody, or a criminal complaint. Move to a location the phone isn't in, then: (1) take screenshots of the suspicious app and its permissions from a friend's phone camera, (2) call the National Domestic Violence Hotline (1-800-799-7233) — their tech safety team specializes in exactly this, (3) from a clean device change your Apple ID / Google, email, bank and 2FA, (4) then factory reset. If you're in South Florida, Cybrvault's team can do an evidence-preserving forensic acquisition before the reset — call +1-305-988-9012.
Will a factory reset remove phone tapping software?+
For 95% of commercial stalkerware (mSpy, FlexiSpy, Cocospy, Hoverwatch, Eyezy and similar), yes — a full factory reset removes it. Critical caveat: do NOT restore "from backup" or the spyware comes right back. Back up photos and contacts only, factory reset, then reinstall apps individually from the official store. A reset does not fix a carrier-level forwarding tap (dial ##002# for that), does not revoke stolen credentials (change every password from a clean device), and does not guarantee removal of nation-state spyware on older hardware.
How much does a professional phone forensic sweep cost?+
Typical Cybrvault engagements: a triage call is free (usually 30 minutes, gives you a clear next step). A same-day remote hardening session runs $250–$450. A full on-device forensic acquisition and written report suitable for legal proceedings — including MVT analysis for Pegasus/Predator indicators and carrier-records review — runs $1,800–$3,500 depending on device count and scope. Ninety percent of clients need the middle option, not the full forensic report.
Can law enforcement tap my phone without me knowing?+
In the US, yes — a Title III wiretap order or a pen register order authorizes the carrier to duplicate call and metadata streams at the network edge, and there is no signal on the handset that reveals it. You will not detect a lawful carrier-side tap with any app, code or scanner sold on the internet. If this is a realistic concern for you, the correct move is a criminal defense attorney, not a spyware scanner.
Does putting my phone in a Faraday bag protect me from tapping?+
A Faraday bag blocks all radio (cellular, Wi-Fi, Bluetooth, GPS) while the phone is inside. That means real-time tapping and location tracking are impossible while the device is bagged — useful for sensitive meetings. It does not remove installed spyware, and the moment you take the phone out, any spyware resumes streaming (with a queued backlog). Think of a Faraday bag as a mute button, not a fix.
// miami, fl services
Cybersecurity built for South Florida
// need help applying this?
Book a free, confidential consultation.
Our engineers can map this to your environment in 30 minutes.
Get secured// keep reading
Related articles

Guides & How-To
How to Check if Your Computer Is Hacked (Windows 11): 15 Warning Signs and How to Fix It (2026)
A hands-on 2026 guide for Windows 11 users: 15 warning signs your PC has been hacked, the exact built-in tools to confirm it (Task Manager, Event Viewer, netstat, Defender Offline), and the step-by-step recovery playbook Cybrvault uses on Miami client machines.

Mobile Security
How to Tell If Your Phone Is Hacked: 15 Warning Signs and What to Do (2026 Guide)
Worried your iPhone or Android has been hacked? Here are the 15 telltale signs your phone is compromised, how to confirm it, and the exact steps to remove the hacker and lock everything back down — written by Miami cybersecurity firm Cybrvault.

Cybersecurity Culture
Hacker Typer: The Fun and Fascinating World of Fake Hacking
Hacker Typer is the viral browser tool that makes anyone look like a Hollywood hacker. Here's how it works, why it went viral, how to use it safely, and what real ethical hacking actually looks like behind the green text.
