How to Remove a Hacker From Your Phone: The 2026 Step-by-Step Recovery Guide (iPhone & Android)
A hacker on your phone is a live emergency — banking apps, 2FA codes, photos, email, and saved passwords are all one tap away. This 2026 guide walks you through the exact steps to kick an attacker off an iPhone or Android, lock down your accounts, and stop it from happening again.

If you're reading this, your phone is doing something it shouldn't — battery dying by lunch, pop-ups in Safari you didn't open, texts in your Sent folder you never wrote, or a 2FA code arriving for a login you didn't try. A hacker on a modern smartphone has access to almost everything: your bank, your email, your photos, your location, and the 2FA codes that protect every other account you own. Speed matters more than perfection.
This guide is the exact playbook the Cybrvault incident-response team uses with Miami clients who walk in with a compromised phone. It works for iPhone (iOS 17, 18, and 19) and Android (12 through 15). If you only have 10 minutes, do the Emergency Containment section first — it stops the bleeding. The rest hardens you so it doesn't happen again.
Emergency Containment: Do These 5 Things in the Next 10 Minutes
Before any deep clean-up, you need to cut the attacker's live connection. A remote-access trojan, a malicious mobile-device-management (MDM) profile, or a stalkerware app like mSpy, FlexiSpy, or Cocospy is only useful while the phone is online.
1. Put the phone in Airplane Mode AND turn Wi-Fi off separately. Airplane Mode alone doesn't always kill Wi-Fi on iOS — toggle Wi-Fi off in Settings too.
2. Remove the SIM card (or disable the eSIM in Settings → Cellular). This blocks SIM-swap attackers from intercepting fresh 2FA codes while you work.
3. From a different, trusted device (a laptop you trust, a family member's phone), change the password on your primary email account first — Gmail, iCloud, or Outlook. Email is the master key; lock it before anything else.
4. On that same trusted device, sign out of all sessions on Google (myaccount.google.com → Security → Your devices), Apple ID (appleid.apple.com → Devices), and Microsoft (account.microsoft.com → Devices).
5. Call your bank and crypto exchanges and put a verbal 24-hour hold on outbound transfers. Most major US banks (Chase, BofA, Wells Fargo, Citi) and exchanges (Coinbase, Kraken, Gemini) will do this on request.
Now the attacker can't move money, can't receive your 2FA codes, and can't see what you do next. Keep the phone in Airplane Mode until you finish the steps below.
Confirm It's Actually Hacked (5 Signs vs Normal Glitches)
Half the phones people bring us aren't hacked — they're just full of background apps. Real compromise usually shows several of these together, not just one:
- Battery drops from 100% to 50% in under 4 hours with light use, even after a fresh restart.
- The phone is warm in your pocket when you haven't used it for an hour.
- Mobile data usage shows 1GB+ per day going to apps you don't recognize (Settings → Cellular on iPhone, Settings → Network & Internet → SIMs → App data usage on Android).
- Pop-up ads inside Safari/Chrome when you're not browsing, or random calendar invites with shady links.
- 2FA codes arriving for logins you didn't attempt, or password-reset emails you didn't request.
If you see 3+ of these, assume compromise and continue. For a deeper diagnostic checklist, read our companion guide: How to Tell If Someone Is Tracking Your Phone.
Remove a Hacker From an iPhone (iOS 17–19)
iPhones are harder to compromise than Android, but not immune. The four real attack paths in 2026 are: a malicious configuration profile (the most common, and 100% removable), a rogue MDM enrollment, a sideloaded app via TestFlight or AltStore, and an iCloud account someone else has the password to. True zero-click spyware like Pegasus exists but is vanishingly rare on consumer devices — usually it's one of the four above.
Step 1 — Update iOS to the Latest Version
Settings → General → Software Update. Apple ships emergency Rapid Security Responses for actively exploited bugs; install them. If the phone refuses to update or the toggle is greyed out, that itself is a sign of a restrictive MDM profile — go to Step 2.
Step 2 — Remove Configuration Profiles and MDM Enrollments
Settings → General → VPN & Device Management. A clean personal iPhone shows nothing on this screen. If you see anything you didn't deliberately install — especially anything labeled 'MDM,' 'Supervisor,' a company name you don't work for, or random words like 'AppleCare Profile' — tap it and choose Remove Management/Profile. This single step removes the majority of consumer iPhone compromises.
Step 3 — Audit Installed Apps
Settings → General → iPhone Storage. Sort by Last Used. Delete anything you don't recognize, plus any 'parental control,' 'family locator,' 'phone cleaner,' or 'battery saver' app you didn't choose. Stalkerware on iOS almost always disguises itself as one of these four categories.
Step 4 — Check Apple ID Devices and Trusted Phone Numbers
From a trusted computer, sign in at appleid.apple.com → Devices. Remove every device that isn't yours. Then go to Sign-In and Security → Trusted Phone Numbers and remove any number that isn't yours — attackers add a burner number here so they keep receiving your 2FA after you change your password.
Step 5 — Rotate Apple ID Password and Enable Stolen Device Protection
Change your Apple ID password from the trusted computer (not the phone). Use a 16+ character passphrase. Then on the phone: Settings → [Your Name] → Sign-In & Security → Stolen Device Protection → On. This adds Face ID + a 1-hour delay to sensitive changes even if someone has your passcode — a 2026 feature most iPhone users haven't enabled.
Step 6 — Reset Network Settings
Settings → General → Transfer or Reset iPhone → Reset → Reset Network Settings. This wipes any malicious Wi-Fi profiles and proxy settings without touching your data.
Bring the phone out of Airplane Mode and watch battery and data usage for 24 hours. If anything is still off, factory reset (see the Factory Reset section below).
Remove a Hacker From an Android Phone (Android 12–15)
Android has more attack surface than iOS — sideloaded APKs, accessibility-service abuse, and OEM bloatware all create entry points. The good news: Android also gives you more tools to clean up.
Step 1 — Boot Into Safe Mode
Hold the power button, then long-press 'Power off' until you see 'Reboot to safe mode' → tap OK. In Safe Mode, only system apps run — third-party malware is dormant. If your symptoms disappear in Safe Mode, you've confirmed it's a malicious app.
Step 2 — Audit Device Admin and Accessibility Permissions
Stalkerware on Android survives because users grant it Device Admin and Accessibility access without realizing what they're approving. Check both lists and revoke anything suspicious.
- Settings → Security → Device admin apps (or Settings → Security & privacy → More security settings → Device admin apps on Samsung). Disable anything you didn't deliberately enable. Find My Device is normal — keep it.
- Settings → Accessibility → Installed apps (or Downloaded apps). Disable anything except apps you're actively using for accessibility purposes. Stalkerware lives here.
- Settings → Apps → Special app access → Display over other apps. Disable anything you don't recognize — overlay malware steals banking credentials this way.
Step 3 — Uninstall Unknown Apps
While in Safe Mode: Settings → Apps → See all apps. Sort by Date installed. Uninstall anything installed around the time symptoms started, plus anything with a generic name like 'System Service,' 'Update Service,' 'WiFi Helper,' or 'Battery Master.' If an app refuses to uninstall, it's likely registered as a Device Admin — go back to Step 2 and disable it there first.
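The Step 2 and Step 3 audit can also be scripted from a trusted computer over USB with adb. The sketch below is an added example, not part of the original guide or Cybrvault's tooling: it cross-references the three privilege lists with each app's install source so sideloaded apps holding those privileges surface first. It assumes USB debugging is enabled; the command output is constructed, the `com.example.*` package names are placeholders, and the output layouts are assumptions that vary by Android version and OEM.

```python
import re

# Constructed samples of what each adb command is assumed to print (USB debugging on).
# adb shell settings get secure enabled_accessibility_services
A11Y = "com.google.android.marvin.talkback/.TalkBackService:com.example.updateservice/.A11yService"
# adb shell dumpsys device_policy
DEVICE_POLICY = """\
Enabled Device Admins (User 0, provisioningState: 3):
  com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
    uid=10123
  com.example.updateservice/.AdminReceiver:
"""
# adb shell appops query-op SYSTEM_ALERT_WINDOW allow
OVERLAY = "com.example.updateservice\ncom.example.chatheads\n"
# adb shell pm list packages -3 -i
THIRD_PARTY = """\
package:com.example.updateservice  installer=null
package:com.example.chatheads  installer=com.android.vending
"""
STORES = {"com.android.vending", "com.sec.android.app.samsungapps"}  # Play, Galaxy Store
ORDER = {"sideloaded": 0, "store-installed": 1, "preinstalled": 2}


def privileged(a11y, policy, overlay):
    """Map package -> set of the Step 2 privileges it currently holds."""
    held = {}
    for comp in a11y.strip().split(":"):
        if comp and comp != "null":  # "null" means no service is enabled
            held.setdefault(comp.split("/")[0], set()).add("accessibility")
    for pkg in re.findall(r"^[ \t]+([\w.]+)/[\w.$]+:[ \t]*$", policy, re.M):
        held.setdefault(pkg, set()).add("device_admin")
    for pkg in re.findall(r"^[\w.]+$", overlay, re.M):
        held.setdefault(pkg, set()).add("overlay")
    return held


def triage(a11y, policy, overlay, pm_output):
    """Return (package, privileges, verdict) rows, sideloaded apps first."""
    source = dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))
    rows = []
    for pkg, privs in privileged(a11y, policy, overlay).items():
        if pkg not in source:
            verdict = "preinstalled"     # absent from the -3 list; confirm by eye
        elif source[pkg] in STORES:
            verdict = "store-installed"
        else:
            verdict = "sideloaded"       # disable in Step 2, uninstall in Step 3
        rows.append((pkg, sorted(privs), verdict))
    return sorted(rows, key=lambda r: (ORDER[r[2]], r[0]))


if __name__ == "__main__":
    for pkg, privs, verdict in triage(A11Y, DEVICE_POLICY, OVERLAY, THIRD_PARTY):
        print(f"{verdict:16}{pkg:36}{', '.join(privs)}")
```

A "preinstalled" verdict only means the package is not in the third-party list; Find My Device's admin entry lands there, as do OEM apps that still deserve a look.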
Step 4 — Run Play Protect + a Second Scanner
Open Play Store → tap your profile → Play Protect → Scan. Then install one of: Malwarebytes for Android, Bitdefender Mobile Security, or ESET Mobile Security. Run a full scan. Two engines catch what one misses.
Step 5 — Revoke Google Account Sessions
From a trusted computer: myaccount.google.com → Security → Your devices → Sign out of any device you don't recognize. Then Security → Third-party apps with account access — revoke anything you don't actively use.
Step 6 — Reboot Normally
Power off, power back on (not Safe Mode). Watch battery and mobile data usage for 24 hours. If symptoms return, factory reset.
Lock Down the Accounts the Attacker Touched
A clean phone with a poisoned cloud account is still hacked. Once the device is clean, treat every account that was logged in on it as potentially compromised. Work through this list from a trusted computer:
1. Primary email (Gmail, iCloud, Outlook) — change password, enable hardware-key or passkey MFA, revoke all sessions.
2. Apple ID / Google Account — change password, remove unknown devices and trusted phone numbers, regenerate recovery codes.
3. Banking and brokerage apps — change password, re-enroll in app-based 2FA (not SMS), call to confirm no pending transfers.
4. Crypto exchanges and wallets — change password, rotate API keys, whitelist withdrawal addresses, move funds if you suspect seed-phrase exposure.
5. Password manager (1Password, Bitwarden, Dashlane) — change master password, rotate any vault items the attacker likely viewed.
6. Social media (Instagram, Facebook, X, TikTok, LinkedIn) — change password, end all sessions, remove unknown logged-in apps.
7. Work email and Microsoft 365 / Google Workspace — notify your IT or MSP immediately so they can review audit logs and revoke tokens server-side.
We cover the social-media recovery flow in detail in How to Recover a Hacked Facebook or Instagram Account, and the email-exposure check in Is My Email on the Dark Web?
Factory Reset: The Nuclear Option (When to Use It)
If you saw multiple infection signs, the symptoms returned after cleanup, or banking/crypto credentials were on the device, do a full factory reset. It's the only 100%-certain removal.
- iPhone: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings.
- Android: Settings → System → Reset options → Erase all data (factory reset). On Samsung: Settings → General management → Reset → Factory data reset.
- Critical: do NOT restore from an iCloud, Google Drive, or Samsung Cloud backup made after the compromise. Backups can re-import malicious profiles, MDM enrollments, and sideloaded APKs. Set the phone up as new and reinstall apps manually from the App Store / Play Store.
- Photos and contacts are fine to restore — they're not executable. Apps and configuration profiles are not.
A factory reset will not remove a hardware-level implant, but those are extraordinarily rare on consumer phones. If you're a journalist, activist, executive, or anyone with a credible nation-state threat model, replace the device entirely and call us — that's a different conversation.
How to Keep It From Happening Again
Most phone compromises in 2026 trace back to four things. Fix all four and you'll cut your risk by 90%+:
1. Stop sideloading. Only install apps from the App Store, Play Store, or Samsung Galaxy Store. No APKs from forums, no TestFlight invites from strangers, no 'modded' game installers.
2. Move off SMS 2FA. Use passkeys where available, then an authenticator app (1Password, Authy, Google Authenticator), then a hardware key (YubiKey 5C NFC) for the highest-value accounts. We break down why in Passkeys vs Passwords.
3. Turn on Lockdown Mode (iPhone) or Advanced Protection (Android/Google). Both block the rare classes of attacks that survive normal hygiene.
4. Audit installed apps quarterly. Delete anything you haven't opened in 90 days. Each unused app is a free attack surface.
Add automatic OS updates, a real screen lock (6+ digit numeric or alphanumeric — not Face ID alone), and Find My iPhone / Find My Device with remote wipe enabled. These four habits plus the four above put you ahead of 99% of phone owners.
When to Call a Professional
Get an incident responder involved within 24 hours if any of the following apply:
- Money has moved from a bank or crypto account you didn't authorize.
- Work email, Microsoft 365, or a corporate VPN was active on the device.
- You're seeing 2FA-code SMS for accounts you don't even have — that points to SIM swap, not just phone malware.
- Symptoms persist after a full factory reset and clean restore.
- You're a high-risk individual: founder, attorney, physician, real-estate principal, family-office staff, public figure.
Cybrvault provides emergency mobile incident response across Miami-Dade and Broward — Brickell, Downtown, Coral Gables, Coconut Grove, Aventura, Miami Beach, and Fort Lauderdale — with same-day on-site triage for SIM-swap, stalkerware, and business-email compromise cases. We isolate the device, preserve forensic evidence, lock down your accounts from a clean workstation, and coordinate directly with your bank's fraud team. Learn more at /miami/personal-security or book an emergency consult at /contact.
Bottom Line
A hacked phone is a recoverable problem if you move in order: contain the live session first (Airplane Mode + SIM out + email password from a clean device), then clean the device (profiles, apps, scanners, or factory reset), then lock down every account that touched it. Skipping the account-lockdown step is why most people 'clean' their phone and get re-compromised within a week — the attacker still has your Google or iCloud session. Do it in order, do it from a trusted device, and switch to passkeys and an authenticator app so this never happens to you twice.
Questions teams ask us
How do I get a hacker off my phone immediately?
Put the phone in Airplane Mode, remove the SIM (or disable the eSIM), then from a different trusted device change your primary email password and sign out all sessions on your Google or Apple ID account. That cuts the attacker's live access in under 5 minutes. After that, on iPhone remove any unknown configuration profile under Settings → General → VPN & Device Management; on Android boot to Safe Mode and uninstall unknown apps. Factory reset is the 100%-certain final step.
Will a factory reset remove a hacker from my phone?
Yes — a true factory reset removes essentially all consumer-grade phone malware, stalkerware, and malicious configuration profiles. The critical caveat is to set the phone up as new afterward, not restore from a cloud backup made after the compromise, because backups can re-import the malicious profile or sideloaded app. Photos and contacts are safe to restore; apps and profiles should be reinstalled manually.
Can someone still access my phone after I change my password?
Yes, if you only change the lock-screen passcode. You also need to change your Apple ID or Google Account password from a separate trusted device, sign out all active sessions, remove any unknown trusted phone numbers, and revoke third-party app access. Most re-compromises happen because the attacker still has a valid cloud-account session even after the device is cleaned.
How do I know if a hacker is still in my phone?
After cleanup, watch for these indicators over 48 hours: battery draining faster than baseline, the phone running warm at idle, mobile data usage spiking to unknown apps, 2FA codes arriving for logins you didn't attempt, or pop-ups inside Safari/Chrome when you aren't browsing. If any of these return, factory reset and restore as new — and call an incident responder if banking or work accounts were involved.
Does *#21# or ##002# really show if my phone is hacked?
Mostly no. *#21# shows call/SMS forwarding status, which can occasionally catch a basic SIM-swap or carrier-level forward, but it does not detect modern stalkerware, malicious profiles, or remote-access trojans. Treat it as one small data point — not a real diagnostic. Use the device-storage, profile, and accessibility audits described in this guide instead.
Can a hacker access my phone if it's turned off?
Practically, no for consumer threats. A fully powered-off phone (not just locked) cannot run software, accept incoming connections, or transmit data. Powering off is one of the strongest containment moves you can make. The exception is a hardware implant on a targeted high-risk device, which is extraordinarily rare outside nation-state contexts.
Does Cybrvault help remove hackers from phones in Miami?
Cybrvault offers same-day mobile incident response across Miami-Dade and Broward — including Brickell, Downtown Miami, Coral Gables, Coconut Grove, Aventura, Miami Beach, Doral, Pinecrest, Key Biscayne, and Fort Lauderdale. We isolate the compromised device, preserve forensic evidence for insurance or law-enforcement reports, lock down your accounts from a clean workstation, and coordinate directly with bank, crypto-exchange, and carrier fraud teams. Book an emergency consult at /contact.
