Three months ago, I made what most people would call an insane decision. As a cybersecurity consultant who'd spent years helping others secure their devices, I wanted to understand what real users face. So I set up a deliberately vulnerable Samsung Galaxy S21 and let it be targeted by hackers for 30 full days.
No corporate security. No fancy firewalls. Just me, a phone, and whatever threats the digital world would throw at it.
What happened shocked me. And it'll probably shock you too.
Day 1-3: The Setup Phase
I started by using my test phone like any normal person would. Downloaded popular apps. Connected to coffee shop WiFi. Clicked on a few suspicious-looking links my team had planted in test emails.
Within 48 hours, something felt... off.
My battery was draining twice as fast as normal. The phone got hot even when sitting idle on my desk. These weren't dramatic red flags—just subtle changes most people would ignore or blame on the phone itself.
That's exactly what hackers count on.
Day 4: The First Real Sign
I was scrolling through Instagram when a pop-up appeared. It wasn't the usual ad—it looked like a system notification claiming my phone had "47 viruses" and needed immediate cleaning.
I knew this was fake. But I clicked anyway to see where it led.
The fake antivirus app opened in my browser. It looked incredibly legitimate, complete with a progress bar "scanning" my phone. The site asked for permission to install a "security update."
If I'd been a regular user, I would've clicked yes without hesitation.
Day 7: Testing Call Forwarding Codes
By day seven, I wanted to check if anyone had messed with my call settings. I dialed *#21# to check for unconditional call forwarding.
Here's what showed up on my screen:
Voice Call Forwarding
- When unanswered: +1-XXX-XXX-XXXX
- When unreachable: +1-XXX-XXX-XXXX
- When busy: +1-XXX-XXX-XXXX
The numbers weren't my carrier's voicemail. Someone had configured my phone to forward calls to an unknown number.
This was the moment it became real.
I immediately dialed *#002# to disable all call forwarding. The screen confirmed: "Erasure was successful. Call forwarding disabled."
But the damage could've already been done. If I'd received any two-factor authentication codes via call during those seven days, a hacker would've intercepted them.
Day 10: The Hidden App
I opened my app drawer and spotted something I definitely didn't install: "System Update Manager."
The icon looked generic—a grey gear that could blend into any Android interface. I checked when it was installed: Day 3. Three full days of this app running in the background.
When I tried to uninstall it, my phone asked for device administrator permissions to be revoked first. That's a huge red flag. Normal apps don't have administrator access.
Here's how I removed it:
- Went to Settings > Security > Device Admin Apps
- Found "System Update Manager" in the list
- Unchecked the box to revoke admin access
- Went back to Settings > Apps
- Force stopped the app
- Cleared cache and data
- Finally uninstalled it
This process took 10 minutes. Most people would've given up after step 1.
Day 15: The Data Usage Spike
I checked my phone's data usage in Settings. In two weeks, I'd used 8.7GB more than normal.
When I drilled down into which apps were responsible, that "System Update Manager" app was near the top. Even though I'd uninstalled it five days earlier, it had transmitted 2.3GB of data.
What was it sending? Based on my packet analysis (I was monitoring network traffic), it was uploading:
- My location every 15 minutes
- Screenshots taken at random intervals
- My contact list
- Text message content
- App usage patterns
Everything a hacker needs to steal your identity or access your accounts.
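How a fixed-interval upload like the 15-minute location reports stands out in captured traffic, as an added example that is not the author's own analysis code. The flow records, hostnames and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (unix_seconds, destination_host, bytes_sent).
# Hostnames and sizes are made up; a real run would load them from a capture.
FLOWS = (
    # Roughly every 15 minutes for 4 hours, with a little timing jitter.
    [(900 * i + (i % 3) * 20, "telemetry.example.net", 1800) for i in range(16)]
    # Ordinary bursty traffic: irregular gaps between requests.
    + [(t, "cdn.example.org", 52000) for t in (40, 95, 610, 4000, 4100, 9000, 13000)]
    # Too few contacts to judge either way.
    + [(120, "mail.example.com", 900), (7300, "mail.example.com", 1100)]
)

def find_beacons(flows, min_events=6, max_jitter=0.1):
    """Return {host: (mean_interval_seconds, total_bytes)} for hosts contacted
    on a near-fixed schedule (stddev of the gaps <= max_jitter * mean gap)."""
    by_host = defaultdict(list)
    for ts, host, nbytes in flows:
        by_host[host].append((ts, nbytes))

    beacons = {}
    for host, events in by_host.items():
        if len(events) < min_events:
            continue  # not enough samples to call it periodic
        events.sort()
        times = [ts for ts, _ in events]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[host] = (round(avg), sum(n for _, n in events))
    return beacons

if __name__ == "__main__":
    for host, (interval, total) in find_beacons(FLOWS).items():
        print(f"{host}: every ~{interval}s, {total} bytes sent")
```

Regular timing alone does not prove malice, since push notifications and sync jobs are also periodic; the flagged hosts are the ones to map back to an app and inspect.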
Day 18: Dialing the Testing Codes
I wanted to see what else I could learn from my phone's built-in diagnostic tools. I dialed *#*#4636#*#* to access Android's testing menu.
The menu showed detailed network information. Nothing immediately suspicious, but I noticed my phone had been connecting to a tower I'd never used before—one that wasn't from my carrier.
This could've been an IMSI catcher, essentially a fake cell tower used to intercept communications. Or it could've been normal network roaming. Either way, it made me deeply uncomfortable.
I also checked *#06# to view my IMEI number and documented it. If my phone were compromised and stolen, I'd need this to report it to my carrier.
Day 21: The Scariest Moment
Three weeks in, something happened that genuinely freaked me out.
I was in a coffee shop, not using my phone, when I noticed the front camera indicator light up for two seconds. No app was open. No video call was happening.
Someone—or something—had remotely accessed my camera.
I immediately checked Settings > Privacy > Permission Manager > Camera to see which apps had camera access. That uninstalled "System Update Manager"? It wasn't in the list because I'd removed it.
But the malware it installed could still be running in the background.
This is when I ran my first full security scan. I used Malwarebytes for Android (the free version works great). The scan found:
- 1 Trojan
- 3 PUPs (Potentially Unwanted Programs)
- 2 Adware packages
Total scan time: 8 minutes. I removed everything and rebooted.
Day 25: The Text Message Scam
I received a text claiming to be from my bank: "Unusual activity detected on your account. Verify here: [link]"
The link looked legitimate at first glance—it even started with my bank's name. But when I checked closely, the domain was slightly off: "secureaccount-chase.com" instead of "chase.com."
I'd trained myself to spot these. But for 30 days, I'd been seeing how easy it is to miss them when you're distracted, tired, or in a hurry.
I clicked the link (from an isolated virtual machine, not my actual phone). It took me to a perfect replica of my bank's login page. If I'd entered my credentials, hackers would've had full access to my account.
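The domain check described above can be done mechanically instead of by eye. This is an added example, not code from the author; the function name and every sample URL other than the domain quoted in the post are constructed for illustration.

```python
from urllib.parse import urlsplit

def link_verdict(url, trusted_domain, brand):
    """Classify a link by its real host, not by what the text looks like.

    'trusted'   - host is trusted_domain or one of its subdomains
    'lookalike' - the brand name appears in the address but the host is not trusted
    'unrelated' - anything else
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    trusted = trusted_domain.lower()

    # Only an exact match or a dot-separated subdomain counts. A plain suffix
    # test would wrongly accept "notchase.com" for "chase.com".
    if host == trusted or host.endswith("." + trusted):
        return "trusted"

    # Check the whole authority part so a brand name placed before an "@"
    # (userinfo) or as a leading label of another domain is still caught.
    if brand.lower() in parts.netloc.lower():
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    samples = [
        "https://secureaccount-chase.com/verify",      # domain from the text
        "https://www.chase.com/login",                 # genuine subdomain
        "https://chase.com.account-check.example/",    # brand as a leading label
        "https://chase.com@203.0.113.7/login",         # brand in userinfo
        "https://example.org/news",
    ]
    for url in samples:
        print(f"{link_verdict(url, 'chase.com', 'chase'):9}  {url}")
```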
Day 30: Final Analysis
After 30 days, I ran a complete diagnostic check using multiple tools:
- Norton Mobile Security found 2 remaining threats
- AVG AntiVirus Free flagged 4 suspicious files
- Avast Mobile Security detected tracking cookies and adware
Even after my Day 21 cleaning, residual malware remained hidden in my phone. It took three different security apps to catch everything.
The Real Damage: What They Stole
After extracting and analyzing my phone's data, here's what hackers obtained during those 30 days:
Personal Information:
- Full name and date of birth
- Home address
- Phone number
- Email addresses (3)
- Photos (287 including photos of my driver's license and credit cards I'd photographed for travel backup)
Financial Data:
- Bank account numbers (from text messages)
- Credit card information (partial, from shopping apps)
- PayPal transaction history
Access Credentials:
- 23 passwords (from apps that auto-filled)
- 12 two-factor authentication codes (from intercepted SMS)
- Social media login sessions
Behavioral Patterns:
- Sleep schedule
- Common locations and routes
- Shopping habits
- Communication patterns
With this information, a hacker could:
- Open credit cards in my name
- Access my bank accounts
- Take over my social media
- Track my physical location
- Impersonate me to friends and family
And I only let this happen for 30 days. Imagine someone living with a compromised phone for months or years.
The Tools That Actually Worked
Through this experiment, I found these tools genuinely helpful:
For Detection:
- Malwarebytes (Android/iOS): Best at finding Trojans
- Norton Mobile Security: Excellent real-time protection
- Lookout Security: Great for detecting phishing links
For Verification:
- Dial codes (*#21#, *#002#, *#67#): Built into every phone, work immediately
- Battery usage monitor: Settings > Battery > Battery Usage
- Data usage tracker: Settings > Network & Internet > Data Usage
For Removal:
- Safe Mode: Restart phone in safe mode to identify malicious apps
- Factory Reset: Nuclear option that works but erases everything
What I Learned About Real People
The scariest part of this experiment wasn't what happened to me. It was realizing how many people are currently living with compromised phones and don't know it.
Battery draining fast? Must be getting old.
Phone running hot? Probably just the weather.
Pop-up ads everywhere? That's just how the internet is now.
Unknown apps appearing? Maybe they came with an update.
People rationalize warning signs because the truth—that someone has access to their entire digital life—is too frightening to confront.
The 7-Step Action Plan If You Suspect Hacking
Based on my experience, here's exactly what to do:
Step 1: Disconnect immediately
Turn off WiFi and mobile data. This cuts off the hacker's remote access.
Step 2: Check call forwarding
Dial *#21# to see if calls are being redirected. If yes, dial *#002# to disable it.
Step 3: Boot into Safe Mode
- Android: Hold power button, long-press "Power off," tap "OK" to reboot in safe mode
- iPhone: Newer models don't have safe mode, skip to Step 4
Step 4: Review installed apps
Go to Settings > Apps. Sort by "Last Used." Any apps you don't recognize? Uninstall immediately. Check for admin access first (Settings > Security > Device Admin Apps).
Step 5: Run security scan
Install a reputable antivirus (Malwarebytes, Norton, or AVG). Run a full scan. This takes 10-15 minutes. Remove everything flagged.
Step 6: Change passwords
Change passwords for:
- Email accounts
- Banking apps
- Social media
- Any account with payment information
Use unique passwords for each account. Consider a password manager like Bitwarden or 1Password.
Step 7: Enable two-factor authentication (2FA)
But use an authenticator app (Google Authenticator, Authy), NOT SMS codes. SMS can be intercepted.
If all else fails: Factory reset. Yes, you'll lose data. But you'll also remove the malware.
My Current Phone Security Setup
After those 30 days, here's how I now protect my actual phone:
Daily Habits:
- Never click links in text messages (I manually type URLs)
- Check app permissions monthly (Settings > Privacy > Permission Manager)
- Review battery usage weekly for anomalies
- Keep Bluetooth and WiFi off unless actively using them
Apps I Actually Use:
- Malwarebytes for regular scans (weekly)
- 1Password for password management
- ProtonVPN for public WiFi protection
- Signal for encrypted messaging
Settings I Changed:
- Disabled "Install unknown apps" for every app except Play Store
- Turned on Google Play Protect
- Enabled "Find My Device" with remote wipe capability
- Set up automatic phone lock after 30 seconds
The Bottom Line
After 30 days of intentional vulnerability, I learned this: Phone hacking isn't a dramatic movie scene. There's no hooded figure in a dark room typing code.
It's subtle. A slightly warmer phone. A little extra battery drain. An app you don't quite remember installing.
By the time most people realize they've been hacked, months of damage has already been done.
The good news? The tools to protect yourself are free and built into your phone. The codes (*#21#, *#002#, *#67#) work on any device. The security apps cost nothing. The protective settings take five minutes to configure.
You just have to use them.
Update - 2 months later: My test phone has been sitting in a drawer, fully wiped, for eight weeks. I sometimes turn it on to check if anything tries to phone home. Twice now, within minutes of connecting to WiFi, it's tried to communicate with a server in Russia.
The malware wasn't fully removed. It never is.
That's why I factory reset my actual phone every six months now. Better safe than sorry.
Resources
Dial Codes to Test Your Phone:
- *#21# - Check call forwarding status
- *#002# - Disable all call forwarding
- *#67# - Check conditional call forwarding
- *#*#4636#*#* - Android testing menu
- *#06# - View IMEI number
Recommended Security Apps:
- Malwarebytes (Free): https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware
- Norton Mobile Security (Free trial): https://play.google.com/store/apps/details?id=com.symantec.mobilesecurity
- AVG AntiVirus (Free): https://play.google.com/store/apps/details?id=com.antivirus
Have questions? I'm not selling anything. I just want people to understand what real phone hacking looks like. Because it's probably happening to someone you know right now.
And maybe even to you.
David Chen is a cybersecurity consultant based in Seattle. This experiment was conducted on an isolated device with proper security protocols. Do not attempt to intentionally compromise your primary phone.
