Introduction

Let’s get straight to business. Mobile hacking is not rare anymore, it’s actually quite common now. Many times, hackers don’t even need advanced techniques. They just take advantage when we unknowingly give apps too many permissions. The good part is, you can quickly check your phone in just 5 minutes using Termux and a few simple commands even if your phone is not rooted. This is not a deep technical investigation. It’s just a quick check to spot any obvious warning signs. If you find something suspicious, you can take action. If everything looks fine, you still get peace of mind and a more secure phone.

What You’ll Need

• An Android phone (non-rooted is fine)
• Internet connection
• Install Termux from Play Store

Why Termux? It gives you a controlled Linux-like environment to inspect processes, network connections, and packages without modifying the device.

Step 1: Install & Initialize

Open Termux and run:

pkg update -y && pkg upgrade -y
pkg install procps net-tools lsof -y

These commands will:

• Updates package indexes
• Installs utilities to list processes (ps), network (netstat), and open files (lsof)

Step 2: Scan Running Processes

ps -A

By running this command we will list:

• Unknown services running persistently
• Suspicious naming patterns (e.g., update_service, system_monitor, daemonX)
• Processes you don’t associate with installed apps

run these commands:

ps -A | grep -i monitor
ps -A | grep -i track
ps -A | grep -i spy

Meaning of commands:

• One odd process isn’t proof of compromise
• Multiple unknown background processes = risk signal

Step 3: Inspect Active Network Connections

netstat -tulnp

list all connections to the Command and Control server:

• Persistent outbound connections to unknown IPs
• Listening ports you didn’t expect
• Suspicious ports: 4444, 5555, 6666 (commonly abused in testing/malware scenarios)

Red flags:

• Connection remains active even when phone is idle
• Unknown process tied to a remote endpoint

Why this matters: Most spyware needs to exfiltrate data. Network activity is the choke point.

Step 4:  Check Open Files & Device Access

lsof

This will list application using your:

• Camera
• Microphone
• Storage logs

Indicators:

• Unexpected process touching /dev/video or audio interfaces
• Continuous file access patterns

If something is recording or scraping, it shows up here at least at user level.

Step 5: Review Installed Packages

pm list packages

This will tell:

• Apps you don’t recognize
• System-looking names that aren’t real system apps (e.g., com.android.service.update, com.system.core.patch)

Next step (manual):

Go to Settings → Apps → Installed Apps and cross-check.

Pro tip: Malware often hides behind generic or technical names.

Step 6: Permission Abuse Check (Critical)

Run:

dumpsys package | grep permission

Then manually verify:

• High-risk permissions
• Accessibility Service (biggest red flag)
• SMS access
• Microphone + Camera
• “Display over other apps”

Where to check manually:

• Settings → Accessibility
• Settings → Privacy → Permission Manager
• Settings → Apps → Special App Access

If a random app has Accessibility access, treat it as a potential compromise.

If You Suspect Your Phone Is Hacked (Do This Immediately)

• Turn on Airplane mode
  • Disconnect from Wi-Fi
  • Eliminate obvious threats
• Remove unknown apps
  • Disable suspicious permissions
  • Validate environment
• Boot into Safe Mode
  • Re-check behavior
  • Reset (Most Effective)
  • Backup essentials (photos, contacts only)
• Perform factory reset
  • Harden after reset

Finally

Mobile threats often work because we don’t really see what’s happening inside our phones. This quick check helps you understand what’s going on, so you can make better decisions. Try doing this check from time to time. If you notice anything unusual, take it seriously. And if something doesn’t feel right, don’t try to fix everything manually just reset your phone and start fresh.