Has my phone been hacked?

I have noticed that my phone has a history of Google searches that were not initiated by me. Also, my phone sent several text messages to multiple contacts that I did not write. Additionally, I have reason to suspect that several Gmail accounts were created in my name (through my phone!); I happened to discover these accounts a few days later. Email forwarding was attempted to be set up from my existing account to the new “unauthorized” accounts, but was unsuccessful. My computer has no malware or spyware on it. How can I make sure that my phone settings are such that my privacy is protected?

I have noticed that my phone has a history of Google searches that were not initiated by me.
are they jibberish text (e.g. “qw;fnasvnq;er”)?

if so you most likely have accidentally opened the google app while the phone is in your pocket.

nonsense sets of words (e.g. “the duck platoon horse hockey”)?

if so the speech recognition may well have been turned on accidentally, again while in your pocket or bag (hence poor recognition of the spoken words, but this time resulting in actual words becuase speech recognition assumes you speak with real words)

or finally, do the old searches resemble proper sentences or phrases (e.g. “and then sally drove away”)?

if so the speech recognition was likely triggered when the phone was in your hand or otherwise not obscured from your or surrounding voices.

an attacker (somehow remotely doing nefarious things on your phone), however unlikely, would almost certainly never try to perform google searches from your phone - they would use google on their own side and try to use the connection to your phone surgically: only performing operations on your device that were required to get their nefarious tasks done.

Also, my phone sent several text messages to multiple contacts that I did not write.
accidental speech recognition is again a common source of this sort of thing. are the texts to known contacts? are they nefarious in any way? or might they match the above descriptions? perhaps you should turn off the speech recognition features for a bit and see if the issues resolve?

Additionally, I have reason to suspect that several Gmail accounts were created in my name (through my phone!);
two questions: what makes you believe these accounts were created ‘in your name’, and why do you suspect they would have been created from your phone?

note: creating a google account in someone’s name doesn’t require working from their device at all. you could go to the public library computers and create a google account right now, putting anyone’s name in the required fields. that seems the probable approach someone would take.

I happened to discover these accounts a few days later. Email forwarding was attempted to be set up from my existing account to the new “unauthorized” accounts, but was unsuccessful.
this bit is interesting and the only observation so far which really suggests something nefarious to me. what have you observed, precisely, to reach this conclusion? I suggest you forward the evidence to google’s abuse team; forward them to "abuse@gmail.com" and/or fill out the following form: I would like to report a Gmail user who has sent messages that violate the Gmail Program Policies and/or Terms of Use. -…

My computer has no malware or spyware on it.
how do you know this for sure? antivirus and antimalware apps are notoriously poor and do little more than offer false confidence. i wouldn’t take a clean report from such tools as authoritative at all, but merely suggestive. if you are using such apps then you “probably don’t have malware or spyware”. most modern malware is designed specifically to avoid detection and are generally successful at that for months before the first PC tools begin detecting them (generally as a result of human observation of the malware in the wild followed by reverse engineering of the software and finally an update sent out to PC software providing ‘signatures’ to check those machines for the same type of malware)

How can I make sure that my phone settings are such that my privacy is protected?
this question seems answerable at first, but it’s actually quite a nebulous concept. it’s like asking how to be sure your car is safe to drive. airbags, seatbelts, crumple zones, they all help - but then there are airbags which fire shrapnel in your face (see recent recalls by toyota and others) and many other examples. there are analogous issues with computer security and so it’s difficult give a simple set of bullet points saying “follow these few steps and you’re safe”. generally, like with cars, educating the operator (e.g. drive safely) is the number one safety mechanism. with that most issues are obviated and without that all the safety systems in the world can be rendered useless. educating the operator is a constant effort - you, me, everyone must have some foundational knowledge in order to operate our devices safely and the stuff forming that necessary foundation is always growing even if our knowledge grows stale.

let’s get through the immediate issues from above before trying to lock down settings and share our mutual understanding of how to avoid the proverbial car accident.

Thanks for the answers!

To the first: As the connectivity of my phone is poor in my house, I don’t have a habit of carrying it around. Consequently, my phone was left alone in my room (which I do not share) with a closed door. When I would check it in the evening (after it had been alone/“unattended” for several hours while all members of the household were downstairs), I would discover that “my” search results were ready. The searches weren’t nonsense; typically they were of phrases such as “nude girls” and other pornographic result

To the third: The reason why I think they were created “in my name” is that the email addresses were a) very similar to an existing email address of mine and b-c) used my first and last name as an email address. (My name is not common.) I was access the accounts and I discovered several drafts in each account addressed to contacts of mine. I’m not sure how to explain the next part; each Google contact has a user-designated pseudonym and then the actual email address (e. g., “Johnny” johnsmith@yahoo.com). The drafts were “addressed” to the contacts using the user-designated pseudonym but did not contain the email address. (Sorry, I don’t know how to explain this over text any more clearly!) A couple of reasons why I believe that these emails were created from my phone (or a phone, perhaps) is that 1) the drafts addressed to my contacts contained emoticons which can be accessed through my phone but aren’t available through Gmail (perhaps this is a weak reason), and 2) my phone’s keyboard had autosaved one of the “unauthorized” email addresses (and it was a word that I had never used nor had reason to use previously).

To the fourth: When I discovered the “unauthorized” email accounts, one of the first things I did was to look at the settings of each. Under the “Accounts and Import” and “Forwarding and POP/IMAP” tabs, I found that one of my existing email accounts was listed as an account from which mail and contacts were to be imported. However, there was a note by the address stating that email forwarding had not begun because it was not approved. Secondly, I was receiving emails in my existing email accounts which stated that those addresses were the back up email addresses for the new, “unauthorized” accounts.

To the fifth: I am no expert as to malware and spyware, which is why I took my computer in to a technician; he was the one who gave the computer a clean bill of health!

Anyway, thanks for the assistance!

I think you need to open up with the possibility that someone else IN YOUR HOUSE is using your phone. If your on screen keyboard saved an email address, then that is a sign to me that someone has physical access to your phone. A hackers actions wouldn’t save in the on screen keyboard re-type. Of all the things a true hacker would do with remote access to your phone, the things you describe don’t lineup with what might be a normal hackers priority.

The searches for nude stuff hint towards an immature child or possibly an adult in the house who thinks using your phone is less visible for being caught then the house computer.

I read your discussion on the forwarding of email accounts but it was not clear. Overall, if someone is trying to forward your emails to some other account, then consider a nosy kid or a husband/boyfriend who thinks you are messing around and is trying to monitor you. Or the person set up the email forward to see if you are contacting people to give themselves a heads-up to stop using your phone for bad reasons.

Sorry this seems so pointed and personal, but its a possibility. You should assign a screen lock and/or sim pin to your phone (and dont tell anyone in your house what the codes are) and monitor it closely afterwards. If the activity stops, then you have physically stopped someone (in your house or wherever). If it continues, then maybe the possibility of a remote attack is next.

Thanks for the answers!

To the first: As the connectivity of my phone is poor in my house, I don’t have a habit of carrying it around. Consequently, my phone was left alone in my room (which I do not share) with a closed door. When I would check it in the evening (after it had been alone/“unattended” for several hours while all members of the household were downstairs),

interesting. the rest of your message strongly suggests that a roommate (or visitor) may have been the culprit here, and would likely have physically used the phone rather than act via malware of some sort. i’ll detail my thoughts on each point below, but strongly suggest adding a PIN or PASSWORD to protect your phone in the meantime (see here: How to Secure Your Android Phone with a PIN, Password, or Pattern )

I would discover that “my” search results were ready. The searches weren’t nonsense; typically they were of phrases such as “nude girls” and other pornographic result

so you observed the google app was open and the search results were present on the screen? if the phone is configured to listen for “ok google [state what you want to search for]” it would be possible for a nearby person to have hollered at their own phone, “ok google, show me pornographic pictures”. this seems unlikely as most folks tend to be more discrete. for this reason i suggest the search results were more likely to have come from manually TYPED queries. note that malware would not use the google apps, malware would explicitly open a particular internet resource (often as a means of generating advertising revenue for that internet resource or to steer your attention to it in the hopes you would use it, e.g. a specific pornographic website rather than a broad search for such content in general which could return ANY such sites)

To the third: The reason why I think they were created “in my name” is that the email addresses were a) very similar to an existing email address of mine and b-c) used my first and last name as an email address. (My name is not common.)
these gmail accounts were logged-in on the phone? you actually had access to them, right? this does suggest the perpetrator actually used your phone to create the accounts. i am starting to worry that someone in your home (whether a roommate or visitor) ought to be on your list of people to never be alone with…

I was access the accounts and I discovered several drafts in each account addressed to contacts of mine. I’m not sure how to explain the next part; each Google contact has a user-designated pseudonym and then the actual email address (e. g., “Johnny” johnsmith@yahoo.com). The drafts were “addressed” to the contacts using the user-designated pseudonym but did not contain the email address. (Sorry, I don’t know how to explain this over text any more clearly!)

i think this was pretty clear and believe i understand properly. again, we are probably talking about someone physically using your phone. it is POSSIBLE they created the accounts then went elsewhere to create those drafts - in this case the drafts themselves would sync over to your phone. i suggest changing the passwords to those fake accounts - you can likely do so via the ‘forgot my password’ link which will email a confirmation to the address before proceeding, and lucky for you the culprit logged into those accounts right on your phone for you! this will prevent the culprit from using those accounts (which might contain a backup of your contacts list!). it may be a good idea to change your own google account password as well.

A couple of reasons why I believe that these emails were created from my phone (or a phone, perhaps) is that 1) the drafts addressed to my contacts contained emoticons which can be accessed through my phone but aren’t available through Gmail (perhaps this is a weak reason), and 2) my phone’s keyboard had autosaved one of the “unauthorized” email addresses (and it was a word that I had never used nor had reason to use previously).
learning the email address could have happened from the phone’s keyboard (as you suspect), but depending on your phone settings it’s possible that a new contact was created automatically (for this unauthorized email address) and that the keyboard is syncing up with your contacts list. still: this is creepy as heck.

To the fourth: When I discovered the “unauthorized” email accounts, one of the first things I did was to look at the settings of each. Under the “Accounts and Import” and “Forwarding and POP/IMAP” tabs, I found that one of my existing email accounts was listed as an account from which mail and contacts were to be imported. However, there was a note by the address stating that email forwarding had not begun because it was not approved.

this suggest a culprit who didn’t’ know what they were doing, or one who was stopped at the last moment before completing their task. someone knowledgeable with gmail and android phones would have next “authorized” the forwarding request by replying to an email sent by google to your correct email address, then deleted all the emails associated with this process. finally they would have logged your phone out from the new gmail account(s) created for this purpose. in the end they would have all your new emails.

you saw MULTIPLE new accounts, right? only one is needed. i’m worried that the culprit could have fully succeeded with some OTHER account which could already have been removed… in which case you wouldn’t see evidence of it anymore. if they were smart enough to turn OFF forwarding to that account you would also no longer see it listed in your gmail settings. in this case they would have your OLD emails for whatever window of time they might have selected. i don’t want to scare you here: it seems more likely that they failed at their tasks (since they didn’t get to clean up everything) but the possibility exists.

I encourage you to contact local police before proceeding; the below steps might help you recover the culprit’s email address in the event they did fully succeed before failing to clean up the full mess. it is possible that the below actions could eliminate evidence of the same though, and i’m not comfortable remotely ‘owning’ some potential forensics action here. by all means i do think your observations warrant a calm call to the police and a description of your observations (heck, print this thread out and hand it to them).

when you are comfortable proceeding: please visit https://contacts.google.com

  • in the left hand column click EXPORT and backup your current contacts list (in case the culprit’s email address is in there)

  • then, in the left hand column click MORE

  • click UNDO CHANGES

  • select CUSTOM

  • select a moment in time to revert to, aim for a moment perhaps an hour or so BEFORE you got home

  • confirm

  • check your contacts (at the contacts website and/or on your phone - this process will update the contacts database for your account as a whole and it WILL alter your contacts EVERYWHERE); look for an unknown email address, most likely similar in nature tot he other accounts you saw (“under your name”)

Secondly, I was receiving emails in my existing email accounts which stated that those addresses were the back up email addresses for the new, “unauthorized” accounts.

IMPORTANT: please be sure to remove these as “backups” to your primary account (if you haven’t done so already). there is a risk that someone could take ownership of YOUR account by issuing a password reset then using a registered backup account (the bad accounts here) to “recover” (change the password of) your account. this is essentially the same process i suggested YOU do to the nefarious email accounts (you change those passwords so the culprit can’t log in anymore… effectively then you control those accounts).

To the fifth: I am no expert as to malware and spyware, which is why I took my computer in to a technician; he was the one who gave the computer a clean bill of health!

it sounds like the culprit here used your phone rather than your PC. please be sure to create and/or change the password on your phone and PC promptly though; there is a risk that the culprit will try again and it’s important that you make it as difficult as possible for them.

Anyway, thanks for the assistance!

you’re very welcome!

nothing of what you’ve shared sounds like your phone was “hacked”. instead it sounds very much like someone physically walked up to your unattended phone, created google accounts, tried to forward your emails to those accounts, potentially tried to clone your contacts list to those accounts and email someone from your contacts (would be interesting to note which contacts they tried?), searched for porn (perhaps as a diversion so you wouldn’t notice the other stuff?), and failed to clean up their tracks.

there is something sketchy going on around you and i strongly encourage you to contact your local police, if only to register the event (if something worse happens in the coming weeks/months, having THIS event properly logged would be helpful to enable police to take action). i would also hope local police would offer some guidance on proper next steps to take. by all means i would also contact google but be sure to change your google password first and when you contact google make sure they know that you STILL CONTROL your account (else they might lock down your account and that would hurt you rather than the culprit here).

yikes.

-bit

@jeffm.n2eewc

To add to your ideas, is there a way to have the camera take a picture of anyone using the phone that shouldn’t be. I don’t know how to set this up if possible but there would be the answer. A picture is worth a thousand words.

*** ~~ßocephous™ ***

In regards to the search results: I didn’t see the results (fortunately!) displayed; just a notification (similar to that of “Timer with X minutes remaining,” “New Message from Johnny,” etc.) that said (for example) “Search results ready for Playboy.” A couple of days ago I found the search history list on my phone and discovered that “I” had supposedly searched for several pornographic items/sites/pictures, and also that “I” had an account at a dating website. Interestingly, the login name for the dating website was the same as that of one of the “extra” emails I found on my computer (this isn’t the real name, but the dating website welcomed me with, “Hello, Rebecca” and one of my Chrome browser’s presaved logins for Gmail was [redacted]) I agree that it’s unlikely that my phone “overheard” someone else’s search. I happen to be the only member of the household with a “smart phone.”

To clarify, I didn’t find that I was logged in to the unauthorized accounts on my phone (that I noticed; this is not to exclude the possibility); I discovered the problem via my computer. I only began to wonder whether it might be through my phone because of previous suspicious activity on my phone, and then discovering the presaved suspicious email address on my phone keyboard.

Regarding the email passwords: I changed my own account’s password. I also spent some time over the next few days after the initial discovery in a password battle (for lack of a better description) over the unauthorized accounts. Someone else besides me was trying very hard to claim the other email accounts; I don’t know how many were deleted by Google and how many the other person(s?) kept. I “saved” one to be investigated by Google. Some of the unauthorized accounts I was able to take over at one point, but lost access to shortly afterwards.

Something interesting related to this: I noticed that the funny activity continued AFTER I changed the various passwords. The fact that I had made changes was unknown to all members of my household.

In regards to seeing multiple accounts: that I sure did! I found at least four accounts that were exceedingly similar to my existing account, not to mention an additional three “presaved” logins on my computer’s Chrome browser that were completely different.

I’m beginning to think that a call to the local authorities is in order. Many thanks!

Moderator’s note: Content edited to remove E-mail address.

Yes. Download Tasker app from the play Store, I think I got the paid version (I do that for cool nerdy apps). It’s not user friendly if you don’t consider yourself technical, but you can have it take a picture without flash whenever a triggered event occurs, such as the phone being unlocked or display state changing.

I don’t know if this is related, but I often see searches on my phone that were initiated by my wife on our home desktop computer. The iMac is running Chrome and is usually logged into my account. Google apparently remembers the searches made on one device and carries them over to other devices logged into the same account. And, my office computer is also running Chrome on the same account. I can see searches that I made on that computer on my phone too. I didn’t realize how much data was being tracked and shared among devices until I logged into myactivity.google.com. (I’m sure that G* is storing a lot more than just the myactivity data.) None of this would explain how text messages were being sent from your phone without your knowing it. I’m sure that some of this “tracking” can be turned off in the settings somewhere. I just don’t have time to mess with it.

there are apps for this. ‘intruder selfie’ sounds about right for this use case (assuming the OP doesn’t add a PIN, otherwise all the options look good):

Want to Know Who’s Trying to Unlock Your Phone? Catch Them in the Act

best of luck to you! i hope the local police are able to promptly direct you in a clear and satisfying manner so you can put this creepiness behind you. when in any doubt remember that password and PINs are meaningful, but that you can also setup 2-factor authentication on many accounts these days. you might want to do so for your google account, for example:

Google 2-Step Verification

Message an
Expert customer