Morning Overview

8 signs your phone may have been quietly hacked

Phones compromised through supply-chain backdoors or carrier-account takeovers can operate for weeks without triggering a single obvious warning sign. The FBI flagged this problem directly in its Public Service Announcement I-060525-PSA, warning that Android-based devices have arrived to buyers already loaded with backdoor malware. Separately, the Federal Trade Commission has alerted consumers that a sudden loss of cellular service or an unexpected carrier notification about a new SIM card often signals an account hijack rather than a device glitch. These federal warnings point to a shift in how phones get quietly compromised, and recognizing the early signs is the difference between catching a breach and funding a criminal operation.

Why supply-chain and SIM threats changed the risk picture

The conventional image of a phone hack involves a user downloading a malicious app. That scenario still happens, but two federal agencies have flagged threats that bypass user behavior entirely. The FBI’s alert on the BADBOX 2.0 botnet describes Android devices that shipped with pre-installed backdoor code, meaning the compromise existed before the owner ever powered on the phone. Devices purchased through unofficial marketplaces or lesser-known manufacturers were especially vulnerable. Because the malicious code sits at the firmware level, standard antivirus scans and app-store protections do not catch it.

On a parallel track, SIM-swap fraud targets the carrier account rather than the handset. The FTC’s consumer guidance on SIM swap scams explains that attackers convince a mobile carrier to transfer a victim’s phone number to a new SIM card. Once the swap completes, the attacker receives every call, text, and two-factor authentication code meant for the victim. The phone itself shows no malware, no strange app, and no unusual battery drain. The only visible symptom is a sudden, unexplained loss of cellular service.

These two attack paths share a trait that makes them dangerous: neither depends on the phone owner making a security mistake. A device can arrive compromised from the factory, or a carrier can be socially engineered without the customer’s knowledge. That reality challenges the assumption that careful app hygiene alone keeps a phone safe.

Eight warning signs drawn from federal threat records

Pulling from the FBI’s BADBOX 2.0 advisory, the FTC’s SIM-swap guidance, and NIST’s mobile threat catalogue, the following signs map to documented attack categories rather than generic security advice:

  • Sudden loss of cellular signal. The FTC identifies this as the primary indicator of a SIM swap. If a phone abruptly shows “No Service” or “Emergency Calls Only” in a location where coverage was previously reliable, the carrier account may have been hijacked.
  • Unexpected text or email from the carrier about a SIM change. Carriers typically send automated alerts when a SIM is activated on a new device. Receiving one without requesting a change is a direct red flag, according to FTC guidance.
  • Inability to log in to carrier or bank accounts. Once an attacker controls the phone number, they can reset passwords on linked accounts. Discovering locked-out accounts alongside lost service strongly suggests a SIM swap in progress.
  • Unfamiliar apps that cannot be uninstalled. The FBI’s advisory notes that pre-installed backdoor malware often appears as a system-level application. Unlike a downloaded app, it resists standard removal because it is embedded in the device firmware.
  • Unexplained data usage spikes. NIST’s threat catalogue maps network-layer attacks where compromised devices relay traffic for botnets. A phone acting as a proxy node will consume data even when the owner is not actively using it.
  • Device running hot without heavy use. Background processes tied to botnet activity or cryptomining code can push processor usage higher than normal. This symptom alone is not proof of compromise, but paired with other signs it warrants investigation.
  • Sluggish performance on a recently purchased device. A brand-new phone that runs slowly out of the box may carry pre-installed code consuming resources. The FBI warning specifically flags devices bought from unofficial sellers or third-party online marketplaces.
  • Outgoing messages or calls you did not make. If contacts report receiving texts or calls from the owner's number that the owner did not initiate, the device or the account tied to it may be under external control.

Each of these signs corresponds to a documented threat vector rather than a hypothetical scenario. The distinction matters because some common “hack” symptoms, like faster battery drain, have dozens of benign explanations. The signs above are more specific and tie directly to attack patterns that federal agencies have formally catalogued.

Gaps in the evidence and what to do first

Neither the FBI nor the FTC has published exact figures on how many consumer phones in the United States currently carry pre-installed backdoor code. The BADBOX 2.0 advisory confirms that compromised Android devices have entered the retail channel, but it does not estimate how many units remain in circulation or which specific brands are always safe. Likewise, SIM-swap alerts focus on how the crime works rather than how often it succeeds in any given year. That lack of precise numbers can leave consumers unsure how seriously to take a suspicious symptom.

In practice, the response should not depend on statistics. If a phone shows one of the high-confidence warning signs, especially sudden signal loss, SIM-change notices you did not request, or locked-out financial accounts, the safest approach is to treat it as an active incident until proven otherwise. That means acting quickly, in a specific order, to limit damage and preserve access.

Step-by-step actions if you suspect a SIM swap

When the signs point toward a carrier-account takeover, time is critical because attackers often move immediately to reset banking and email passwords. The FTC recommends contacting your mobile provider from another phone as the first step. Ask the representative to check for recent SIM changes, port-out requests, or new lines added to your account, and request that they freeze changes until your identity is re-verified in person or through a secure process.

Next, try to log in to your primary email and financial accounts from a trusted device on Wi-Fi. If you still have access, change passwords and enable stronger authentication methods that do not rely solely on SMS, such as an app-based authenticator or hardware key where available. If accounts are already locked or show recent password resets, notify those institutions’ fraud departments and follow their account-recovery procedures, documenting dates, times, and representatives’ names as you go.

Finally, file an identity-theft report with appropriate consumer-protection channels and keep copies of any police or incident reports. These records can help reverse fraudulent transactions and support disputes if debts or accounts are opened in your name during the window of the SIM compromise.

What to do if you suspect a compromised device

Suspected supply-chain backdoors or firmware-level malware require a different response, because traditional antivirus tools may not detect or remove the threat. If a recently purchased device shows multiple red flags, such as unremovable unfamiliar apps, unexplained data usage, and sluggish performance, start by backing up only essential personal data like photos and contacts to a trusted location, avoiding full system images that might carry the compromise with them.

Then, perform a factory reset using the device’s official recovery tools and immediately apply any available system updates from the manufacturer or carrier. If the warning signs return quickly after a clean reset, consider the possibility that the device itself is untrustworthy. In that case, the most conservative option is to retire it from handling sensitive tasks such as banking, work email, or password management, and to move those activities to a device purchased through a reputable, traceable retail channel.

Where possible, consult the manufacturer’s support team and ask whether the exact model and build you own has been associated with security advisories. While public bulletins may not name every affected device, vendor support can sometimes confirm whether your handset should receive further firmware updates or whether it has reached end-of-support status, which increases long-term risk.

Building habits that match the new threat landscape

Because these attacks sidestep traditional “don’t click that” advice, defensive habits need to evolve. Buying phones from established retailers, avoiding deeply discounted unbranded models, and keeping operating systems updated all reduce exposure to supply-chain compromises. At the account level, minimizing reliance on SMS for logins, using strong unique passwords, and setting up account alerts for unusual activity make SIM swaps less profitable for attackers.

Most importantly, treat the specific warning signs identified by federal agencies as triggers for immediate action, not as problems to monitor casually. A few minutes spent calling your carrier or changing a password when something feels wrong can be the difference between a brief disruption and a months-long identity-theft recovery process. In a landscape where some compromises begin before you ever open the box, vigilance is less about paranoia and more about responding decisively when the right signals appear.


*This article was researched with the help of AI, with human editors creating the final content.