Home Security Heroes independently tests and reviews every product. We may earn a commission when you buy through our links. Read more here.
Depending on how much you know about the technology that powers today’s mobile phones, you may or may not have heard of phone cloning before. Even if you have, though, it might be unclear what phone cloning actually entails, and whether it’s something you should be particularly worried about.
What Even Is Phone Cloning?
Phone cloning is something that can refer to two different types of phone manipulation, but the broad strokes is that cloning a phone involves copying some or all of the phone’s data for someone to use.
The interesting thing is that phone cloning is not an inherently immoral or illegal act. There are a fair few legitimate reasons someone may want to clone a phone. The main thing is though, that these legitimate reasons involve cloning your own property for whatever reason, or someone else’s with their consent.
This type of cloning is the first type:
Data cloning is pretty much exactly what it sounds like: it involves copying the data from your phone and transferring it to another device.
This type of cloning can be used for many benign means. For example, you could be trying to backup your phone’s data in case of a wipe, preserving things like your picture portfolio.
In many cases when you get a new phone, this is essentially what the technician at the store will do to copy over your contacts and downloaded apps, keep the same phone number, and so on. Commercially available apps like Dr. Fone are something you can easily get your hands on and use for your own personal benefit.
You can even clone a phone to do something sneaky, like sharing a phone line with someone on a different device…using a single number for two phones, basically. This is a really good way to get in trouble with your service provider if you get caught though, so it is not a course of action I’d personally recommend. While not likely to result in legal action, it can result in you being banned from the service, which is inconvenient to say the least.
However, this type of cloning can also of course be used for malicious means. Data cloning, particularly, is often used to spy on people without their knowledge. Many 3rd party phone cloning services will keep a copy of the data for themselves, as an example, and sell your data to the highest bidder. In other words: do it yourself, at some kind of 1st party shop (eg. the Apple Store if you’re an Apple user), or not at all.
Remote data cloning is possible, but the person doing it needs to have at least some of your data in the first place. That makes things like this more common as a domestic crime than malicious action by an outside party. Something like a jealous girlfriend or boyfriend cloning their significant other’s phone out of paranoid suspicion.
This means that while it is somewhat a concern, as long as you don’t let anybody download the software onto your phone it’s unlikely they’ll be able to do a data clone on you.
As a result, data cloning exists in this weird legal grey area where there are enough legitimate uses not to ban it, but malicious actors can, in some circumstances, break the law for their own gain by doing it.
In general, keep this in mind: cloning your own data is perfectly fine. That is data you own, and you can do whatever you want with it (as long as you don’t clone your phone’s unique identifiers that allow it to be used on your service). Cloning somebody else’s phone is always illegal, so don’t do it.
Total Phone Cloning
Total cloning used to be pretty common. Back in the early days of cellphones, before the advent of smart devices that eventually took over the market, you used to be able to remotely and instantly clone a phone.
This is because analog technology was entirely, or almost entirely, unsecured. This made it insanely easy to just read a phone’s signature over the radio waves used for communication and just copy them. Voila, the criminal has a cloned phone.
Of course, the things they could do with that cloned phone were likewise much more limited, but it could still be used to wreak havoc in the right hands.
Today digital technology is encrypted and much harder to crack into remotely. That means that cloning a phone remotely is practically impossible these days because of the main protective feature of your phone: its SIM card.
This means the highest priority for someone looking to clone a phone now is to get their hands on your phone itself. I’d hazard a guess most phone cloning incidents these days happen at shady independent phone repair services or similar venues where you end up giving a stranger access to your phone.
That physical access is pretty much a necessity now, so if you keep your phone on hand at all times it’s pretty easy to protect yourself. Gone are the days when you could walk past someone at the grocery store and they could nab all your phone’s data without your knowledge.
Once someone has a copy of your SIM card though, things get a bit wild.
Not only do they often have a copy of all your data as well (because why not do a data clone at the same time?), they have the ability to pretend to be you, effectively. They can make calls from your actual phone number, and have access to all of the accounts you’ve signed into on your phone, for instance. You can see how this would be a terrifying identity theft event.
The one thing that makes total phone cloning like this less of a disaster? Very simple security precautions. Having a true password or PIN for your phone is still going to stymie someone who has cloned your phone, at least until they figure out what the password is. Cloning the phone means it still comes with all the security you’ve set up.
Interestingly, this makes actual phone cloning perhaps somewhat less of a threat than the more low-tech solution.
While not technically phone cloning, this method has many of the same effects, and requires much less technical knowledge for the perpetrator to pull off. This makes it a tempting option for would-be fraudsters.
This, like all of the most successful forms of “hacking”, uses simple social engineering skills. The fraudster gains access to a stolen phone number through some means (such as caller ID spoofing) and calls the cellular service provider of the victim.
They then talk the customer service representative into transferring the phone number to a new SIM card, claiming they need it for whatever reason. As there are legitimate reasons to acquire a new SIM card (flagging performance being one of the main ones, as older SIM cards have a hard time with 5G service, for instance) this doesn’t sound too suspicious to the customer service representative.
They send over the new SIM card…and it’s all downhill from there. Because it’s a brand new card for a “legitimate” number the identity thief can temporarily bypass all the usual security measures like two factor authentication. This allows them to completely take over your cell service and start rerouting calls and texts to the phone they have in their possession.
This is a threat for everyone, but particularly those with high value investments, and especially for those invested in cryptocurrency. People have made millions stealing cryptocurrency via this method, and as such currencies and similar digital-only goods (such as NFTs) continue to grow in popularity and prominence, this type of theft is likewise going to become more common.
How Do I Tell if My Phone Has Been Cloned?
There’s good news and bad news when it comes to your phone being cloned.
The good news is that it’s usually very easy to tell when something is up with your phone.
The bad news…the only real tell is going to come with time.
Depending on how many calls or texts you field per day, this time can vary. If you normally receive a ton of calls per day, for example because you do most of your business over the phone, it should become clear quickly. If not, it could take you a lot longer.
This is because the biggest tell for your phone being cloned is that you’re not receiving calls or texts the way you should. This is because they’re being redirected to the cloned phone, and not your primary device anymore.
This is by far the most clear sign that your phone has been cloned, and if you notice your incoming calls have dropped from a flood to a trickle (or dried up completely) you should take action to correct the cloning immediately.
Most other signs are likewise only going to come a bit after your phone has been cloned, such as being “randomly” locked out of your account, receiving weird charges on your phone bill, or noticing that your location data has been thrown off somehow (Find My Phone or other location apps list you as being somewhere you are not).
The only real advance warning you’ll get is one that’s hard to notice: an unsolicited request to restart your device. This is generally going to come as a result of the SIM card being activated on the new advice, and it gives the hijacker a bit of time to get everything transferred over while your phone is offline. This one is sometimes hard to suss out though, since there are legitimate reasons you’ll be prompted to restart, such as system updates.
Finally, keep an eye out for alerts from your service provider. If they tell you a new SIM card has been detected or your old one has been “updated” (which they should) you’ll know that something is up. Particularly if your service cuts out not long after.
What Do I Do If My Phone is Cloned?
The main thing to do is contact your provider and let them know something is up. They can usually sort out the immediate effects and restore your service pretty quickly.
Then, of course, you’re going to need to do the same things you should do in the event of any data breach:
- Change any passwords for accounts you use on your phone (and other accounts to be safe).
- Update your security questions and two factor authentication means (move to email rather than text).
- Contact your identity theft protection service (if any) and notify them of your data breach event.
- If you have a name for the perpetrator (say they weren’t careful enough and their name showed up on a mysterious bill) report them to law enforcement.
- Make use of any insurance you have if funds were siphoned from accounts.
However, the best method of protecting yourself from phone cloning is making sure it doesn’t happen in the first place.
How to Avoid Phone Cloning
As the saying goes, an ounce of prevention is worth a pound of cure.
A lot of very basic actions can help you avoid phone cloning.
Prime among these? Making sure nobody else touches your phone or ever takes it out of your sight. A lot of the methods of phone cloning, including data cloning via app and SIM card copying can only be done if the fraudster actually has your phone in hand.
Being extremely skeptical of incoming texts, even if they happen to look like they come from legitimate sources, is also a good practice. Don’t click suspicious links, and don’t do something just because your service provider says to.
In general, you will not receive unsolicited texts from your business contacts, especially from automated accounts. If you get a two factor authentication request, for example, you should call your provider and ask why you’re getting it if it was not something initiated by you.
An easy way to tell if they’re real? Look to previous texts. All authentication texts and other automated messages should come from the exact same number, so you should have a record of past messages. If it’s an entirely new text chain, chances are it’s a scammer of some sort.
And of course, keep your phone’s identifying information (any type of ID number; the exact name will vary by service provider) to yourself. Much like a password these numbers should NEVER be sent to anyone else, for any reason. Don’t text your ID numbers the same way you wouldn’t text your password, and especially do not do it if you’re not absolutely, completely sure it’s someone you trust. Even then it’s a bad idea. Think of this: if you send one of your passwords to someone you trust and then they get hacked or their phone is cloned and their message history is available to everyone, you can suffer the exact same way as if you sent your password to a hacker directly.
Last Updated on