How to Tell if Your Phone Has Been Hacked

Do Not Click Here—New Android Threat Deletes Everything On Your Phone

This new Android threat has a nasty twist

AFP via Getty Images

There have been no shortages of Android threats reported in recent weeks, and so it's no surprise that Google is both culling its Play Store of thousands of apps and adding live threat detection to phones with the release of Android 15.

But here's a nasty twist—a new threat is making headlines that goes beyond financial, credential and data theft, and wipes infected phones after an attack, leaving no trace and hindering any investigation into why your bank account is suddenly empty.

The new Android RAT (remote access trojan) was discovered by Cleafy, which dubbed it "BingoMod" and warned it can "bypass bank countermeasures used to enforce users' identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers."

ForbesSamsung Upgrades Millions Of Galaxy Phones-Click Here For New iPhone Beating SecurityBy Zak Doffman

BingoMod comes at victims via an SMS, and presents as a security app, pushing users to directly install the software. The campaign mimics the names of genuine Play Store security tools to trick users making cursory checks. Clearly though, if the app is on Play Store and is reasonably well known, then you should only install it from there.

Worse, because BingoMod purports to be an antivirus app it seems plausible when it requests access to a phone's Accessibility Services to scan for threats. In reality, it then "quietly steals sensitive information, including credentials, SMS messages, and current account balances… After a successful fraudulent transfer, the infected device is typically wiped, removing any traces to hinder forensic investigations."

BingoMod is not currently present on Play Store and so falls outside its defenses. This is timely. We are now seeing a major push back on sideloading apps in this way, and we have also seen another report this week into the frightening scale of SMS campaigns to push malware across Android's ecosystem.

To be brutally honest, the details of this specific RAT's concept of operations, its devious setup to avoid detection, even its use of on-device fraud to present as a trusted entity and defeat banking security measures, blends into the general noise around Android at the moment—especially when it comes to sideloading.

ForbesGoogle Warns 3 Billion Chrome Users-We Have No Update For New Tracking 'Nightmare'By Zak Doffman

Yes, BingoMod's developers have included smart techniques to stop genuine AV tools finding and stopping it on a device. But the stark reality is that if you follow the golden rules to staying safe below, then you won't fall foul to this threat or any of the countless other RATs that come afterwards:

Stick to official app stores—don't use third-party stores and never change your device's security settings to enable an app to load

Check the developer in the app's description—is it someone you'd like inside your life? And check the reviews, do they look legitimate or farmed? Avoid the indiscriminate installation of trivial apps you do not need.

Do not grant permissions to an app that it should not need: torches and star-gazing apps don't need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.

Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.

Ensure Google Play Protect is enabled on your device.

Google assures that Play Protect will defend phones against this new malware, but more importantly it will introduce live threat detection to phones upgrading to Android 15 later this year. This will monitor on-device app behaviors including access to high-risk permissions, including Accessibility Services.

This clearly can't come soon enough.

How To Enable (Or Disable) Two-Factor Authentication On Facebook

There's nothing more important than your online security in this digital era, from maintaining your privacy to protecting your accounts and passwords. There's always someone willing to take advantage of an improperly secured Facebook account, and it shouldn't be yours!

Aside from standard security protocols (a perfect password), Two-factor Authentication (2FA) provides a code to a secondary account or phone number before you get access. When you've correctly set up 2FA on Facebook, you will receive an SMS or email message with a one-time entry code. Typically numeric, this code expires after several minutes, and it is not related to your personal information in any way (it's not your birthday or the last 4 of your SSN).

2FA, like other forms of security, isn't without its flaws, of course. There may come a time when you're safer doing away with the authentication rather than maintaining it. If someone does have your phone, they can easily log in to your Facebook account using the 2FA feature. Many times, all it takes is clicking on This was me to bypass the unique and secure password you've set up.

This article reviews setting up 2FA on your Facebook account and also teaches you how to remove it. It mentions a few other security features the social media giant offers.

There are several ways you can enable 2FA on Facebook. The following sections show you how to enable two-factor authentication on various platforms.

How to Enable Facebook 2FA using a Web Browser

If you don't have two-factor authentication enabled already, follow these steps:

Log into Facebook and select the downward arrow icon in the top-right section, then Choose Settings & Privacy.

Click on Settings.

Choose Security & Login in the left-hand menu.

Scroll down and click on Use two-factor authentication.

Click on Use text message (SMS), then follow the prompts and assign the contact to receive your 2FA codes.

Now, anytime you log into Facebook, you'll need to verify a random code sent to that security method. But do beware; if you do not have access to that method, you may be unable to log into your Facebook account in the future.

How to Enable 2FA on the Android Mobile App

If you're an Android user and need to enable Facebook 2FA while on the go, follow these steps:

Open the Facebook app and tap on the three horizontal lines in the upper right-hand corner. Then, tap on Settings & Privacy, and then choose Settings.

Select Security and Login.

Tap on Use two-factor authentication.

Choose the option to turn 2FA on. Then, verify that it is on (it gives you the option to turn it off).

How to Enable 2FA on the iOS Facebook App

iPhone users can follow these steps:

Open the Facebook app on your iPhone and tap on the three horizontal lines in the lower right-hand corner.

Select Settings & Privacy followed by Settings.

Choose Security and Login.

Tap on Use two-factor authentication.

Tap Turn On or Turn Off to enable or disable 2FA.

After you've enabled 2FA, verify that the phone number is one where you can receive text messages and alerts.

How to Disable 2FA

If 2FA is no longer working for you or you need to turn it off for some reason, you can disable it by following the below steps.

Log in to Facebook, then select the Settings tab, followed by the Security & Login page under the Settings tab.

Click Edit next to the 2FA option. Next, you'll need to input your current Facebook password.

Now you can click Turn Off to disable two-factor authentication.

Now, follow the prompts to remove 2FA. Once complete, you can log into Facebook without having a verification code.

Things to Do Before Activating 2FA

As stated above, 2FA is an excellent security feature, but there are some things you need to do first to ensure that you won't have trouble logging in later.

2FA is so secure that even you (the account owner) may have difficulty logging in if you don't set things up correctly. The first thing you need to do is verify that all of your contact information on Facebook is up-to-date.

Verify that Your Facebook Contact Details are Correct

Access Facebook 2FA settings using one of the device methods (browser, Android, iOS) until you get to and select Use Two-factor authentication.

Select Manage next to your mobile number or choose Use text message (SMS) if not already set up. Double-check and possibly update your phone number.

If using the built-in 2FA option, nothing more is required. When using a third-party 2FA option, Choose Turn Off.

Note: The built-in Facebook 2FA option prevents that same phone number from changing your password, which is why Facebook recommends using a third-party 2FA app.

Keeping your phone number up-to-date is crucial to your security and your ability to gain access to Facebook on a new account. If this number is outdated, you won't receive a security code, effectively locking yourself out of your account. You should also update your contact information every time you change your phone number.

Facebook Built-In 2FA Alternatives

If you don't have a phone number or want to use the built-in 2FA anymore, you aren't entirely out of luck. Facebook offers an alternative way to protect your account.

How to Use Third-Party 2FA Verification Apps for Facebook

A quick and easy alternative to the Facebook 2FA option is a third-party authentication app. Google Authenticator is a widespread and trusted application available for iOS and Android users, but you're free to choose any 2FA app you want, such as Authy for Facebook.

Access Facebook 2FA settings using one of the device methods (browser, Android, iOS) until you get to and select Use Two-factor authentication.

Select Use authentication app instead of Text Message (SMS).

Facebook will give you a scannable QR code and an alpha-numeric code to set up your third-party app. Follow the instructions and click Continue.

Now, you can log in to Facebook with 2FA using a third-party app without needing a phone number.

How to Use Facebook Friends to Unlock Your Account

Another Facebook 2FA alternative is to use your friends. Although this method is mainly used when you get locked out of Facebook, it still serves as a 2FA method since it uses keys. Your trusted friend sends a code and URL from Facebook to help you log back in.

Access Facebook 2FA settings using one of the device methods (browser, Android, iOS) above until you get to the Security and Login menu.

In the Setting Up Extra Security section, select Choose 3 to 5 friends to contact if you get locked out.

If you haven't previously added any friends, select Choose Friends.

In the popup, click on Choose Trusted Contacts.

In the next popup, type in each friend's name and select them from the search list. After selecting the first one, you'll type the next one to repeat the process.

Once you have three to five friends selected, click on Confirm.

Deprecated/Removed 2FA Options

In the past, Facebook included the "Add a Backup Method" section under "Security and Login," which had universal two-factor authentication (U2F) via a browser or 2FA-supported USB devices, as well as near-field communication (NFC) support, but it no longer includes them as an option. The Add a Backup Section got replaced with Setting Up Extra Security.

First off, Chrome deprecated the U2F security protocol in support of FIDO2/WebAuth security keys. Other browsers have followed in their footsteps. Second, Facebook decided to let you use three to five "trusted" friends to help unlock your account, which you'll find under the Setting Up Extra Security section.

Therefore, you only have two login options for Facebook: 2FA (via SMS or an authenticator app) and friends.

How to Update Your Phone Number

2FA mainly relies on your phone number unless you're using an authenticator app. But, what do you do if your telephone number is incorrect or outdated? Well, you can update it, of course!

Follow the same instructions as above to access Facebook's Security Settings and tap Edit next to 2FA. Next to Your security method, tap Manage.

Then, click Use a different number from the dropdown menu.

Click Add Phone Number then, Continue.

Type in your new phone number and tap Continue.

The new phone number should appear, but if it doesn't, or you receive an error code, you can turn off 2FA and then turn it on again. Doing this will let you input a brand new phone number.

Frequently Asked Questions

Securing your Facebook account is all too important these days. We've included this section to answer more of your questions.

Do I need 2FA?

2FA or a similar alternative is highly recommended, especially for Facebook. The social media site has access to a lot of your personal information you probably haven't thought about, for one thing. You don't want a hacker having that information. Things like your location, identity, and even payment information are all stored on Facebook.

If your account gets hacked, Facebook may take it upon themselves to completely deactivate your account. This type of action means you won't get your account back, and you'll lose all of your pictures, friends, and meaningful memories.

What can I do if I can't receive the 2FA code?

Assuming you don't have a backup option established and you no longer have access to the phone number on file, you'll need to use an alternative method to log in. Your best option will be using a recognized device to get your security codes in the Settings.

If you don't have a recognized device with you, don't have your security codes, and don't have access to one of the forms of contact listed on your account, use the 'Trouble signing in' option from the login page.

I can't turn off 2FA on Facebook. What's happening?

There are a few possible reasons why Facebook won't let you turn off 2FA. If you have specific apps connected to Facebook, one may prevent you from turning off the feature because it's required for security purposes. Try removing any linked work or school apps, then follow the instructions again.

If you are receiving an error, try another web browser to turn the security feature off because it could be an issue with the browser itself.

Assuming you're using the correct password when logging in, you may need to contact Facebook support for more help. Generally, Facebook gives you no issues turning off this feature, so if you are running into a problem, it's likely account-specific, which is why you'll need the support team to help you out.

What do I do if someone else logged in and turned on 2FA on my account?

If you've already experienced an attack and the hacker turned on 2FA, you can't log in until the matter gets resolved. Fortunately, Facebook is prepared to help.

Visit this webpage to recover and regain access to your account so that you can turn off or manage 2FA.

Do I need a verification code to turn off 2FA?

No, but you do need one to turn it back on. You will need your password to access the security settings, but you will not need a text message verification code to turn it off.

Facebook Will Now Let You Use Physical Security Keys To Login From Your Mobile Phone

Earlier available on the desktop version, Facebook has now expanded the support of physical security keys for two-factor authentication (2FA) on mobile devices.

Starting from Friday, the users can set up two-factor authentication and log into Facebook on iOS and Android mobile devices globally, including India, using a security key.

Facebook had allowed security key support for the desktop version since 2017.

"Since 2017, people on Facebook have been able to use physical security keys to log into their accounts on desktop to better protect their information from malicious hackers," the3 social network said in a statement, adding that people can now set up 2FA on on iOS and Android mobile devices as well.

Two-factor authentication is a security feature that helps safeguard your account every time you log into your Facebook account from an unknown device by requiring something you know (your password) and something you have.

Typically, an SMS code is sent to your mobile phone or Authenticator app.

"It's much harder for a bad actor to obtain both factors, which keep your password from being your last line of defense against phishing or other malicious attempts to compromise your information," said the company.

Earlier this week, Twitter announced to let people use security keys as the only authentication method soon, adding that the micro-blogging platform will allow multiple security keys per account instead of just one.

Currently, Twitter users can use a security key to sign in and also need an authenticator app or SMS code as another 2FA (two-factor authentication) method.

Physical security keys — which can be small enough to fit on your keychain — notify you each time someone tries accessing your Facebook account from a browser or mobile device we don't recognize.

"We ask you to confirm it's you with your key, which attackers don't have," Facebook said.

High-risk users like politicians, public figures, journalists and human rights defenders need extra account protection.

"We strongly recommend that everyone considers using physical security keys to increase the security of their accounts, no matter what device they use," Facebook said.

One can purchase security keys directly from companies that make them (Facebook doesn't manufacture hardware keys).

The keys can either work through Bluetooth technology or by plugging it directly into your phone.

One can enroll security key in two-factor authentication within the Security and Login section in the settings, Facebook added.

SEE ALSO:$4$4Kishore Biyani vs Amazon – Delhi High Court brings up 'civil prison' for violation by Future Group, asks for recall of approvals granted to Future Retail-Reliance deal>$4

---