Hacked?

Hi, my phone used to power off and restart for unknown reasons, for months, on a random basis. The battery also drains fast (true, I also had tons of apps installed). I even wondered if there is some battery issue. Then suddenly I got a warning of a memory issue. The system is constantly cleaning up each app. Then one day when my phone battery died, upon charging, the phone got stuck at the Apple logo screen and never got past that. I eventually had to restore the phone to a fresh state. Everything has been erased.

Since I already know I have been hacked before this, I wonder if these are signs of continued hacking? Especially the sudden restarts and fast power drainage. And at the end the hacker was trying to erase data, so he injected code to crash the phone. Or was it really just that my phone ran out of memory and crashed?

Thanks a lot for any input!

#2
Originally posted by ioswinforensics (quoted above)
If you can't distinguish between hardware failure and malware on your device on your own, and discover which apps are consuming more power, you should probably try contacting the vendor of your phone to have their customer support diagnose troubles with your device.

We are not really a support forum for consumer electronics.

#3
Thanks for your info. I am just trying to see if it is probably the hacker's actions or just some phone memory/power issue. Not looking for device support. I am trying to find hacking evidence.

#4
Originally posted by ioswinforensics (quoted above)
With pretty much any device, malware can exist in 3 spaces:
* memory
* media (storage: files)
* firmware

Firmware: unlikely, uncommon, but possible. Allows malware to persist over a power-cycle or reboot.
Media: most common, and likely. SanDisk, or local "disks", store files used to boot an OS.
Memory: if only ever in memory, malware is lost on power-cycle or reboot.

If media: power down the phone, and find a way to image the media. Then perform forensic analysis on the contents of the image you extracted, on a different machine that is not running the code that is on that media. Use your favorite tools for system forensics and search. If you do not know how, search on Google for books or courses to give you guidance on which tools may help you, and how to use them. Many tools to aid with analysis are specialized for helping with different OSes and file formats. If your device has FDE or other encryption, you may need to disable this before extracting an image.

If memory or firmware: these are more difficult and will likely require more expensive hardware; tools that your vendor will likely have. Both require external hardware for analysis because, for any device that is believed to be compromised in memory/firmware, you can't trust the device to accurately report on itself. If firmware is infected, then there is a risk that connecting other systems to it over USB can result in their being infected. (Demonstrated as possible, but at this time, difficult and unlikely.)

There are a few people that have mentioned working in forensics on the forums. That is not my field. If you are lucky, one of them may provide you with suggestions on which tools to use, and any books that they consider good.

#5
Thanks very much for all your information! Are you saying the symptoms I described are signs of hacker activities? Or are you just telling me how to find malware?

Do you know how to find those forensics people on the forum?

Best!!! ~

#6
Originally posted by ioswinforensics (quoted above)
In the most general sense, for the user, malware is software running on a device that the user/owner does not want running on the device. It may be malvertising, tracking software, commercialization and productization of the user as a consumer, software to make the user's device participate in DDoS, spam campaigns, steal your data, financial information, infect to infect other devices, gain a foot-hold within an organization, or yes, it could be an "evil user" running code on your device including software that responds to a C&C system over encrypted, even distributed, "channels."

Then again, if your device is misbehaving, it may be the hardware itself; batteries fail with time. Parts break down. In the end, entropy wins.

Quote: Do you know how to find those forensics people on the forum?
Yes, but I do not want to "out" them. If this topic piques their curiosity, and they have time, they will probably respond.

#7
I am concerned about a targeted attack from a hacker, not just general malware that spreads to many people. I heard hackers can use a restart or failure to inject a virus or destroy data. So I just hope my phone's sudden power off/restart or quick battery drainage are not because of this. Hopefully it is really just because I have too many apps on my phone.

Ok, thank you so much!!!!

#8
Quote (from #4): find a way to image the media. Then perform forensic analysis on the contents of the image you extracted on a different machine that is not running the code that is on that media.
- According to police, they can't use any files not on the file because they might be tampered with and not considered valid evidence any more.

#9
Originally posted by ioswinforensics (quoted above)
When law enforcement works on electronic evidence, they use the same procedure I described (imaged copies of originals), because otherwise they are at risk of tampering with or altering evidence.
They will create an image of the original media, and then perform all their work on the copy, not the original.
This process can then be repeated by many people, including specialists hired by any defense attorney to discredit claims made by the DA, prosecutor, or plaintiff.
What I describe is a common system used in forensics: copy the original to a new image, and do your work on the new image.
If the prosecution does not do this, and the defense asks for unaltered originals to make their own copies, there is a risk of all of that evidence being thrown out of court.

The police may not be able to take files that you find in an imaged copy that YOU made of the original, but conclusions you reach in your copy, they too can duplicate in their own lab and see if they come to the same conclusion.

The bigger question for the police would be, how can they find evidence to attribute this attack (if it is an attack) to anyone other than you? If you can absolutely prove you did not make these changes to your own device and they believe you, will they have enough evidence from just your device to point to any specific individual as a suspect in their investigation? If code is unique, and they already have a suspect, and they can gain access to that suspect's dev space with a search warrant, and they find duplicate copies of code-as-malware that are unique to your device and their dev space, then that might be a link, but how would they know who to investigate, and even then, be lucky enough to find the dev space where copies might still exist, or remain available as deleted but not yet erased files on their media?

If you are working with police, then you should probably ask them how you can help this case without risking a mistrial. They may be able to suggest professionals to help you with this alleged case.

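The image-then-work-on-the-copy procedure that #4 and #9 describe (copy the original once, record its hash, re-verify the working copy before relying on it), as an added example that is not code from the thread or any of its posters. File paths and the sample "media" contents are constructed; a real acquisition would read from an unmounted or write-blocked device instead of a regular file, and the manifest stands in for the examiner's chain-of-custody notes.

```python
import hashlib, json, os, shutil, tempfile, time

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images

def hash_file(path):
    """SHA-256 of a file, streamed so large images are never read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(original, image_path):
    """Copy `original` read-only to `image_path`, verify it, write a manifest."""
    sha_before = hash_file(original)  # hash the source before copying
    with open(original, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    # Hash the copy and the source again: all three must agree, otherwise the
    # source changed while being read and the image is not a faithful copy.
    sha_image, sha_after = hash_file(image_path), hash_file(original)
    if not (sha_before == sha_image == sha_after):
        raise RuntimeError("hash mismatch during acquisition; re-acquire")
    manifest = {"source": original, "image": image_path,
                "size": os.path.getsize(image_path), "sha256": sha_image,
                "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    with open(image_path + ".manifest.json", "w") as m:
        json.dump(manifest, m, indent=2)
    return manifest

def verify_image(image_path):
    """True if the working copy still matches the size and hash recorded at acquisition."""
    with open(image_path + ".manifest.json") as m:
        manifest = json.load(m)
    return (os.path.getsize(image_path) == manifest["size"]
            and hash_file(image_path) == manifest["sha256"])

def demo():
    """Constructed sample: image a fake media file, then detect a stray write to the copy."""
    work = tempfile.mkdtemp()
    original, image = os.path.join(work, "media.bin"), os.path.join(work, "media.img")
    with open(original, "wb") as f:
        f.write(b"constructed sample media contents\n" * 4096)  # stands in for the device
    acquire_image(original, image)
    intact = verify_image(image)  # fresh copy matches its manifest
    with open(image, "r+b") as f:  # simulate an accidental write to the working copy
        f.seek(10)
        f.write(b"X")
    return intact, verify_image(image)  # (True, False)
```

Keep the original untouched after acquisition; anyone else (a lab, a defense expert) can re-image it and must arrive at the same SHA-256 recorded in the manifest.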
#10
We already know a suspect. Now the thing is, the police don't look for evidence. They are helping a little bit. But ultimately I have to find my own evidence from the backup file :( I need either experts to help or I have to do it myself. And I have limited knowledge right now.
