Probably the two worst things they could do would be: install ransomware on your phone and encrypt your filesystem install a rootkit on your phone and then silently collect information, hoping you'd log in to a website from which they could garner info, or use your phone in DDOSing, or even record your calls, switch on your webcam, etc