Oh great! Your phones been infected. You cannot make calls, you get a text every 30 seconds telling you to pay someone 2 Bitcoin or else they will release photos… and Siri only tells you to turn left at the next stoplight. What happened? Why is your phone acting so weird? Is it just old? Did you download something? Are you infected? We will take some time to look through the mobile device threat landscape. A foggy foray that each of us step into every single time that we open the App or Play Store on our phones.
Wait, you can get malware on your phone? In Cyber Security, we have heard this statement time-and-time again. Many people do not realize that their phones, which sits in their pockets, are just as vulnerable to compromises as their computers are. Your phone sits on your every single day, and for many people, contains more personal information than their computers. This makes your mobile device a prime target for bad guys.
“Apple devices are un-hackable”, I have heard this more times than I can count, but Jake Moore, a Cyber Security Specialist at ESET “it’s a myth that Apple devices are impenetrable.” The key thing here is to remember that just because something is hard, does not mean it’s impossible. This intrinsic difficulty to break into Apple’s locked-down ecosystem often creates a very lax sense of active security for those who use these devices. This sense of security is a bad guy’s best friend. Just like a pick-pocket on a crowded day at Disneyland, you not thinking your phone can be compromised make you a likely target.
It is important to remember that your Mobile Phone, Tablet, Mobile Hotspot, Echo, etc… do not have as robust a security system as even your home computer. Many of these devices lack many of the security features that we are used to having access to on our desktops and laptops. Your phone will not tell you if a link is bad. Your phone will not stop something from downloading. Your phone more than likely does not have an anti-virus application on it. This lack of robust security has enabled bad actors to exploit the average user by sending them malicious text messages, emails, or sending them to fake websites that even download bad applications onto your phone.
Types of Mobile Phone Attacks:
- Smishing – SMS Phishing:
- This is a text message that asks you to click on a link that either:
- Downloads an application on your phone or
- Asks you to input your information (like apple id) to try and steal your information
- Compromised Website (Waterhole):
- This is a website of interest to a specific target (escrow website, title website, Facebook, Groupon… etc.)
- In this case, it can be a specific website that is compromised or even just an advertisement on the website. Either way, when clicking or accessing the compromised page, you will get a bad application(s).
- App Store (Google Play, App Store, or Third Part Stores):
- Typically takes the form of a Video Game or a “Specialty” New Application
- These will download the application, but also a compromised .apk file that tracks your information in the background every time you logon
- Physical Control:
- If you have to surrender your mobile device for any reason, there’s a chance something could become compromised.
- An example of this would be Chinese Border Agents confiscating all people crossing the border and/or near Kyrgyzstan and installing surveillance applications on all cell phones.
- App Spoofing:
- Someone makes an application that LOOKS like the legitimate app that is it copying, but it is different, typically in its name… and it’s not found directly within your mobile devices App Store.
- Stalkerware AKA Spouseware
- These are applications that a spouse can install on another spouse’s device. It is intended to be used to track their location, messages, phone calls, or some sort of information like that… but often, these applications are actually just bad guys preying on worried couples. These applications often just take all that collected data and sell it on the black market.
- If you have to surrender your mobile device for any reason, there’s a chance something could become compromised.
- Typically takes the form of a Video Game or a “Specialty” New Application
- This is a text message that asks you to click on a link that either:
What can I do?
- Remember your hygiene! Passwords, safe links, physical security, and regular updates.
- Only download applications from name-brand producers
- Read the permissions that the application is asking to have access to.
- Do not hand over your mobile device to anyone
- Don’t allow “Shoulder Surfing”
Takeaways:
Mobile devices are extraordinarily useful in today’s on-the-go economy, but we have to remember that all the rules we have for our computers are the same for our phones. Remember to keep your security hygiene in check:
- Change your password(s) regularly
- Only download software/applications from trusted sources
- Update all your applications regularly
- Clicking a link on your phone is just as potentially compromising as your computer
- Always maintain physical control of your devices
