If there’s one cyber security conversation that gets too little attention, it is probably mobile security. We’ve come a long way in securing our systems, networks and computers. Given how significant they are as targets, these would be obvious focii – but what about the devices that we carry with us every day? As work changes and employees do more with their (often personal) mobile devices that tend to lack security features and applications, cyber criminals have taken note.
An Overdue Conversation About Mobile Security
The smartphone as we know it has been around for over a decade, and over the past couple of years the idea of requiring mobile security has become much more prominent in the cyber security conversation. Trends like Bring Your Own Device (BYOD), rapid global adoption of smartphones, the use of Bluetooth and complex app ecosystems have presented bad actors the opportunity to exploit multiple entry points. On top of this, many users (especially in emerging markets) have skipped the virus-laden PC era and gone directly to the smartphone. It has led to a general lack of mobile security consciousness.
The multiple tools that cyber criminals can have at their disposal, have made smartphones easier targets. Phishing, spoofing, trojans, malware, identity theft, social engineering and others can rapidly proliferate in the mobile environment. Some attacks are even easier to execute on mobile, and to top it off, it seems that across the board there’s a serious difficulty in addressing mobile security from an organizational standpoint.
There are 3 main motivations for attackers looking to exploit your vulnerable smartphone.
Access to your data
For a wide range of end goals, from espionage, blackmail, or “Fun, Ideology, Games (FIGs)”, bad actors can focus on your phone to achieve their objectives. They can steal photos, videos, emails, information on your contacts or other confidential data to exploit for financial gain. In some cases they can install malware or backdoors to eavesdrop and record your conversations to extract them for malicious ends, without you ever knowing.
Not only can bad actors steal the data on your contacts but they can extract data to impersonate you. A frightening example of this is of a malicious actor copying a SIM and phone’s data to effectively impersonate the owner and gaining access to banking, email and whatever other data they’d like.
Taking over a user’s device is done for two primary purposes. Ransomware involves the hijacking of a device with malware to force user to pay a ransom to regain access to their device. Another purpose would be to get a device to act on behalf of the owner without their awareness nor consent. This could involve making calls or texting on the owner’s behalf, increasing the chances that the recipient, trusting the sender, might click on or download something. It’s also worth noting that cyptojacking – the installation of cryptomining software without a user’s consent – is becoming a big concern as well.
How Bad Actors Access Your Mobile Device
So how do bad actors get into your device? There are a multitude of entry points.
SMS/MMS: A Text message and other media received via any messaging app poses a significant threat because you don’t see much information other than the sender, an engineered message and a link or filename. They usually come from unsolicited sources, but scammers are also able to catch you off guard by impersonating someone you trust or spoofing a number. These will most often aim to get you to click or download something, to install a trojan or malware that can result in any of the above end goals for bad actors.
Bluetooth: Bluetooth connections are prime picking for many attacks. Attackers have been able to do just about whatever they want with mobile devices simply by establishing a Bluetooth connection. Being in proximity of a Bluetooth enabled device can install malware on your phone, steal data and even turn your phone into a zombie device (and further spread the virus).
Wifi: As is the case for any device, non-secure wifi connections are a goldmine for attackers. They can even go as far as to create a dummy wifi account, with similar names and details as an authorized network, fooling users into signing in and allowing attackers to log everything you do, including passwords to important accounts. This is especially a risk for mobiles given their portability and use on the go.
Mobile Email: Not that much different than your everyday email threats, with malicious attachments, targeted phishing, malicious URLs, and the rest, it is an especially high risk with email on mobile. On top of this, spoofing is a greater threat via mobile email, as users are less likely to spot the malicious email when only display names are shown on their screens, while fake credentials from an attackers account are also often tied to the contact database on a phone. This means that a successful attack could lead to fake correspondence or other fraudulent activity for an extended period of time.
App Downloads: A common way to get infected on Android marketplaces is via a malicious app. This involves downloading an app that installs itself with a hidden bonus – a trojan or malware. The decentralized, less stringent method of publishing apps on the Android marketplace makes this easier to get away with. This is still possible on iOS, but far less likely, with enough restrictions to make the effort required less profitable as an angle of attack.
Tips for Better Mobile Security
So what can you do about it? Here are a few good rules to follow that should protect you.
- Avoid public charging stations, as they are sometimes a node from which spyware can spread. If you must, make sure you have an app that protects you. Here are a few anti-spyware app suggestions for an Android.
- Don’t “jailbreak” your iOS device, or any device for that matter, and expect to have any security. Jailbreaking can create programmatic vulnerabilities on phone’s software and make it much more insecure and vulnerable, while also limiting your access to security updates.
- Make sure your email has strong spam filters and protection from advanced threats like malicious URLs and Attachments.
- Make sure your email has spoofing protection. Mobile email clients usually only shows the display name, so an imposter can impersonate someone you know and perhaps fool you for quite a while before they’re caught.
- Download and install leading anti-virus, malware and email security apps. Here’s a really good rundown courtesy of PCMag, with an Android focus, but with options for iOS as well.
- Watch what you consent to and monitor permissions carefully. For instance, does that mobile game you downloaded really need to access your contacts?
- Use a VPN app on the road. There are free options that will scramble your data so even if you must connect to public wifi, you’ll be protected.
- Make sure you patch and update regularly – this is especially applicable to Android users. On top of that, only buy apps from vendors you know and can trust, as well as from sources that properly screen apps.
- Watch out for phishing attacks from accounts that you primarily use on your phone. These will include password resets, text message links, and all kinds of cyber-assisted scams.
- Don’t leave your Bluetooth on unless you’re using it, and monitor what devices are connecting to yours.
- Try to use messaging apps and other tools that encrypt data, ensuring that anybody who exports your data won’t be able to make use of it.
The last tip, and it pretty much applies to all of cyber security – don’t cut corners for the sake of convenience! The above advice may seem tedious, but if you build good habits, you’ll face far less inconvenience when a threat does come around – something all trends indicate is almost guaranteed to happen!
Apps that can protect your Android from spying
An interesting report on Mobile Security Threats by Samsung