Downloading the wrong apps can get you hacked
The dependence on smartphones is a slam dunk for hackers who are constantly lurking because the devices are practically always on and connected to dozens of apps filled with sensitive data.
Hackers find them irresistible since passwords are stored on your phone for your bank, stock trading and gaming apps.
“Mobile devices are often breeding grounds for attackers since a given device has tens or hundreds of mobile applications and account logins, let alone reams of stored, sensitive data,” Michael Isbitski, technical evangelist at Salt Security, a Palo Alto, Calif. based provider of API security told TheStreet.
Smartphones are targets
The amount of time people spend on their smartphones combined with the number of people working from home increases the chances of a hacker attacking them.
“Most businesses support some form of BYOD (bring your own device), which brings a consumer-level hack into the realm of a business being compromised,” Bud Broomhead, CEO of Viakoo, a Mountain View, Calif.- based provider of automated IoT cyber hygiene told TheStreet.
Businesses must ensure that their employees do not use personal passwords in the work environment, as this can help reduce the possibility of compromise.
“The blurred lines between work life and home life make it easier for cybercriminals to carry out exploits targeting corporate systems and data,” he said.
Both consumers and employees still use passwords that can be easily guessed or hacked, Joni Moore, director of security solutions at Lookout, a San Francisco-based endpoint-to-cloud security company, told TheStreet. The company’s recent list of the 20 passwords most commonly found in leaked account information on the dark web ranges from simple sequences of numbers and letters like “123456” and “Qwerty” to easy-to-type phrases like “Iloveyou.”
Apps have weaker forms of authentication
The apps on your phone can be the easiest way for hackers to find an entry because the majority of apps are designed to be easy to use and aren’t secure enough, Brian Contos, chief security officer at Nashville-based Phosphorus Cybersecurity, told TheStreet.
Although there are security measures when the apps are installed, such as asking for permission to access the photos, contacts, microphone, video camera and location, the majority say yes to everything because “they want ease of use and they want to enjoy all the benefits the app has to offer,” he said.
Behind the scenes of the app is a different story, and it may be capturing sensitive information, Contos said.
While the Apple and Google app stores list all apps, a few bad ones will always sneak through, Jason Glassberg, co-founder of Casaba Security, a Redmond, Washington-based penetration testing and security services company, told TheStreet.
Legitimate apps also pose risks since it is possible for hackers to compromise them from the app’s backend servers. The biggest risk is that the user will be tricked into installing a malicious app, usually from a third-party app store, he said.
There should be less concern about the data on a smartphone and more emphasis on what data the phone unlocks, Sounil Yu, chief information security officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, told TheStreet.
Attackers know that phones have become indispensable for supporting two-factor authentication that protects access to large amounts of data. Many companies send a text message to your phone with a five or six digit number to be used to confirm that you are making a transaction.
The catch is that now they are “often targeted through SMS hijacking and tempting malicious apps,” he said. “To better protect the data your phone unlocks, avoid using SMS or phone calls as the second factor and use authentication apps instead.”
Attackers target mobile apps all the time because they can “pull mobile app binaries from the public app stores and reverse engineer them to understand how the applications work and store data,” Isbitski said.
Mobile app designs “talk” to back-end services over the Internet to retrieve data, store information and enable functionality, and app developers will sometimes use weaker forms of authentication to enable mobile user experiences, he said.
Your phone can also be phished
Cybercriminals are agnostic and can cast a wide phishing net in hopes that a person will click on a malicious link whether it comes from email or phone, Moore said. Lookout’s mobile phishing map shows that the phishing rate for the US is 34% for both iOS and Android combined.
The company’s data shows that personal mobile devices face more phishing attacks with 46.2% of consumers exposed to mobile phishing compared to 15.7% of mobile business users.
Phishing scams often take the form of e-mails or SMS messages pretending to be known entities such as the IRS or the CDC.
“Social phishing scams can trick consumers into thinking they’re donating to a legitimate cause or donating personal information to win a contest or help a cause,” she said.
Nation-state hackers want access to a target’s phone so they can monitor their communications as well as physical location while stalkers or former partners want to access their GPS tracking, Glassberg said.
The majority of hackers want to steal your information to take over your financial accounts and generate income and will use phishing text messages known as smishing in an attempt to trick the user into visiting a fake login page or downloading a fake financial app, he said.
“Phishing is not just limited to email,” he said. “It is now a standard tactic used by criminals across multiple communication channels, including SMS, instant messaging, social media, Slack and even Zoom. Pretty soon, phishing and other social engineering tactics will find their way into the metaverse.”
Why SIM switching is increasing
Hackers are always looking for the next easiest scam to commit, and SIM swapping is extremely profitable.
The number of SIM swap complaints rose to 1,611 with adjusted losses of more than $68 million, according to the FBI Internet Crime Complaint Center. From January 2018 to December 2020, the FBI received 320 complaints with adjusted losses of approximately $12 million.
Criminals target mobile operators to gain access to victims’ bank accounts, even virtual currency accounts in SIM swaps using social engineering, insider threat or phishing techniques.
After a SIM card is switched, all calls and texts from the victim are redirected to the criminal’s device. Now the hacker can send “forgot password” or “account recovery” requests to the victim’s email and can send a link or one-time code via text to the victim’s number, which is now owned by criminals.
The FBI recommends that people avoid posting information about financial assets, including cryptocurrency, on social media and forums and do not store passwords or usernames in your apps.
“The user is none the wiser since their device and SIM never left their possession, although they may begin to see errors on their own device over time,” Isbitski said.
Attackers can easily fool the carrier’s customer service representatives because the answers to challenges often used by the representatives to identify an individual are now public due to past security incidents.
“The amount of sensitive data that has been leaked about individuals over time has become enormous,” he said.
How consumers can avoid hackers
Taking control of your apps will help you avoid becoming the target of a hacker. Start by limiting the number and type of apps you install since “that’s where the biggest threat is on your phone,” Chris Pierson, CEO of BlackCloak, an Orlando, Fla.-based cybersecurity company that specializes in preventing mobile and personal cyberattacks devices and home networks, told TheStreet.
Android users have an “even greater risk of malicious apps, but iPhone users are not immune to this either,” he said.
The app stores can’t always catch a malicious app, especially if it performs a legitimate function like a calculator or ad blocker, instead waiting until later to update the software to make it malicious, Pierson said.
“Employees should also use mobile device encryption to protect important data on their phones,” he said. “This can be done in the phone’s settings for both Android and iPhone. Mobile antivirus is also a good idea as an extra layer of protection to guard against malicious apps and links.”