Downloading the wrong apps can get you hacked

by James · November 30, 2022

The dependence on smartphones is a slam dunk for hackers who are constantly lurking because the devices are practically always on and connected to dozens of apps filled with sensitive data.

Hackers find them irresistible since passwords are stored on your phone for your bank, stock trading and gaming apps.

“Mobile devices are often breeding grounds for attackers since a given device has tens or hundreds of mobile applications and account logins, let alone reams of stored, sensitive data,” Michael Isbitski, technical evangelist at Salt Security, a Palo Alto, Calif. based provider of API security told TheStreet.

Smartphones are targets

The amount of time people spend on their smartphones combined with the number of people working from home increases the chances of a hacker attacking them.

“Most businesses support some form of BYOD (bring your own device), which brings a consumer-level hack into the realm of a business being compromised,” Bud Broomhead, CEO of Viakoo, a Mountain View, Calif.- based provider of automated IoT cyber hygiene told TheStreet.

Businesses must ensure that their employees do not use personal passwords in the work environment, as this can help reduce the possibility of compromise.

“The blurred lines between work life and home life make it easier for cybercriminals to carry out exploits targeting corporate systems and data,” he said.

Both consumers and employees still use passwords that can be easily guessed or hacked, Joni Moore, director of security solutions at Lookout, a San Francisco-based endpoint-to-cloud security company, told TheStreet. The company’s recent list of the 20 passwords most commonly found in leaked account information on the dark web ranges from simple sequences of numbers and letters like “123456” and “Qwerty” to easy-to-type phrases like “Iloveyou.”

Apps have weaker forms of authentication

The apps on your phone can be the easiest way for hackers to find an entry because the majority of apps are designed to be easy to use and aren’t secure enough, Brian Contos, chief security officer at Nashville-based Phosphorus Cybersecurity, told TheStreet.

Although there are security measures when the apps are installed, such as asking for permission to access the photos, contacts, microphone, video camera and location, the majority say yes to everything because “they want ease of use and they want to enjoy all the benefits the app has to offer,” he said.

Behind the scenes of the app is a different story, and it may be capturing sensitive information, Contos said.

While the Apple and Google app stores list all apps, a few bad ones will always sneak through, Jason Glassberg, co-founder of Casaba Security, a Redmond, Washington-based penetration testing and security services company, told TheStreet.

Legitimate apps also pose risks since it is possible for hackers to compromise them from the app’s backend servers. The biggest risk is that the user will be tricked into installing a malicious app, usually from a third-party app store, he said.

There should be less concern about the data on a smartphone and more emphasis on what data the phone unlocks, Sounil Yu, chief information security officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, told TheStreet.

Attackers know that phones have become indispensable for supporting two-factor authentication that protects access to large amounts of data. Many companies send a text message to your phone with a five or six digit number to be used to confirm that you are making a transaction.

The catch is that now they are “often targeted through SMS hijacking and tempting malicious apps,” he said. “To better protect the data your phone unlocks, avoid using SMS or phone calls as the second factor and use authentication apps instead.”

Attackers target mobile apps all the time because they can “pull mobile app binaries from the public app stores and reverse engineer them to understand how the applications work and store data,” Isbitski said.

Mobile app designs “talk” to back-end services over the Internet to retrieve data, store information and enable functionality, and app developers will sometimes use weaker forms of authentication to enable mobile user experiences, he said.

Your phone can also be phished

Cybercriminals are agnostic and can cast a wide phishing net in hopes that a person will click on a malicious link whether it comes from email or phone, Moore said. Lookout’s mobile phishing map shows that the phishing rate for the US is 34% for both iOS and Android combined.

The company’s data shows that personal mobile devices face more phishing attacks with 46.2% of consumers exposed to mobile phishing compared to 15.7% of mobile business users.

Phishing scams often take the form of e-mails or SMS messages pretending to be known entities such as the IRS or the CDC.

“Social phishing scams can trick consumers into thinking they’re donating to a legitimate cause or donating personal information to win a contest or help a cause,” she said.

Nation-state hackers want access to a target’s phone so they can monitor their communications as well as physical location while stalkers or former partners want to access their GPS tracking, Glassberg said.

The majority of hackers want to steal your information to take over your financial accounts and generate income and will use phishing text messages known as smishing in an attempt to trick the user into visiting a fake login page or downloading a fake financial app, he said.