The violation of personal security via mobile devices has come to the forefront in recent months, through the actions of government agencies and commercial organizations that “listen in” to our phones or track our movements – and through the activities of hackers who steal our personal details, sometimes demanding a ransom payment afterward so that they won’t publicize sensitive information.
Bottom line: The mobile phone is a spying device, although few people think of it this way. We tend to relate to our smartphones as we would to an old-fashioned telephone, or as a source of entertainment. But actually, the phone is potentially a device that can do extensive damage.
Let’s have a look at how and why mobile phones are abused, and what enterprises can do to help their employees identify when a phone has been breached.
How Mobile Phones Are Being Abused
Mobile phones are being abused for a wide range of reasons. For example, nation-state actors break into phones to advance their own political goals:
- Governments around the world use surveillance software like Pegasus to crack the encrypted communications of smartphones, track citizen activity and listen in to conversations. The data obtained is used to: detail people involved in criminal activity – exposing drug rings, terrorist plots, and more; identify protesters in countries ruled by dictators; or reduce the number of people infected by COVID-19 through apps letting people know when they have been exposed.
- Hackers use fake identities on social media to lure users into installing spyware on their phones – turning on the phone cameras and recording devices, and accessing the phones’ content.
- Spies communicate with intelligence agencies.
Hackers seeking monetary gain or sexual favors are also taking advantage of their ability to breach mobile phones. For example:
- Hackers steal credit cards, photographs, and documents to demand payment for their return.
- Hackers steal important company information from senior managers to demand payment for their return.
- Hackers stalk their victims – for example, by identifying a person’s exact location and exploiting them.
There are many kinds of malware that are designed specifically for mobile phones. NSO’s Pegasus has been in the headlines recently, but the truth is that many other tracking technologies are available that are designed to be used specifically against mobile devices.
Helping Employees Identify When a Phone Has Been Breached
To reduce the potential cybersecurity risks to an enterprise, it’s important to train employees to notice and report the following problems on a mobile phone which can be indicative of an infected or breached smartphone:
- The phone is unusually slow
- The battery starts to be depleted quickly
- Unusual behavior on the phone such as randomly turning on or off
- New apps have been automatically installed
- Ads showing up much more than usual
- Applications being updated much more frequently than usual
- Contacts received SMS messages that the phone’s owner didn’t send
- The owner received a request for a ransom payment
- The owner received notification that someone is trying to reconfigure their password
- The owner received notification that someone is trying to connect from a surprising location
- On Apple phones, the green light indicating that the camera is active is displayed (when the owner is not using the camera)
- Emails or information have been transferred somewhere else
Training Employees to Protect Their Phones
“Cyber hygiene” applies just as much to smartphones as to other types of devices. As part of your enterprise’s cybersecurity training, make sure employees know how to reduce the risk. Here’s some of what any employee training program should include:
- Most breaches of smartphones involve phishing attempts or malicious apps. Some attempts take advantage of vulnerabilities in the operating system that allow attackers to run commands remotely.
- There have been many recent attempts to obtain victims’ personal details. For example, an employee might receive notification that, “You just won an iPhone 12 – click here to download.” The download looks like an app but is, in fact, malicious code or a backdoor to the device, or is another attempt to obtain personal details in order to steal a person’s identity or money.
- Attackers take advantage of the fact that most people are attached to their phones. (Research has shown a neurological phenomenon, whereby even when a phone is not in a person’s pocket, the person might feel a vibration in the pocket. This shows how dependent and connected we are to our phones.) Attackers also take advantage of financially related stresses.
- All smartphones should be protected by an antivirus package, which can protect the phone from an initial breach.
- Always install the latest updates, which patch bugs and provide security protection. Many people avoid installing updates because they are afraid it will slow down the phone’s functionality or wrongly believe the updates are a ploy to encourage consumers to buy new phones more quickly.
Cyber hygiene applies just as much to smartphones as to other types of devices. As part of your enterprise’s cybersecurity training, make sure employees know how to reduce the risk.
The Most Common Means of Infection
To avoid being breached, it’s important that employees avoid the following:
- Don’t download apps that are not from the official Apple or Google Play app store, or that do not have a large number of downloads. Many sites offer versions of apps that are infected with malware. (Be aware, however, that sometimes apps in official app stores can nonetheless be malicious. See this article by Norton.) Don’t look for free alternatives to paid apps like Spotify, as you might end up downloading an app infected with malware. It’s better to pay for a service than to get it for free from unofficial sources when it’s infected. And avoid Pokémon Go, which requires users to provide access to their GPS and camera.
- Don’t connect to WiFi networks in public places. Avoid public networks.
- Don’t use the same password across multiple apps and services.
- In public areas like airports, don’t plug your phone into the USB ports. (Using the electricity available for recharging a phone is fine.)
- Don’t use higher-level permissions on the phone than you need. Do not define your authorization level as “ROOT” (on Android) or “JAILBREAK” (on iPhone), as it can raise the privilege level of a hacker who gains access to your phone.
In addition, we recommend taking the following precautions:
- Limit the amount of personal information and permissions that you grant when downloading apps. For example, there is no reason for a movie app to have access to your camera.
- For authentication purposes, make sure to set up a password on your phone. A complex password or a fingerprint is better than using a pattern as the code, because the oils on our skin can sometimes reveal the patterns we use.
- Set up apps, such as WhatsApp, so that the first time the app is activated on a new device, it requires multifactor authentication. Multifactor authentication reduces the possibility of an attacker successfully taking over an account in two ways: (1) it requires a code for someone to start using WhatsApp, and (2) it prevents an attacker who does not have access to the mobile device from using the WhatsApp account.
- Shut off your Bluetooth and Location when you aren’t using them.
- Review what is installed on your phone and remove what isn’t necessary; where possible, revoke unnecessary permissions.
- Deactivate lock screen notifications – so that only a person who has unlocked the phone can read your messages. Make sure Siri cannot be accessed from a locked screen.
- If you store valuable information on your phone, do backups regularly. This way, if someone steals the phone or its data, you will have everything you need, and will not be tempted to pay a ransom.
- Be wary of anyone who asks to use your phone to make a call. There are ways for someone to install malware on a phone while using it.
Mobile Phones Require Cyber Care Just Like Other Office Devices
Many people don’t realize that keeping a mobile phone safe involves taking a number of precautions – from doing backups regularly and being careful about which apps to use, to limiting access to personal data (where it’s not necessary for the use of an app) and installing an antivirus package.
Reducing the risk of attack to your enterprise means ensuring that employees are careful with their use of mobile phones. Any cybersecurity training program run by your organization should cover the essentials of phone safety, to protect employees from attack.
Interested in learning more about reducing the risk to your enterprise? CyberProof Managed Detection & Response services and our team of cybersecurity experts can help. Be in touch today!