In a recent blog entry on Hot For Security, we discussed how mobile devices today face a plethora of security threats that don’t discriminate between hardware and operating system.
We explained why iPhones are not immune to cyber threats, as some Apple fans like to believe, and we showed how Android apps sold outside the Google Play Store are more dangerous than we often think. Now that we know mobile security threats are no myth, let’s look at the top five threats most commonly faced by mobile users today.
Stalkerware, part of the spyware family, is monitoring software typically used for stalking. The term “stalkerware” was coined when bad actors started to use commercial spyware to stalk their spouses. It is used by domestic abusers and, sometimes, even employers.
Stalkerware is used to track your whereabouts, record your instant messaging chats, and even turn on the camera or mic to spy on you. The threat actor typically needs physical access to your device. However, stalkerware can also infect your phone if you unwittingly download and install a software package containing the malicious code.
That’s why it’s important to use a security solution that can detect malicious activity on your phone, and of course to only download and install apps from your vendor’s vetted app store.
Phishing / Smishing / Vishing
Phishing is a social engineering tactic that works regardless of platform. Typically deployed via spam email, phishing campaigns use a plethora of convincing messages to trick the user into divulging their user name, password or credit card information. The tactic has been adapted to SMS as well, earning the name ‘smishing’ (SMS + phishing). These attacks usually insist that you call a premium-rate number, visit a malicious URL, or reply with your personal or financial information to claim a prize. Some use scare tactics, trying to convince users that their personal data has already been compromised and urging them to take immediate steps to limit the damage.
There’s even a voice-based type of phishing attack called, unsurprisingly, ‘vishing’ (phishing + voice). The intentions are usually the same as the ones described above, only this time it’s an actual person (or robot) trying to scam you on the phone. They may try to steal your identity and financial information like your PIN and card details.
Regardless of how they’re conveyed, phishing attacks always try to induce a sense of urgency or fear. Never reply to unsolicited messages claiming to come from your bank or other vendors, and always verify first whether the message really comes from the sender it claims to be from. It’s important to note, though, that phishing scams are continually evolving, which sometimes makes them difficult to spot even for the trained eye. Modern mobile security solutions are a wise choice because they can sniff out phishing attacks that the user may not notice.
Using a phone to pay at the cash register has become common, and some might think the same goes for shopping online using a phone when out and about. However, public Wi-Fi networks are not always safe.
Some threat actors set up Wi-Fi networks specifically to steal your access credentials or credit card information.
An online store whose address lacks the HTTPS prefix is another big red flag. Data you exchange with unsecured HTTP websites is not encrypted, letting a threat actor intercept your communications in what is referred to as a ‘man-in-the-middle’ attack.
Using a security solution on your device can vastly reduce your chances of falling into this net – especially if that solution comes pre-loaded with a handy VPN, which encrypts your digital activity and hides your identity from prying eyes. Of course, the responsibility is first and foremost yours to be vigilant and use only trusted websites and networks. In other words, it’s best to keep it simple when using public Wi-Fi and to only shop online from the confines of your home network. As a general rule, refrain from using public Wi-Fi to beam out sensitive data or financial information.
Bitdefender’s 2020 Consumer Threat Landscape Report shows how the surge in popularity of video conferencing solutions during the pandemic opened a door for opportunistic threat actors. Troves of users installed Zoom from unofficial app stores, exposing themselves to malware disguised as Zoom installers.
In a more recent finding, Bitdefender researchers noted that the practice of sideloading – installing APK binaries from repositories other than the official Google Play Store – is still strong among Android users.
“Using a combination of tricks to persuade users to install apps outside of the official store, criminals spread most of their malware through sideloading. If mobile devices have no security solution installed, malicious apps roam free,” our researchers wrote in a recent Bitdefender Labs entry.
Threat actors are leveraging sideloading to deploy Teabot, also known as ‘Anatsa,’ a piece of Android malware that can carry out overlay attacks via the Accessibility Services. Teabot can intercept messages, perform keylogging activities, steal Google Authentication codes, and even let its authors take full remote control of a user’s phone. Teabot is hidden in fake apps copying popular counterparts from the official Google Play store, including ad blockers and antivirus apps.
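As a defender-side check for the sideloading risk described above, here is an added shell script, not code from the original post or from Bitdefender, that lists the third-party packages an Android device reports as installed by something other than the Play Store. It assumes adb is on PATH for live use and that `pm list packages -3 -i` prints an `installer=` field; the sample package names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or Bitdefender): audit the
# third-party packages on an attached Android device and flag those that
# were not installed by the Play Store (installer com.android.vending),
# i.e. likely sideloaded.  Assumes adb is on PATH for --live mode and
# that `pm list packages -3 -i` prints "package:NAME  installer=INSTALLER".

# Installers considered legitimate; a trusted OEM store could be appended.
TRUSTED_INSTALLERS="com.android.vending"

# Read package lines on stdin, print "package<TAB>installer" for each one
# whose installer is not trusted (sideloaded packages show installer=null).
flag_sideloaded() {
  while IFS= read -r line; do
    case "$line" in
      package:*installer=*) ;;
      *) continue ;;             # skip lines that are not package entries
    esac
    pkg=${line#package:}
    pkg=${pkg%%[[:space:]]*}     # drop everything after the package name
    inst=${line##*installer=}
    trusted=0
    for t in $TRUSTED_INSTALLERS; do
      [ "$inst" = "$t" ] && trusted=1
    done
    [ "$trusted" -eq 1 ] || printf '%s\t%s\n' "$pkg" "$inst"
  done
}

# Constructed sample output (not captured from a real device) so the
# function can be exercised without adb; the app names are made up.
SAMPLE='package:com.example.bank  installer=com.android.vending
package:com.example.adblock  installer=null
package:com.example.av  installer=com.example.sideloader'

# Number of flagged packages in the sample.
count_sample_sideloaded() {
  printf '%s\n' "$SAMPLE" | flag_sideloaded | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
  # adb output carries CR line endings; strip them before parsing.
  adb shell pm list packages -3 -i | tr -d '\r' | flag_sideloaded
else
  printf '%s\n' "$SAMPLE" | flag_sideloaded
fi
```

Any package the script lists is worth reviewing against what you actually installed; an ad blocker or antivirus app that arrived as an APK from outside the store is exactly the pattern the Teabot campaign relies on.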
Poor passcode hygiene
Of all our personal devices, our phones carry by far the most sensitive information about us. Using an easy-to-guess passcode like 0000 or 1234 is practically begging to be compromised. The same goes for the password of the account your phone is tied to (your Apple ID, Google account, etc.). If you use the same password everywhere, chances are that password will be exposed in a data breach sooner or later. Using data scraping and password spraying, malicious actors can piece together your digital identity and compromise the account associated with your phone. They then not only have access to your personal and financial data, but can even lock you out of your device.
Bitdefender Digital Identity Protection enables you to check your online accounts against data breaches, find your private information online in legal and illegal collections of data, detect your social media impersonators and more.
Mobile Security to the rescue
If you’ve ever found yourself asking “what are the security risks associated with my phone?” you are on the right track to defend yourself against cyber threats.
Bitdefender Mobile Security is available for iPhone or Android users and offers full protection against mobile-specific threats, plus a secure VPN for a fast, anonymous and safe experience while surfing the web. Bitdefender Mobile Security helps users secure their passwords, private data and financial information, and instantly alerts you whenever an incident is detected and prevented.