Our Android smartphones have become an extension of our person, making them a clear attack vector for scammers and hackers.
Android smartphones are a logical extension of the natural person: we all have one. We organize our lives around them, from keeping fit to managing finances. They are priceless. But along with the benefits come growing threats.
The Mobile Landscape
Since the advent of the smartphone, our mobile device has become an integral part of everyday life. It provides access to friends and colleagues, controls our smart home devices, and offers online shopping and online banking, all from anywhere at any time. In 2019 almost 75% of people in the UK used their mobile devices for online banking.
In March 2020, Juniper Research predicted that digital banking in the US would grow 54% between now and 2024, as millennials and other younger consumers abandon traditional banking for digital and online banking.
With so much of our activity, and all of our digital credentials, stored on these devices, it’s no surprise that Android smartphones are being used and targeted in more cybercrime year after year. According to Sift data, more than 50% of online fraud now involves Android or iOS devices.
Threats To Mobile Phones
The 2020 Verizon Mobile Security Index report separates the mobile threat into four basic categories: users; applications and software; the device; and the networks to which they connect. We will follow that sequence as we discuss some of the threats.
Users are the first security issue for any device, and they are no more or less secure than their own learning, vigilance, and security technology. Phishing is the oldest, least technical, and most persistent online threat, and it remains the most common type of attack.
While many users are becoming savvier about phishing attacks, thanks to resources like Avast Academy, mobile users are being targeted more frequently and with greater sophistication.
Most phishing campaigns are traditional emails, with fraudulent messages posing as legitimate organizations to obtain sensitive data from victims; but mobile devices allow for many more vectors.
Email attacks remain prominent, but users can also receive malicious text messages, phone calls, and even spam, a form of malvertising, in apps and web pages.
According to data provided by Lookout, nearly half of the users who have clicked on a phishing link have fallen prey to phishing links six or more times. Despite the age of the threat, phishing is still effective.
Phishing scams can affect us even when we are not the direct victims. A Florida city lost nearly $750,000 to a phishing scam when a scammer posed as a contractor and asked the local government to update some payment details, resulting in the scammer being sent funds from the city.
Even more recently, the Puerto Rican government lost $2.6 million after falling victim to a phishing email, money that was effectively stolen from taxpayers.
Android smartphones are often used to initiate large-scale scams because the scammer can pretend to be traveling and therefore difficult to contact for verification.
URL obfuscation attacks often form a component of phishing campaigns and can be a mobile threat in their own right. It is often more difficult to verify the legitimacy of any link or URL on mobile devices than on laptop or desktop computers.
Mobile Internet browsing applications do not communicate security information as clearly as desktop browsers, and links sent by SMS can be easily obfuscated by a variety of techniques.
URL obfuscation can be as simple as replacing the top-level domain of an address or changing similar-looking characters (like ‘0’ for ‘o’, ‘cl’ for ‘d’, etc.).
A more sophisticated form of this attack is known as a homograph attack. This is where one or more of the characters in a domain name have been substituted with foreign look-alike characters, for example, the Greek Tau (τ) instead of the normal ‘t’. Thus, criminals could register (for illustrative purposes only) microsofτ.com and develop it as a malicious site.
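A defender-side check for the obfuscation patterns described above, as an added example that is not part of the original article: it flags mixed-script labels, the look-alike swaps mentioned in the text, and top-level-domain swaps. The watchlist, the confusables map and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed watchlist of domains to protect (an assumption for this example).
PROTECTED = {"microsoft.com", "download.example"}
# ASCII look-alike swaps named in the text: '0' for 'o', 'cl' for 'd'.
ASCII_LOOKALIKES = [("0", "o"), ("cl", "d")]
# Small constructed map of non-Latin letters to the Latin letters they resemble.
CONFUSABLES = {
    "\u03c4": "t",  # Greek tau
    "\u03bf": "o",  # Greek omicron
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
}

def scripts(label):
    """Scripts of the letters in one label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeletons(host):
    """Fold known look-alikes back to the Latin spelling they imitate."""
    variants = {"".join(CONFUSABLES.get(ch, ch) for ch in host)}
    for fake, real in ASCII_LOOKALIKES:
        variants |= {v.replace(fake, real) for v in variants}
    return variants

def check_host(host):
    """Return the reasons a hostname looks obfuscated (empty list if none)."""
    host = host.lower().rstrip(".")
    if host in PROTECTED:
        return []
    findings = []
    if any(len(scripts(label)) > 1 for label in host.split(".")):
        findings.append("mixed-script label")
    for match in sorted(skeletons(host) & PROTECTED):
        findings.append("look-alike of " + match)
    name = host.rsplit(".", 1)[0]
    for real in sorted(PROTECTED):
        if name == real.rsplit(".", 1)[0]:
            findings.append("TLD swap of " + real)
    return findings

def to_ascii(host):
    """Punycode (xn--) form, which is what DNS and proxy logs record."""
    return host.encode("idna").decode("ascii")
```

The confusables map here covers only a handful of letters; a production check would use the full Unicode confusables data.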
Mobile device users often accept app permissions without reading them in detail. This can allow rogue apps to use the device’s camera to spy on the user or record input such as login details and banking credentials.
This isn’t always the fault of inattentive users; some mobile malware can overlay harmless-looking permission requests on top of real ones, making users think they are agreeing to something innocent while allowing an app to access all files on the device or read confidential data.
It’s hard to keep track of how many smartphones are in use around the world, but one estimate in 2018 suggested 2.3 billion Android smartphones. Other estimates have suggested that there may be 100 million of these infected with malware. There are fewer iOS phones, but both sets of users are constantly under attack through the apps they use.
A common form of attack is through malicious or weaponized applications. These are most often introduced via sideloading when the user installs an app from a source other than the official app store.
In many cases, the lure is a free ‘cracked’ version of a commercial product; or it could be a specially crafted app that pretends to be a game or source of adult entertainment (related to pornography) but contains malware.
One example of sideloading involved serving malware, called Agent Smith, inside legitimate apps, including WhatsApp, in 2019. The apps were downloaded from the third-party store 9apps.com, owned by China’s Alibaba.
Twenty-five million Android smartphones are believed to have been infected with Agent Smith, up to 15 million in India, but more than 300,000 in the US and 137,000 in the UK.
However, malicious apps can also be found in official stores. In March 2020, security researchers found 56 malware-infected apps in the Google Play Store that had been downloaded more than 1 million times. Twenty-four of the apps were aimed at children.
Malicious apps are also becoming more harmful. Some mobile ransomware blocks access not only to files stored locally, but also to those in the user’s cloud storage, such as Google Drive.
Doxware, which not only locks data but threatens to post personal files online, is also on the rise. A surprisingly high proportion of people take intimate photos of themselves with their mobile devices, to share with romantic partners.
A 2014 survey found that 90% of millennial women had taken intimate photos on their phones. Posting these can be intensely embarrassing and lead to online abuse. There may also be location information stored in the metadata of images that could jeopardize personal safety if posted.
Stalkerware, which is usually installed by a ‘trusted’ partner to spy on a person’s location and friends, is also growing. This shows not only the diversity of threats to Android smartphones but also the diversity of threat sources.
SIM swapping is a serious threat that has doubled every year since 2016. The criminal contacts the user’s phone service and convinces it to transfer the victim’s phone number to a different SIM card (“I’ve had to buy a new phone, here are the details: transfer my phone number.”).
Until it is resolved, the criminal receives all calls and SMS messages, including 2FA authentication codes, intended for the victim. Unfortunately, it’s all too easy, and even Twitter CEO Jack Dorsey has been a victim.
While most attacks do not require direct physical access to a device, having such access can be an easy and effective way to compromise a target.
Juicing is a colorful method of device intrusion in which hackers replace or modify publicly accessible power outlets. The compromised power source can be used to install malware.
None of these innovative attacks is necessary if an attacker can get hold of our phone, and this can be as simple as picking it up when we forget or lose it.
In London, more than 25,000 mobile devices were lost on public transport between 2017 and 2018, and an average of 23,000 Android devices are lost or stolen each month.
Four percent of Android users will lose their device at least once, so opportunistic thieves are likely to have regular opportunities to acquire devices and potentially all the information on them.
Our mobile devices are by definition IoT devices and are often used as IoT control centers. We need to treat them with the same consideration we give our other IoT devices because their loss can lead to the abuse of every smart device controlled via phone.
Man-in-the-Middle, or MitM, attacks are often executed via public Wi-Fi hotspots: either legitimate networks that have been compromised or rogue hotspots that have been established specifically for malicious purposes.
Statistics indicate that 7% of mobile devices may experience a MitM attack every year. We must treat all external Wi-Fi connections (cafeterias, hotels, airports, etc.) with caution.
Most, but not all, mobile threats originate through social engineering in which the attacker convinces the user to do what the attacker wants rather than what the user is required to do.
Technology can’t stop you from doing what you choose to do with your phone. In protecting yourself, the main defense is your awareness of the threat. We have discussed some of these threats but by no means all. Maintain constant awareness through vigilance and learning.
Not all threats come from social engineering. In 2019, a bug allowed WhatsApp users to get remotely infected simply by making a phone call, which the user didn’t even need to answer.
If awareness cannot prevent infection, technology can help. All mobile phone users should have a conventional anti-malware product installed on the phone.