- Make sure you understand the various ways that hackers can exploit your smartphones.
- Pay attention to how you download apps and operating systems versions.
- Follow the steps outlined below to make your phones more secure.
The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse and, of course, we mean your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control and some not. These mobile malware efforts aren’t new. Sophos has been tracking them for more than a decade (see this timeline from 2016). There are numerous examples of attacks:
One class of problems are bad apps that look benign, called “fake anti-virus.” These are apps that look like they are protecting you against infections, but are actually malware themselves. The creators of these malicious apps count on the fact that many users will just click on a tempting offer and download the app without ever giving it a second thought. Few of us do any vetting or research to find out if these apps are legitimate. The Google Play and Apple iTunes stores are full of these apps, despite attempts by both companies to continually clear them from their online listings.
A second type creates botnets composed exclusively of Android phones (such as WireX) that are used to launch denial of service attacks across the Internet. One of them was called FalseGuide. It was hidden in more than 40 different games, one of which had more than 50,000 downloads.
This is just one example of other kinds of malware that can be hidden inside other legitimate-looking products, such as games for kids and backup products. How about a flashlight app that requires access to your photos? Or, as another example, a form of malware called DressCode that leverages ad click fraud. It was popular back in 2016 and has resurfaced at various times since then with new infrastructure and updated code.
Why is Mobile Malware So Popular?
The apps on your phone are a tempting target for hackers because they broaden the attack surface area and often exploit numerous vulnerabilities inherent to phones. Part of the problem is that the notion of “bring your own device” has turned into “bring your own trouble.” As corporate users become more comfortable using their own devices, they can infect or get infected from the corporate network. Moreover, mobile users are less careful and tend to click on email attachments that could infect their phones. But the fault really lies in the opportunity that mobile apps present, because we all use them nowadays.
Another part of the problem is that keeping a mobile device secure usually means keeping its operating system updated, and both Google and Apple issue frequent updates. Finally, mobile apps are also harder to secure than desktop apps because they are often written without any built-in security measures, and as enterprise developers become more agile, mobile apps are changed almost continuously, making the possibility of deliberate errors a near certainty.
Practical Suggestions to Improve Mobile Security
Securing your mobile device from these threats isn’t simple, which is why many of the threats continue. It will require a multi-pronged effort on the part of both users and IT managers to curtail them. Both Apple and Google have beefed up their operating systems with various security technologies (Google calls its tools Play Protect). That is a good starting point, but you’ll also want to consider many of the following suggestions:
- Use PINs to lock your phone. Either use the longer numeric PIN or your face or finger to unlock the phone. The second or two delay is worth the extra security. As part of your Touch/Face ID and Passcode settings is an option to “erase data” after entering 10 incorrect PIN attempts.
- Use additional security apps. Network Solutions has a Cyber Security Solution that bundles Lookout and SkOUT along with a VPN. There are also other free anti-malware products from Avira, Avast, ESET, Kaspersky and Sophos all have free AV for Android for example. And there are numerous free VPN providers, such as ProtonVPN and Cloudflare’s Warp that are worth using too.
- Use a password manager. Having a common repository of passwords among all your devices — and having complex and unique passwords — is a major improvement over shared and simple passwords.
- Think before you connect to any public WiFi network. Don’t automatically connect to WiFi hotspots by name: hackers like to fool you into thinking that just because something is named “Starbucks WiFi” it’s safe. Apple makes a Configurator app that can be used to further lock down its devices: use it. “Ask to Join Networks” should always be set to the “Ask” option.
- Turn on the Verify Apps feature on Android devices to prevent malicious or questionable apps from being downloaded.
- Finally, update your device’s operating system when new versions are available. This is the best way to stay ahead of potential exploits found in older versions.