The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse and, of course, we mean your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control and some not. These mobile malware efforts aren’t new. Sophos has been tracking them for more than a decade (see this timeline from 2016). There are numerous examples of attacks:
One class of problems is bad apps that look benign, called “fake anti-virus.” These are apps that look like they are protecting you against infections, but are actually malware themselves. The creators of these malicious apps count on the fact that many users will just click on a tempting offer and download the app without ever giving it a second thought. Few of us do any vetting or research to find out if these apps are legitimate. The Google Play and Apple iTunes stores are full of these apps, despite attempts by both companies to continually clear them from their online listings.
A second type creates botnets composed exclusively of Android phones (such as WireX) that are used to launch denial of service attacks across the Internet. One of them was called FalseGuide. It was hidden in more than 40 different games, one of which had more than 50,000 downloads.
This is just one example of the malware that can be hidden inside legitimate-looking products, such as games for kids and backup products. How about a flashlight app that requires access to your photos? Or, as another example, a form of malware called DressCode that leverages ad click fraud. It was popular back in 2016 and has resurfaced at various times since then with new infrastructure and updated code.
The apps on your phone are a tempting target for hackers because they broaden the attack surface and often exploit numerous vulnerabilities inherent to phones. Part of the problem is that the notion of “bring your own device” has turned into “bring your own trouble.” As corporate users become more comfortable using their own devices, those devices can infect, or be infected by, the corporate network. Moreover, mobile users are less careful and tend to click on email attachments that could infect their phones. But the fault really lies in the opportunity that mobile apps present, because we all use them nowadays.
Another part of the problem is that keeping a mobile device secure usually means keeping its operating system updated, and both Google and Apple issue frequent updates. Finally, mobile apps are also harder to secure than desktop apps because they are often written without any built-in security measures, and as enterprise developers become more agile, mobile apps are changed almost continuously, making the possibility of deliberate errors a near certainty.
Securing your mobile device from these threats isn’t simple, which is why many of the threats continue. It will require a multi-pronged effort on the part of both users and IT managers to curtail them. Both Apple and Google have beefed up their operating systems with various security technologies (Google calls its tools Play Protect). That is a good starting point, but you’ll also want to consider many of the following suggestions: