What is the most intimate relationship in your life—aside from your partner, your children or your parents? For many of us, it’s our mobile phone. It’s the last thing we see before sleep, and it’s usually the first thing in our hands each morning.
I specialize in cybersecurity not mental health, so I can’t comment on how this intimacy with a device affects our well-being. But I can say that we must secure any platform that’s always connected, always on, and almost always within inches of our bodies.
Let’s take a look at the six threats F-Secure’s Tactical Defense Unit sees most often as we continually analyze the mobile landscape.
While the volume of malicious apps targeting mobile devices is not as high as those plaguing desktops, these apps are common—especially those targeting the Android platform. In the last year, the volume of malicious apps detected by our Android endpoint protection has been steadily increasing.
The unwanted mobile apps we see most often include adware, which monetizes itself by displaying advertising on a device. Other popular malicious apps perform operations without the user’s awareness, such as reading SMS messages or installing banking trojans. Recently, a malicious app called “Chrome” that impersonates Google’s browser to induce users to either install or update their mobile browsing software has become increasingly prevalent.
Over September, 21% of the top malicious app names we detected included the word “Chrome.” The other top two terms were “voicemail”, which showed up in the names of 24% of the malicious apps detected, and “video player”, which appeared in 14% of these app names.
Users generally don’t end up with these bad apps because they went looking for them in official stores. Typically, these apps are pushed through SMS messages. While avoiding installing any app that comes at you via SMS is good advice, the terms “chrome”, “voicemail”, and “video player” in the name of any app should raise some huge red flags.
FluBot provides an extremely relevant example of how malicious apps thrive by taking advantage of our phone’s often helpful features.
Since April of this year, we’ve detected this Android malware circulating throughout Europe. It arrives on a device via SMS. Once installed, FluBot will request that the user activate Android’s accessibility services. These services can be extremely useful for people with disabilities. Unfortunately, they can also be extremely useful for attackers, allowing them to, for instance, read text inputted into other apps, log keystrokes or access SMS messages. It uses these services to access a user’s contact information, which attackers can then use to spread the malicious app through SMS.
FluBot also takes advantage of another well-meaning feature—overlays. This feature allows apps to lay on top of each other. Overlays have been removed for standard applications as of Android 10, codenamed Android Q. Unfortunately, if a user turns on accessibility services this capability returns.
This tactic can be quite tricky. Imagine there is a malicious app overlaid on a banking app, but only in the credential area. So as far as the user is concerned, the credentials being entered seem as if they’re being sent to the banking app. But they’re going straight to the attacker.
So, if you don’t need accessibility services, don’t enable them. Especially do not enable them if they’re being requested by an app that you did not look for and find in an official app store, such as Google Play.
Mobile phishing attacks, often called smishing, don’t only target a device through SMS. They also can be aimed at other popular messaging apps, including WhatsApp or Facebook Messenger.
These threats often exploit your familiarity with popular brands as the message’s sender often uses attractive lures, such as offering free iPhone 12s. All users have to do to collect their prize is enter their credit card information.
And since your mobile phone is also a phone, we also see vishing (voice phishing). These attacks solicit credentials through phone calls or trick users into installing remote access tools on a mobile device or a computer by pretending to be technical support.
Calendar spam targets iOS devices via ICS or iCalendar files, which are used to schedule events and meetings on Apple devices. These files can also be used to subscribe to calendars. Users will receive invites to calendars filled with spam that render a calendar virtually worthless. Opening an event inside these spam calendars can lead to malicious links or scams.
How easy is it to create these kinds of threats? Open source tools available to make calendars for legitimate purposes also make it easy to create calendars filled with often malicious spam. Fortunately, getting rid of these annoyances is even easier than making them. Just unsibscribe from spam calendars from inside the Calendar app.
While overlays target Android devices and spammy calendars only bother iOS users, there are equal opportunity threats out there. These include vulnerabilities; especially vulnerabilities in messaging apps.
Zero-click exploitations of vulnerabilities can infect a device with a call or a message. That’s all it takes for the exploit to arrive in the system to execute the payload and install a piece of spyware. Other exploitations require just one click. As soon as a message is opened, the payload is executed.
Frightening, right? That’s why these threats show up in the mainstream media when they’re uncovered. But the good news is that these sorts of attacks aren’t very common at all, and the number of users targeted remains small. This has a lot to do with cost. Bounties for zero-click exploitations of Facebook Messenger or WhatsApp, for instance, range from $500,000 to $1.5 million. So if you are a random threat actor who creates your own banking trojan, you can likely make more money selling one of these exploits than using it.
There are exceptions, of course. If you are the NSO Group, for example, and you work for governments interested in cyber espionage with billions of dollars at your disposal, suddenly those costs are not that costly anymore. Media reports tell us that zero-click exploitations are the go-to method for deploying spyware, as this can be done remotely targeting journalists and activists around the world.
There is another threat that looks like spyware and acts like spyware, yet is a much greater risk to the average user: stalkerware.
In the past two years the volume of stalkerware we detect through telemetry has steadily increased. These apps have capabilities that include pinpointing a device’s exact location, reading SMS messages, taking pictures or videos, and recording conversations.
Of the 152 stalkerware packages we’ve detected since January of this year, three of them comprise 64% of our detections. And these three apps can be found in the Google Play store.
That doesn’t mean that Play store is the only place where you can find these sorts of apps. A large number of unsanctioned apps have to be “sideloaded” into a phone and offer even more spying capabilities. These must be found outside of official app stores. And there are apps on iOS, such as mLite, that offer similar tools.
We recently analyzed Android stalkerware to get a sense of the permissions they request. We found that 87% of these apps wanted access to the device’s photos and videos, while 86% wanted the ability to know a device’s location. The next most popular permissions sought would enable spying directly on a device owner. 79% of stalkerware apps want access to the camera and 72% seek the ability to record audio so they could, for instance, listen to a phone call.
Staying safe against mobile threats
So what can you do to make sure that one of your most trusted allies won’t be turned against you? Here are four steps you and your organization can take now to secure your mobile devices.
1. Review installed apps regularly.
Remove apps you don’t need. If these apps have been sideloaded, you can remove them after starting the device in safe mode.
2. Be wary of messages.
Resist clicking on unsolicited messages whenever possible and don’t click on links inside those messages. Be especially wary of apps pushed by unsolicited messages.
3. Keep your operating system and apps on the latest versions.
Vendors continually address security vulnerabilities as they’re found.
4. Conduct security awareness training.
Include mobile phone attack vector simulations as part of internal security training.