How smartphones have become one of the largest attack surfaces

Kevin Townsend 11 Jun 2020

Our smartphone has become an extension of our person, making it a clear attack vector for scammers and hackers

The mobile phone is a logical extension of the physical person: we all have one. We organize our lives by it, from keeping fit to managing finances. It is invaluable. But in parallel with the benefits come increasing threats.

The Mobile Landscape

Since the advent of the smartphone, our mobile device has become integral to everyday life. It provides access to friends and colleagues, controls our smart home devices, delivers online shopping, and provides online banking — all from anywhere and at any time. In 2019, nearly 75% of people in the UK used their mobile devices for online banking. In March 2020, Juniper Research predicted that digital banking in the U.S. would grow by 54% between now and 2024, as millennials and other younger consumers abandon traditional banking for digital and online banking.

With so much of our activity -- and all our digital credentials -- stored on these devices, it is little wonder that mobile phones are being both used and targeted in more cybercrime year on year. According to data from Sift, over 50% of online fraud now involves Android or iOS devices.

Threats to mobile phones

The Verizon 2020 Mobile Security Index report separates the mobile threat into four basic categories: users; apps and software; the device; and the networks to which they connect. We’ll follow that sequence in discussing some of the threats.

User threats

Users are the first line of defense for any device, and a device is no more secure than its user's knowledge, vigilance and security tooling. Phishing is the oldest, least technical and most persistent threat online, and continues to be the most common attack type. While many users are becoming more savvy to phishing attacks, thanks to resources like the Avast Academy, mobile users are being targeted more frequently and with greater sophistication.

Most traditional phishing campaigns take place over email, with fraudulent messages posing as legitimate organizations to obtain sensitive data from victims; but mobile devices allow many more vectors. Email attacks are still prominent, but users can also receive malicious texts, phone calls and even fraudulent advertising (a form of malvertising) in apps and web pages. According to data supplied by Lookout, almost half of the users who clicked one phishing link went on to click phishing links six or more times. Despite the age of the threat, phishing continues to be effective.

Phishing scams can affect us even when we’re not the direct victims. A Florida town lost nearly $750,000 to a phishing scam when a scammer posed as a contractor and asked the local government to update some payment details, resulting in city funds being sent to the scammer. Even more recently, the government of Puerto Rico lost $2.6 million after falling prey to a phishing email, effectively stealing that money from taxpayers. Mobile phones are often used to initiate large-scale scams because the fraudster can pretend to be traveling and therefore difficult to contact for verification.

URL obfuscation attacks often form a component of phishing campaigns and can be a mobile threat in their own right. It is often harder to verify the legitimacy of a given link or URL on a mobile device than on a laptop or desktop. Mobile browsers typically show only part of a long URL in the address bar and do not surface security indicators as clearly as desktop browsers, and links sent via SMS can be obfuscated by a variety of techniques. URL obfuscation can be as simple as replacing the top-level domain of an address or switching similar-looking characters (like '0' for 'o', 'cl' for 'd', etc.).

A more sophisticated form of this attack is known as a homograph attack. This is where one or more of the characters in a domain name have been substituted for foreign look-alike characters -- for example, the Greek Tau (τ) instead of the normal 't'. Thus, criminals could register (for illustration only) microsofτ.com and develop it as a malicious site. The user would very easily believe the link is to the genuine
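The checks a practitioner would run on a suspicious link, as an added example that is not part of the original article: it flags a DNS label that mixes scripts (the homograph case, using the microsofτ.com illustration above), shows the Punycode form that the browser actually resolves, and collapses the digit and letter-pair substitutions mentioned earlier ('0' for 'o', 'cl' for 'd') into an ASCII "skeleton" that is compared against a list of protected brands. The brand list and the confusable tables are assumptions constructed for the demo; the Unicode confusables.txt file is the exhaustive source for the latter.

```python
import unicodedata

# Constructed brand list for the demo; a real deployment would use the
# organisation's own domains plus the high-value third-party brands it cares about.
KNOWN_BRANDS = ["microsoft.com", "paypal.com", "cloudflare.com"]

# Single look-alike characters mapped to the ASCII letter they imitate (subset
# chosen for the demo; Unicode's confusables.txt is the exhaustive list).
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u03c4": "t",   # Greek small tau, as in microsofτ.com
    "\u03bf": "o",   # Greek small omicron
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small ie
    "\u043e": "o",   # Cyrillic small o
    "\u0440": "p",   # Cyrillic small er
    "\u0441": "c",   # Cyrillic small es
}
# Letter pairs that read as a single letter in many fonts.
CONFUSABLE_PAIRS = {"cl": "d", "rn": "m", "vv": "w"}


def char_script(ch: str) -> str:
    """Script of a letter ('LATIN', 'GREEK', 'CYRILLIC', ...) taken from its
    Unicode name; digits, hyphens and dots belong to no script ('COMMON')."""
    name = unicodedata.name(ch, "")
    if "LETTER" in name:
        return name.split(" ", 1)[0]
    return "COMMON"


def label_scripts(label: str) -> set:
    return {char_script(c) for c in label} - {"COMMON"}


def is_mixed_script(hostname: str) -> bool:
    """True if any DNS label mixes letters from more than one script, which is
    the signature of a homograph domain: a genuine brand name is single-script."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def to_ascii(hostname: str) -> str:
    """IDNA (Punycode) form of an internationalised hostname. The xn-- form is
    what is actually resolved and makes the substitution visible."""
    return hostname.encode("idna").decode("ascii")


def skeleton(hostname: str) -> str:
    """Collapse a hostname to the ASCII string it visually resembles."""
    s = "".join(CONFUSABLE_CHARS.get(c, c) for c in hostname.lower())
    for pair, single in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, single)
    return s


def looks_like(hostname: str, brands=KNOWN_BRANDS):
    """Return the brand a hostname impersonates, or None if it is either the
    genuine domain or resembles no brand on the list."""
    for brand in brands:
        if hostname.lower() != brand and skeleton(hostname) == skeleton(brand):
            return brand
    return None


if __name__ == "__main__":
    for host in ["microsofτ.com", "micros0ft.com", "paypa1.com",
                 "c1oudflare.com", "microsoft.com"]:
        print(f"{host:16} mixed-script={is_mixed_script(host)!s:5} "
              f"idna={to_ascii(host):24} impersonates={looks_like(host)}")
```

The script check and the skeleton check are complementary: micros0ft.com is pure ASCII and passes the mixed-script test, but its skeleton matches the brand; microsofτ.com fails both. Neither check proves a link is safe, only that it is not a crude look-alike.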

Mobile users frequently accept app permissions without reading them in detail. This can allow fraudulent apps to use the device’s camera to spy on the user, or record inputs such as login details and banking credentials. This is not always the fault of inattentive users; some mobile malware is able to overlay harmless-looking permission prompts over real ones, making users believe they’re agreeing to something innocent while actually permitting an app to access all files on the device or read sensitive data.

App threats

It is difficult to keep track of how many smartphones are in use around the world, but one estimate in 2018 suggested 2.3 billion Android smartphones. Other estimates have suggested there may be 100 million of these infected with malware. There are fewer iOS phones, but both sets of users are persistently attacked through the apps they use. 

A common form of attack is through malicious or weaponized apps. These are most often introduced via sideloading, when the user installs an app from a source other than the official app store. In many cases, the lure is a free 'cracked' version of a commercial product; or it could be a purpose-built app that pretends to be a game or source of adult entertainment (porn-related) but contains malware.

One 2019 example of sideloading involved the Agent Smith malware, delivered as a dropper downloaded from a third-party app store owned by China's Alibaba; once installed, it replaced legitimately installed apps, including WhatsApp, with infected versions. Twenty-five million Android phones are believed to have been infected with Agent Smith, up to 15 million of them in India, but also more than 300,000 in the U.S. and 137,000 in the UK.

However, malicious apps can also be found on official stores. In March 2020, security researchers found 56 malware-infected apps on Google Play Store that had been downloaded more than 1 million times. Twenty-four of the apps were targeting children.

Malicious apps are also becoming more damaging. Some mobile ransomware doesn't simply lock files stored locally, but also those in the user's cloud storage, such as Google Drive. Doxware, which doesn't just lock data but threatens to publish personal files online, is also increasing. A surprisingly high proportion of people take intimate pictures of themselves with their mobile devices to share with romantic partners; a 2014 survey found that 90% of young millennial women had taken intimate photos on their phone. Publication of these can be intensely embarrassing and lead to online abuse. A picture's EXIF metadata may also hold the GPS coordinates of where it was taken, which could endanger personal safety if published.
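How a practitioner would check a photo for the embedded location block and strip it before the file leaves the phone or cloud folder, as an added example that is not from the original article. The GPS data lives in a sub-IFD of the EXIF block inside the JPEG's APP1 segment, reached through tag 0x8825 in IFD0; the code below walks the JPEG marker segments with the standard library only, reports which GPS tags are present, and writes a copy with all APP1..APP15 and COM segments removed while keeping the pixel data byte-for-byte. The sample JPEG is constructed inline for the demo (a valid segment layout, not a decodable image).

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
EXIF_PREFIX = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825   # IFD0 entry that points at the GPS sub-IFD


def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for each JPEG marker segment,
    stopping at SOS (entropy-coded image data follows) or EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI carries no length field
            yield marker, b"", pos, pos + 2
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        if marker == SOS:
            return
        pos = end


def find_gps_tags(data: bytes) -> list:
    """Tag IDs present in the EXIF GPS IFD, or [] if the file has no GPS block.
    Only IFD0 and the GPS pointer are parsed; byte order comes from the TIFF header."""
    for marker, payload, _, _ in iter_segments(data):
        if marker != 0xE1 or not payload.startswith(EXIF_PREFIX):
            continue
        tiff = payload[len(EXIF_PREFIX):]
        e = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        (n_entries,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
        for i in range(n_entries):
            off = ifd0 + 2 + 12 * i
            tag, _type, _count, value = struct.unpack(e + "HHII", tiff[off:off + 12])
            if tag == GPS_IFD_TAG:               # value is the offset of the GPS IFD
                (n_gps,) = struct.unpack(e + "H", tiff[value:value + 2])
                return [struct.unpack(e + "H", tiff[value + 2 + 12 * j:value + 4 + 12 * j])[0]
                        for j in range(n_gps)]
    return []


def strip_metadata(data: bytes) -> bytes:
    """Copy of a JPEG without its APP1..APP15 and COM segments (EXIF, XMP, IPTC,
    comments). APP0/JFIF and everything from SOS onward are kept verbatim."""
    out = bytearray(SOI)
    tail_from = len(data)
    for marker, _payload, start, end in iter_segments(data):
        if marker in (SOS, 0xD9):                # image data or EOI: copy the rest as-is
            tail_from = start
            break
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue
        out += data[start:end]
    out += data[tail_from:]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed JPEG shell (not a decodable image): JFIF APP0, then an EXIF
    APP1 whose IFD0 points at a GPS IFD holding the latitude/longitude reference tags."""
    tiff_header = b"II" + struct.pack("<HI", 0x2A, 8)       # little-endian, IFD0 at offset 8
    gps_ifd_offset = 8 + 2 + 12 + 4                         # IFD0 = count + one entry + next-IFD
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_ifd_offset)
            + struct.pack("<I", 0))
    gps_ifd = (struct.pack("<H", 2)
               + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"   # GPSLatitudeRef
               + struct.pack("<HHI", 0x0003, 2, 2) + b"E\x00\x00\x00"   # GPSLongitudeRef
               + struct.pack("<I", 0))
    exif = EXIF_PREFIX + tiff_header + ifd0 + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    jfif = b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    sos = b"\xff\xda" + struct.pack(">H", 2)                # empty SOS header (constructed)
    return SOI + app0 + app1 + sos + b"\x12\x34\x56" + EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS tags before:", [hex(t) for t in find_gps_tags(sample)])
    cleaned = strip_metadata(sample)
    print("GPS tags after: ", find_gps_tags(cleaned), "| bytes removed:", len(sample) - len(cleaned))
```

Many messaging services strip EXIF on upload, but a file shared as an original attachment, from a synced cloud folder or as a backup keeps it, which is why the strip belongs at the point of sharing rather than being left to the platform.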

Stalkerware – which is generally installed by a ‘trusted’ partner to spy on a person’s location and friends – is also growing. This shows not only the diversity of threats to mobile phones, but also the diversity of threat sources.

Device threats

SIM-swapping is a serious threat that has doubled every year since 2016. The criminal contacts the victim's mobile carrier and persuades it to transfer the victim's phone number to a SIM card the criminal controls ("I've had to buy a new phone, here are the details, please transfer my phone number"). Until it is resolved, the criminal receives all calls and SMS messages meant for the victim, including any one-time codes sent by SMS for two-factor authentication. It is unfortunately very easy, and even Twitter CEO Jack Dorsey has been a victim.

While most attacks don't need direct physical access to a device, having that access can be an easy and effective way to compromise a target. Juice jacking is a colorfully-named method of device intrusion in which attackers replace or modify publicly accessible USB charging stations or cables. A USB connection carries data as well as power, so the compromised charger can then attempt to push malware onto, or pull data from, the phone plugged into it.

None of these innovative attacks are necessary if an attacker can get hold of our phone – and this can be as simple as picking it up when we forget or lose it. In London, over 25,000 mobile devices were lost on public transport between 2017 and 2018, and an average of 23,000 Android devices are lost or stolen each month. Four percent of Android users will lose their device at least once, so opportunist thieves are likely to have regular opportunities to acquire devices and potentially all the information on them.

Network threats

Our mobile devices are, by definition, IoT devices, and often used as IoT control hubs. We need to treat them with the same consideration we give our other IoT devices because their loss can lead to the abuse of every smart device controlled via the phone. 

Man-in-the-Middle – or MitM attacks – are often executed through public Wi-Fi hotspots, whether legitimate networks have been compromised or fraudulent hotspots have been set up specifically for malicious purposes. Statistics suggest that 7% of mobile devices may experience a MitM attack every year. We need to treat every external Wi-Fi connection (cafes, hotels, airports and so on) with caution.

Protecting ourselves

Most, but not all, mobile threats originate through social engineering where the attacker persuades the user to do what the attacker wants rather than what the user should do. Technology cannot stop you doing what you choose to do to your own phone. In protecting yourself, the primary defense is your own awareness of the threat. We have discussed some of these threats, but by no means all of them. Maintain constant awareness through vigilance and learning.

Not all threats come via social engineering. In 2019, a buffer overflow in WhatsApp's voice-calling code allowed users to be infected remotely by a single call, which the user did not even need to answer. Where awareness cannot prevent the infection, technology can help: keep the operating system and apps updated so that bugs like this are closed as soon as a fix ships, and run a mainstream anti-malware product on the phone.

And finally, do not forget to encrypt your data wherever possible.
