It is reported that over 83% of the worlds population own a smartphone now, and users nearly doubling since 2017. With the rise in global ownership, the swathes of personal data stored on them and often lackadaisical attitude toward the potential security risks they are becoming a major target for hackers and cybercriminals.
Here are the top five security threats to mobile phones:
1. Malware:
Just like laptops and PCs, there is a subset of malware that is created to target mobiles phones operating systems and exploit the vulnerabilities found on them. Some of the main tools used to target mobile phones are ransomware, spyware, and fake applications (designed to mirror banks, social media, cryptocurrency etc containing code to steal data and logins from the victims)
2. Phishing:
A rapidly growing threat is the use of phishing to target mobile phones by sending texts (also known as smishing), instant messaging or calling pretending to be a legitimate business that would lead them to provide sensitive information or payments to the bad actor. Common examples of this include the Royal Mail / Post Office texting to request a small fee to release/deliver a parcel or schedule redelivery. Some of these texts can be viewed here on the Royal Mail website.
3. Network spoofing:
Taking advantage of our connectivity needs while moving around, cybercriminals will set up their own network which mirror the WiFi’s SSID (name) nearby to known public networks such as shops, restaurants, bars, hotels, libraries, or transport hubs.
These trick people into connecting to them with the belief they are safe networks owned by trusted organisations. From here they can carry out Man In The Middle attacks where all data transferred to and from your device is captured by the bad actor, edited / stored, then sent on to its final destination. They may also use the login portal pages to request personal and sensitive data which normally wouldn’t be required to access the internet.
4. Data exfiltration:
A common theme across most attacks are their roots in trying to access images, documents, credentials, contacts, location data and application databases that the bad actors can quickly build up a profile that can be used to facilitate further attacks such as identity theft.
There are even forensic techniques that can allow access to encrypted data, applications such as Whatsapp which tout their end to end encryption have tools available online that extract and decrypt the message databases even without having root access to the device.
5. SimJacking:
After collecting enough personal information about a target through the above methods, social engineering, or purchases on the dark web bad actors can initiate further attacks such as SimJacking. They will call a phone provider and impersonate the target, once passed security they will request the phone number be ported to a new sim card they control.
Any Multi Factor Authentication text messages or calls sent when trying to log in or transferring money can be approved by themselves, circumventing any interaction with the victim.