by Pat M. | Security Administrator/Educator | DIYsecurityTips site owner
Mobile devices are used as much if not more than laptops or PC’s. The constant development of mobile applications makes us even more dependent on our devices, especially if we are on are working on the go. We all rely on our devices for so much like banking, email, texting, and more.
These are also attack vectors for malicious actors. Just like the traditional computer operating system, a mobile device is a plentiful target for a threat actor. Some ways an attacker can drop malware into your device is through:
1. Application downloads through a non-verified, third-party app store
This can be an app store other than an official one that comes with your device. For instance, an official app store would be Google Play Store, Samsung App store, or Apple App Store. Some app stores to avoid are Tencent and aptoide. These don’t hold the same privacy & security standards as the official app stores and have been known to allow downloading of malicious apps.
2. Smishing or SMS phishing
Most of us know what phishing is; an email intended to coerce a victim to click on a link, download an attachment, or call a number. This then leads to an account compromise, malware download, or other negative action against the victim.
Smishing is very similar except it is sent through SMS messaging. For example, a text may lead you to believe it was sent from your bank. The sender’s phone number may be a short number instead of a standard length phone number; this wouldn’t seem unbelievable because texts from establishments like a bank will frequently use a short sending number.
The text may not include your name but it may say something like “purchase made for $300.00, if this wasn’t you; please contact the fraud department through this link.” The link will most likely be a “tinyurl.” A tinyurl link is a full web page link that has been essentially shrunk down to a small URL. This is done to decrease the characters of the URL in order to send it via text easier.
This also masks the rest of URL, which in this case is malicious. It is difficult for the victim to determine what the full URL is and if it’s safe to visit or not.
3. Wireless attacks
Your Bluetooth technology is handy for transferring small files, listening to music, and connecting to your friend’s devices. Attackers however, love using Bluetooth as an attack vector. If you keep your mobile device’s Bluetooth signal on, you are broadcasting to all nearby devices that your device is ready to connect to something.
Attackers are looking out for those signals especially in areas with high traffic like clubs, bars, and coffee shops. If there is no Bluetooth authentication enabled then an attacker can easily send you malware from 50 feet away. Mobile malware can be configured to capture contacts, texts, app history, photos, and much more.
NFC or near field communication is used by mobile devices for extremely close contactless payment transactions. A common use of this is to use an Apple or Google wallet to pay for things at vendors using their contactless payment scanner.
If you leave your phone unattended for any reason, it is very easy for an attacker to walk up to your device, touch it with his/hers and drop malware right onto your device. Yes, NFC can be convenient but it is also very dangerous if you leave your device unprotected.
There are things you can do however, to protect yourself from mobile device threats:
-Only download apps from official app stores and make sure the apps are developed by trusted companies.
-Be very observant whenever receiving a text from someone you don’t know or from a short phone number. Always question the text and if you need to, verify the text by logging into your account from a different device or from a source other than that text. For example, don’t follow the link in the text, rather log in from the specific app (or web page) for the referenced account and see if there are any alerts.
-Leave your device’s Bluetooth service turned off if you aren’t using it. Be mindful of your surrounding when it is turned on, especially if you are in public. Turn off NFC if you aren’t using it and make sure you maintain device accountability.
With the knowledge of some common mobile device attacks and countermeasures, you can now be prepared for these threats. Always remember, attackers are smart and will exploit seemingly harmless features in your devices. If you take the extra time to verify any messages or check your settings, you can’t go wrong and you will only be building good security habits.
About the Author
My Name is Pat M. I am the lead writer and owner for DIYsecurityTips.com. This is a website dedicated to the security awareness education of tech users. I hold a bachelor’s degree in cyber security and networks from University of Maryland Global Campus, Security+ce and GSEC certifications, and work as the Security Administrator for a Tribal Government.
Currently I am studying for advanced certifications focused on offensive cyber operations through SANS Technology Institute. When I’m not writing or working, I enjoy learning about cyber attacker methods, tools, and processes, spending time with my wife, and gaming. I also like to brush up on the basics of computing, learning new cyber tools, and completing CTF labs with TryHackMe.com. I am also extremely passionate about security and wants everyone to learn how to protect their data, maintain their privacy, and use safe security methods. This is a subject I love and I hope you can learn something!
I can be reached online at email@example.com, on LinkedIn, and at our company website diysecuritytips.com