The night before I was to give a eulogy at my mother’s memorial service, I was smished.
As someone who regularly writes about cybersecurity, I’m not usually duped by a cybercriminal’s tricks. But I was in a highly emotional state and not thinking clearly when the text arrived, appearing to be from my bank. “Someone has attempted to log in to your account,” the message warned, and provided a link for me to click and verify my identity.
I clicked the link.
A legit-looking, mobile-optimized web page appeared, asking me to enter my debit card’s PIN as a form of verification. Still not thinking clearly, I entered my PIN. When I didn’t receive an SMS in return, informing me that my identity had been verified, I finally realized I’d been scammed.
In the subsequent heart-pounding minutes, I called my bank and changed my PIN, user ID and passcode. Fortunately, after months of close monitoring, I’ve not found anything amiss in my accounts — though I received three follow-up smishing messages, which I ignored.
Smishing — phishing attacks delivered via SMS — is one of the cybersecurity threats gaining traction in our increasingly mobile-first world. In 2018, 49 percent of respondents to Proofpoint’s State of the Phish report said they experienced either smishing or vishing (voice phishing) attacks, up slightly from 45 percent in 2017. Meanwhile, mobile malware incidents increased 550 percent in 2018, according to McAfee’s 2019 Mobile Threat Report.
Why are attacks on mobile users growing? Because too often, they work.
“Most of us check email first on our smartphones these days,” said Chet Wisniewski, principal research scientist for security software developer Sophos. “Criminals know this and hope you’re not paying the same kind of attention to security that you would on a desktop or laptop. They know they may be catching you at a moment when you’re distracted or in a rush.”
At the same time, mobile browsers and email apps often don’t enable you to easily verify a link before you click it. Plus, users are relying more on mobile devices for work because the devices are becoming more powerful and sophisticated and sport bigger screens. Mobile devices also store a huge amount of information about us — and the companies we work for — that attackers seek to exploit.
7 mobile security threats you might not know about — with tips for combatting them
Smishing attacks are of particular and growing concern because they’re platform-agnostic, equally impacting iOS and Android users, Wisniewski said. “Social engineering attacks don’t care which brand of phone you use.”
Although cybersecurity professionals are usually aware of smishing attacks, many smartphone users aren’t. And therein lies a challenge for CISOs and cybersecurity professionals, given the rise in attacks. According to Verizon’s 2019 Mobile Security Index, 85 percent of phishing attacks seen on mobile devices occur outside of email — e.g., in text messaging. “While many organizations have filtering in place to block email-based attacks, far fewer have similar protection in place” to guard against phishing attacks that occur outside of email, the report notes.
That’s beginning to change, however. In the past year or so, Mobile Threat Defense (MTD) vendors have added protections against mobile phishing to their software, notes Patrick Hevesi, Senior Research Analyst on the Security, Identity and Risk team at Gartner. MTD vendors with smishing protections include Lookout, Symantec, Zimperium, Wandera and McAfee.
Training employees to recognize and report smishing attacks is crucial but uncommon, Hevesi says. “Most organizations give their employees some level of email phishing training, but most don’t offer much in terms of mobile security training,” he adds.
Periodically conducting simulated smishing attacks with employees can help, just as sending fake phishing emails to users can help them learn how to spot the scams, notes security education organization Social Engineer, Inc.
2. SMS messages designed to get you to download scammy apps
You probably know that apps available outside the Google and Apple app stores can be dicey at best. What you might not realize is that criminals may try to trick you into downloading their malware apps in clever ways — such as sending you a text message.
For example, Android-based malware TimpDoor became a top mobile backdoor malware family in 2018, according to McAfee’s 2019 Mobile Threat Report. The threat starts “with text messages informing users that they have voice messages to review,” the report explains. “The included link to a voice-player app provides detailed instructions to enable apps from unknown sources. Clicking on the link installs a fake voice-messaging application that displays two messages. None of the buttons or icons work except the ones which play the included audio files.”
TimpDoor runs in the background and uses the device as an entry point to internal networks, McAfee reports. The threat is likely to evolve into “ad click fraud, distributed denial-of-service attacks, and sending spam and phishing emails.”
As with smishing, training users to spot and report scammy text messages is the first line of defense, along with mobile security apps that can scan devices and configurations for anomalous connections.
3. Flashlight apps (and other data-stealing apps)
Malicious apps that attempt to access the data on your phone are a significant threat, especially in the Google Play store. Third-party flashlight apps are a frequently cited example. Even though iPhones and Android phones ship with flashlight functions, free third-party flashlight apps offer additional features such as flashing strobe lights. The problem is, some of these apps in the Google Play store ask for an absurd number of permissions.
“One Android flashlight app developer turned on every single possible permission so that the app could stay on while the phone is off, listen to phone calls, log your location, and access your contacts,” said Hevesi. “A flashlight app should only be allowed to access your camera’s flash.”
Hevesi recommends training users to carefully consider the permissions any downloaded app requests and deny any that seem excessive or unnecessary.
Wisniewski advises caution before downloading any free app, unless it’s from a developer you know and trust (such as Microsoft, which offers free apps like To Do and OneNote) a free app that offers legitimate in-app purchases. “Developers need to monetize their apps somehow, so they’ll often create free apps like flashlight apps that secretly collect information about you and sell it to third parties,” he explained. “You may have even given them the permission to do so if you accepted the licensing agreement without reading it, as most people do.”
Related: The top 5 mobile security threats
Fleeceware apps, a term Sophos says it coined, are free (or low-cost) Android apps that provide simple functionality, such as barcode and QR code scanning. But, unbeknownst to you, the app regularly charges you large sums of money.
While you may have been led to believe the app is free, a fleeceware app in reality only gives you a short free trial, exploiting the Google Play store’s free trials feature, Wisniewski explained. Once the trial ends, you may be charged hundreds of dollars (or Euros). For example, users who downloaded a particular Android GIF maker app and who forgot to cancel their subscriptions after the free trial were charged about $240. “On your credit card statement, the charge appears to be coming from Google,” which may lead some to believe the charge is legitimate.
Most of the fleeceware apps have been removed from Google’s app store, while a few that got through Apple’s app gatekeepers were quickly removed, Wisniewski said. Nonetheless, fleeceware is yet another reason for mobile users to be vigilant about the apps they download from developers they don’t know. Also, read the app’s reviews carefully before downloading — and especially before giving an app developer your credit card to charge after a free trial ends.
5. Hidden ads
Android apps that display hidden ads are becoming a more prevalent risk, said Armando Orozco, Malwarebytes’ mobile malware analyst. “Without being overtly malicious, hidden adware components can be installed and run without your knowledge while providing a steady stream of income to bad actors,” he says. “They typically come bundled in fake or repackaged apps to appear legit or in very similar copies of legitimate apps.”
Here again, teaching users to closely scrutinize apps before installing them helps. In addition, many security apps for Android and iOS can locate and remove adware and malware.
6. SIM hijacking
Also known as SIM swapping or SIM hacking, SIM hijacking is when an attacker, through social engineering or other tactics, is able to switch your mobile phone number to a SIM card he possesses. Once the attacker controls your phone number, he can intercept two-factor authentication codes sent by text message, which in turn may enable him to access your email, banking, and other accounts. SIM swapping is also used to gain access to a victim’s digital currency accounts, the FBI warns.
To minimize the risks, contact your wireless service provider and set up a PIN, secret word, or another form of additional verification, advised Alex Heid, chief R&D officer for cybersecurity rating platform SecurityScorecard.
To be extra cautious, obtain a separate, private phone number that you only use for bank accounts and other financial institutions, Heid says. “Your public phone number that’s distributed to friends, family, business associates, social networks, and consumer services will be the first thing attackers will try to use if you’re targeted for a SIM swap,” he explains. “If you have a second, private phone number known only to you and your financial institutions, the likelihood of an attacker gaining access to your accounts through this method is reduced significantly.”
So-called surveillanceware is designed to capture and transmit sensitive user information such as SMS messages, voicemails or audio recordings of phone conversations. For example, cybersecurity firm Lookout says that in 2019 it discovered “Monokle,” a sophisticated set of custom Android surveillanceware tools developed by Russia-based Special Technology Centre, Ltd., a company the U.S. government sanctioned in connection to interference in the 2016 U.S. presidential election.
Monokle compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrates the information, said Bob Stevens, vice president of Americas for Lookout. “Monokle is a great example of the larger trend of nation-states developing sophisticated mobile malware.”
We’re only human…
You and your organization can reduce mobile device risks by staying current on the latest, emerging threats; frequently training employees to recognize and avoid untrustworthy apps and links; enforcing the use of VPNs when connecting to public Wi-Fi networks; requiring the use of a password manager app/service; updating mobile devices regularly; and using Mobile Threat Defense and Mobile Device Management tools.
But as I learned, even people who are usually savvy about cybersecurity can have a vulnerable moment and lower their guard. There’s no way to completely eradicate that risk — it’s called “being human.”