Safeguarding your data by protecting your computers? Great. Don’t forget the one in your pocket that you make calls on. Cellphone cybercrime figures increase every month. And that’s really no surprise.
The Cellphone As a Target
Some cyberattacks are targeted at a specific individual or company. The victim is selected because they are a high-value target to the threat actors. High value most often means rich financial gains for the threat actors. But sometimes their goal is to exfiltrate sensitive or private documents, intellectual property, or industrial secrets. Occasionally, the entire motive is to cause trouble for the victim. Hacktivists, for example, will try to destroy the victim’s IT systems and information. They want to cause operational and reputational damage to the victim. High value doesn’t always mean money.
Often the attackers are sophisticated organised crime cyber groups or state-sponsored advanced persistent threat groups (APTs). Many of the attacks they launch are against knowledgeable, well-defended targets, and are very difficult to accomplish. They require significant financial backing, top-tier technical skills, a lot of manpower, and operational guidance and control.
The recent attack on FireEye is a case in point. The attack was so sophisticated that investigators believe the perpetrators are a state-sponsored APT. The value, in this case, was stealing the software tools that FireEye uses to probe its customers’ cyber defenses.
By contrast, other cyberattacks try to snare as many victims as possible. No individual target is singled out. The threat actors are playing a numbers game. The more shots at goal they have the more often they’ll score. So it is inevitable that their attention has turned to cellphones. The numbers are staggering.
With that size of a target, it is inevitable that cybercriminals are using and developing attacks to compromise cellphones and monetize their efforts.
Apps and Data Leaks
Cellphones can run apps. It’s one of their biggest attractions. They’re easy to install and the majority are free. Unfortunately, they can be a cause of data leakage. The developers of the apps need to make money. If they are not charging for the app, you have to ask yourself how they are funding development.
The answer is probably by selling information about you, such as your phone and app usage statistics, your contacts, communications, browsing habits, geographical location, your installed apps, and more. The worst examples of these apps will also capture login credentials and passwords for websites you visit, VPNs that you use, and so on.
Riskware is the name used for free apps that offer to do something entertaining or useful—and actually deliver on that promise—but secretly siphon off information and send it back to the app publishers to be sold to advertisers or criminals. Riskware is different from a cellphone becoming infected with covert malware. With riskware, the owner of the cellphone chooses to install the app and is aware that it is going to be added to their device.
With the steady blurring that is happening between people’s personal digital lives and their corporate digital lives, most users will be able to get their personal and their business email on the same phone, and it is common for people to juggle multiple inboxes on the same device, often in a blended view. Riskware, or other more malicious apps, will happily harvest data whether it is personal or corporate.
Staff who haven’t been issued with a corporate cellphone will have a private cellphone, and they’ll bring it to their place of work and want to connect to the Wi-Fi. Personal cellphones should be relegated to the guest Wi-Fi or to another Wi-Fi segment set up for employees’ personal devices. They must not be allowed to connect to the main network.
To govern which apps can be installed onto corporate devices you can use mobile device management (MDM) software. This allows you to establish allow lists and deny lists of apps, to track the location of stolen cellphones, and to remotely wipe them if required.
MDM systems can block known bad apps and query unknown apps. Once vetted, the apps are either permitted or blocked. The hard part is to do this in a way that doesn’t overwhelm technical staff and that doesn’t grate on your users. A centralized management system and clear guidance provided when the cellphone is allocated will help on both fronts.
Choose Your Phone Brand Carefully
The well-documented ban prohibiting US federal contracts from being awarded to Huawei and several other Chinese companies is based on suspicions that the Chinese government could—using provisions in China’s 2017 National Intelligence Law—coerce manufacturers to plant backdoors and other spycraft mechanisms into their products.
That may be a clear and present threat, but government-sanctioned backdoors aren’t the only type of built-in snooping techniques that can find their way into devices right at the factory. A recent case saw four Chinese nationals involved with Chinese budget cellphone manufacturer Gionee sentenced for doing just that. It wasn’t motivated by loyalty to the state—or from fear of reprisals for not complying with government orders—it was a simple case of financial gain.
Xu Li, the legal representative of Gionee subsidiary Shenzhen Zhipu Technology, colluded with Zhu Ying, the deputy general manager of Beijing Baice Technology, and two of Beijing Baice’s software developers to install a trojanized version of the Story Lock Screen app. It downloaded and installed a powerful software development kit (SDK) that allowed them to control the cellphones once they were infected. Over 20 million cellphones were compromised in this way.
There is no evidence that Gionee was aware or involved. It appears to have been a supply chain attack perpetrated by insiders in the supply chain. In just under a year the two companies made over USD 4.25 million by sending adverts to the cellphones. Being the victim of adware is bad enough, but the same techniques could be used to deploy more insidious strains of malware such as keystroke loggers and other spyware.
Smishing
Phishing attacks are fraudulent emails that masquerade as emails from well-known organizations. They are designed to coerce the recipient into performing some action to the benefit of the threat actors. Usually, this means opening an attachment or clicking a link. The aim might be to infect the victim’s computer with malware or to try to harvest login credentials.
Smishing attacks are phishing attacks delivered by SMS message instead of email. This delivery method has several advantages for the threat actors:
- They don’t need to dress the message in the colors, fonts, and other trappings of corporate livery to make it look convincing.
- People expect SMS messages to be short and sweet. They don’t expect to be told the entire story in the SMS. It is commonplace to click a link in an SMS to learn more and to get the finer detail.
- People will more readily overlook poor grammar and misspellings in an SMS message. We’re all used to predictive text mishaps and while this shouldn’t happen in a corporate SMS message, that conditioning makes us more forgiving with that type of error than we would be in a corporate email.
- In the space-restricted world of SMS messages, shortened URLs are the norm. And shortened URLs can be used to hide the real destination of the link.
- It is easy to fake—or spoof—the number that sent an SMS message. If you receive an SMS from a telephone number that matches a contact in your address book, your cellphone will believe that is who sent it. The SMS messages will be identified as having come from that contact and it will be placed in the conversation list for that contact, alongside all of the genuine messages from that contact. All of that adds to the illusion that the message is genuine.
End-point protection suites usually have clients for cellphones, and these will go some way toward preventing malware installations. The most effective defense, of course, is to train your staff to be aware of smishing, to recognize the fraudulent messages, and to delete them.
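As an added example (not from the article), a small Python heuristic that applies the message-level indicators listed above to constructed sample texts: shortened URLs, links to bare IP addresses, look-alike domains for a hypothetical brand, and pressure wording sitting next to a link. The shortener set, the `acmebank` / `acmebank.example` brand mapping and the sample messages are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample data: public URL shorteners often seen in SMS, and one
# hypothetical brand with its genuine domain (neither list is from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "cutt.ly"}
KNOWN_BRANDS = {"acmebank": "acmebank.example"}   # brand token -> genuine domain
URGENCY = ("verify", "immediately", "suspended", "locked", "urgent", "confirm now")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.IGNORECASE)

def link_hosts(text: str) -> list[str]:
    """Return the lower-cased hostnames of every link in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlparse(url).hostname or "").rstrip(".,;:!?")
        if host:
            hosts.append(host.lower())
    return hosts

def smishing_indicators(text: str) -> list[str]:
    """Explain why a message looks like smishing; an empty list means nothing was flagged."""
    flags = []
    hosts = link_hosts(text)
    for host in hosts:
        if host in SHORTENERS:
            flags.append(f"shortened URL hides the real destination: {host}")
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            flags.append(f"link points at a bare IP address: {host}")
        else:
            # Brand name present in the host (hyphens/dots removed) but not under its real domain
            squashed = host.replace("-", "").replace(".", "")
            for brand, genuine in KNOWN_BRANDS.items():
                if brand in squashed and host != genuine and not host.endswith("." + genuine):
                    flags.append(f"look-alike domain impersonating {brand}: {host}")
    pressure = [w for w in URGENCY if w in text.lower()]
    if hosts and pressure:
        flags.append("pressure wording next to a link: " + ", ".join(pressure))
    return flags

# Constructed sample messages, not real traffic.
SAMPLES = [
    "Your parcel could not be delivered. Reschedule here: https://bit.ly/3abcXYZ",
    "AcmeBank: your account is locked. Verify immediately at http://acme-bank-secure.example/login",
    "AcmeBank: your monthly statement is ready at https://online.acmebank.example",
    "Running 10 min late, order me a coffee?",
]
```

Note that a spoofed sender number leaves no trace in the message body, so this kind of check catches only the link and wording indicators; that is why the article puts staff training first.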
Loss of Devices
Losing a cellphone puts a tremendous amount of information about the owner of the phone at risk. If the phone has a poor password or PIN it won’t take long for the threat actors to discover it. PINs based on significant dates are a poor choice. Clues to the dates can often be found in your social media posts.
Using a strong password or PIN and turning on encryption are good measures to protect the data—both personal and corporate—inside your cellphone. Installing or configuring tracking options is a good idea so that you can see the location of the device. This can aid recovery.
If you have added a Google account to your cellphone, Google’s Find My Device should be turned on automatically. Apple has a similar service called Find My iPhone. A third-party centralized system might better suit some corporate needs.
The ultimate sanction is to remotely wipe the device. This requires Mobile Device Management (MDM) software. You may already have some available to you. If your company uses Microsoft 365, for example, basic MDM is provided for you.
You don’t need to lose your device to lose control over it. When you buy a new cellphone you can transfer the existing number to the new device and activate that as your current ‘live’ handset.
If scammers can gather some information about you they can ring your cellphone provider and have your number transferred to a handset that is under their control, in a sting called SIM swapping. To make the transition to your new cellphone as smooth as possible, both Apple and Google will download copies of all your apps, settings, and data to the new handset. Unfortunately, it is under the control of the threat actors.
A variant on this is to use social engineering techniques to obtain a (say) 5G SIM card for the victim’s cellphone number, either online or at an outlet. The threat actor then calls the victim and pretends to be from the victim’s cellphone provider informing them of a free upgrade to 5G. They tell them that an upgrade code will shortly follow. They then text the victim the activation code that came with the fraudulently acquired 5G SIM card. When the victim activates the service it doesn’t upgrade their old 4G SIM. Instead, it ceases the service to it and activates the new 5G SIM. The threat actors have effectively cloned your cellphone.
These are targeted attacks. The victims have something on their cellphones that makes the effort worthwhile. The most famous cases of these have targeted cryptocurrency traders or individuals with high-value cryptocurrency accounts. Swapping the SIMs allows their digital wallets to be accessed. Individual losses have amounted to tens of millions of dollars.
Public Wi-Fi and Network Spoofing
Cellphones and other mobile devices are great because of their portable nature, and because they let us get online wherever there is a Wi-Fi connection that we can join. But you need to be careful when you are on public Wi-Fi. Everyone who is using that Wi-Fi is on the same network, and the threat actors can use a laptop and some network packet capture and analysis software to snoop on what your cellphone is sending and receiving. So what you might have thought was private is not private at all.
You shouldn’t use public Wi-Fi if you are going to need to enter a password to log in to one of your sites or to check your email. Don’t do anything sensitive like online banking or using PayPal or any other payment platform. Don’t do anything that will reveal any of your personally identifiable information. Checking the sports scores or catching up on the news is fine. If you’re doing anything else, you should always use a Virtual Private Network (VPN). A VPN sends your data down a private encrypted tunnel making it impossible for threat actors to see.
For a couple of hundred dollars, threat actors can buy portable devices that act as Wi-Fi access points (WAPs). They’ll set up camp in a coffee shop or other public space, and configure their dummy WAP to have a name similar to the genuine free Wi-Fi connection.
Unsuspecting victims—usually those in a rush—will connect to the threat actor’s bogus Wi-Fi instead of the genuine free Wi-Fi. The threat actor’s Wi-Fi is connected to the genuine Wi-Fi so the victim does get online, but everything that the victim types is captured by the threat actor’s device. A VPN will keep you safe in this circumstance too.
A reputable VPN is a must if you are going to be using public Wi-Fi for anything other than the most mundane web browsing. Of course, if you have a really high data quota in your cellphone package you might not need to join a public Wi-Fi at all.
And while we’re talking about public spaces, avoid publicly shared cellphone charge points. If they have been compromised they can inject malicious code into your cellphone.
It’s a Computer, So Patch It
The modern cellphone is a computer in your pocket that you happen to be able to make calls on. It has an operating system, it runs apps, and you should have some sort of end-point protection suite running on it. All of these should be the current versions and kept patched up to date.
This can be more of a challenge with Android cellphones than with other devices. Different handset manufacturers blend their own integrations into vanilla Android before distributing it. Samsung, HTC, Sony, and others all provide their own modifications to Android. This slows down the release of Android patches because the patch has to be released to the manufacturers from Google, and then embellished by the third-party manufacturers before it is released to the end users.
Don’t Forget the Users
Adopt good business practices such as app vetting, deploying encryption, and Mobile Device Management. Provide guidance to your staff so that they know the basic cyber-hygiene for cellphone usage. Tell your employees to:
- Use strong PINs, passwords, or fingerprint recognition.
- Always use a VPN on public Wi-Fi.
- Turn off Bluetooth and Wi-Fi when you’re not using them.
- Be careful what apps you download. Research them first.
- Turn on backups.
- Avoid public cellphone charge points. Carry a booster battery instead.