Monday 7 December 2020

Tips From a Hacker to Keep Smartphones Safe – Security Boulevard

We can do many things using our mobile devices: hail a taxi, book a hotel, send and receive money, purchase goods online or in-store, chat and share media files, control other devices (such as door locks or security cameras) and more. But there is another side to the equation: all these conveniences create a huge attack surface. An attack can come from anywhere: the local network, a device connected via Bluetooth or USB cable, a malicious app on the phone itself, or a remote exploit of a vulnerability. Cybercriminals can even use your smartphone’s own speaker: a malicious application can play voice commands to your Google Assistant.

To better understand these risks, let’s first look at how mobile apps work. A mobile application consists of two basic parts: a client-side application you interact with (what you see on your Android or iOS device) and a server-side application that runs remotely, usually behind a web server. The client communicates with the server over HTTP, ideally protected by TLS (HTTPS), just as your browser does. By default, the mobile operating system sandboxes each app, so apps cannot share memory or private storage with one another. However, some complex apps, such as photo editors, messaging or social networking apps, need to communicate with other apps on the device or gain access to your files, camera or text messages. These have a wider attack surface.

At Positive Technologies, we work to find vulnerabilities in legitimate apps that can be exploited by criminals and consider different ways smartphone users can be attacked.

The most common way mobile users are attacked is through trojans hidden in apps. Victims unknowingly download these malicious apps themselves and grant them access to text messages and other apps and functions.

If you install one of these trojan-laced apps, attackers can spy on you through your camera and microphone and access your contacts, text messages and other stored data. Trojans can not only collect private data silently but also overlay a fake copy of your banking app’s interface to steal money and login details, and even install further malicious apps. They often trick victims into granting every permission they need: a trojan posing as, for example, “Virus Cleaner” can claim that it needs dangerous permissions to deliver the features it promises.

But even without broad permissions, some malicious apps can cause great damage. If you are running an outdated version of the mobile operating system, there may be known security bugs that malware can exploit silently to gain system privileges, which would let it steal everything stored on the phone, including logins, passwords and banking data. Rooting or jailbreaking your phone opens the same attack scenario, because system privileges then become available to any application that asks for them.

Many of us like to check social networking apps and messengers while sitting in a cafe, and many work remotely from mobile devices. But what if the Wi-Fi router at the coffee house has been hacked? Our statistics show that 43% of mobile banking applications are not protected against this scenario. On an untrusted internet connection, everything your apps send and receive without proper encryption and certificate checking is at risk of being read or even modified by attackers: logins, passwords, banking information, messages and more.

Smartphone manufacturers do their best to protect your device when it is lost or stolen, but there are still tricks attackers can use to make a buck. Even if your smartphone is locked, they can read the notifications shown on the lock screen (which can contain one-time passwords, for example while resetting an account). They can connect the phone to a computer with a USB cable to try to extract data, or talk to Siri or Google Assistant from the lock screen to make calls and send messages.

But what if attackers can actually unlock your stolen or lost smartphone? The simplest way is to grab an unlocked phone out of someone’s hand; this trick was used by the Metropolitan Police to download data from a smartphone. With an unlocked device, attackers can run applications, back up the device to a computer and gain access to stored data such as contacts, web browser history, photos and other files.

But perhaps the most dangerous attacks are truly remote: the attacker has no physical access to your phone and does not need you to install malware. Specially crafted links sent to your mobile browser or messenger can be enough to gain a foothold on your phone. According to our research, 36% of mobile banking apps can be attacked this way.

In some cases, simply having a vulnerable app installed is enough. These “zero-click” attacks require no action from the user. For example, a WhatsApp zero-click bug discovered last year allowed criminals to install malware on a phone through the voice call feature.

Recommendations

So what can you do to keep your mobile device safe? Here are some simple rules, tips and tricks.

First, install applications only from trusted sources such as Google Play or the Apple App Store. On Apple devices, avoid installing apps offered through a link in Safari (these bypass the App Store by using enterprise or developer provisioning), and on Android don’t download APK files (application packages with a .apk extension) from websites. Applications distributed outside the official app stores are far more likely to be malicious. Using official app stores won’t guarantee that you avoid mobile trojans altogether, but it dramatically lowers the chances. Even in legitimate app stores, be wary of apps with names like “Super Battery,” “Turbo Browser” or “Virus Cleaner 2019.”

Next, think about which permissions you grant to the applications you install or run. For example, a game probably does not need access to your microphone, location or text messages. Here is a partial list of dangerous permissions commonly requested by trojans:

  • Contacts.
  • Microphone.
  • Read SMS [Android only].
  • Device Admin [Android only].
  • Draw over other apps [Android only].
  • Accessibility services (features for users with disabilities) [Android only].

On some Android versions, apps installed from Google Play receive the “Draw over other apps” permission automatically, without a prompt. An application with this permission may display its own windows on top of other apps. Attackers abuse it for fake login screens and for a technique called “tapjacking”: an invisible or misleading overlay captures the taps you think you are making on the visible app and passes them to an underlying app you cannot see, which can trick you into approving a permission or a payment. You can revoke this permission after installing an app under Settings -> Apps -> (the app) -> Draw over other apps; the exact path varies by Android version and vendor.
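How an analyst checks for these permissions in practice, as an added example (not code from the article or from Positive Technologies): the script below triages a decoded AndroidManifest.xml, such as the output of apktool, for the capabilities in the list above, including the “Draw over other apps” permission (SYSTEM_ALERT_WINDOW) and the device-admin and accessibility components, which are declared on a component rather than as a permission request. The manifest it runs on is constructed for the demo and describes a fictitious “Virus Cleaner” app; the permission identifiers are the real Android names, while the risk descriptions and the banking-trojan heuristic are this example’s own.

```python
"""Triage a decoded AndroidManifest.xml for the permissions and components
that mobile trojans rely on: SMS access, microphone, contacts, overlays
("Draw over other apps"), device admin and accessibility services.

Added example for this article; the sample manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# <uses-permission> entries the user is asked to grant, and what a trojan
# does with each one (descriptions are this example's own wording).
DANGEROUS_USES_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "harvest contacts for spam and phishing",
    "android.permission.RECORD_AUDIO": "eavesdrop through the microphone",
    "android.permission.READ_SMS": "read one-time passwords from stored SMS",
    "android.permission.RECEIVE_SMS": "intercept one-time passwords as they arrive",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps: tapjacking, fake login screens",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further malicious apps",
}

# Capabilities declared on a component, not via <uses-permission>: a
# device-admin <receiver> or an accessibility <service> is guarded by a
# system 'bind' permission, so the presence of that attribute is the tell.
DANGEROUS_COMPONENT_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin: lock or wipe the device, resist uninstall",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: read the screen, inject taps",
}


def triage_manifest(manifest_xml: str) -> list:
    """Return (identifier, why_it_matters) pairs for every risky capability found."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ATTR_NAME)
        if name in DANGEROUS_USES_PERMISSIONS:
            findings.append((name, DANGEROUS_USES_PERMISSIONS[name]))
    for tag in ("service", "receiver"):
        for elem in root.iter(tag):
            perm = elem.get(ATTR_PERMISSION)
            if perm in DANGEROUS_COMPONENT_PERMISSIONS:
                findings.append((perm, DANGEROUS_COMPONENT_PERMISSIONS[perm]))
    return findings


def looks_like_banking_trojan(findings) -> bool:
    """Heuristic (this example's own, not an official rule): an overlay capability
    combined with a way to read OTPs or drive the UI is the banking-trojan
    profile the article describes."""
    ids = {identifier for identifier, _ in findings}
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in ids
    otp_or_ui = ids & {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    }
    return overlay and bool(otp_or_ui)


# Constructed manifest for a fictitious "Virus Cleaner" app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viruscleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Virus Cleaner">
        <service android:name=".CleanerService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    results = triage_manifest(SAMPLE_MANIFEST)
    for identifier, reason in results:
        print(f"{identifier}: {reason}")
    print("banking-trojan profile:", looks_like_banking_trojan(results))
```

Run against a real decoded manifest, the same function simply takes the file’s contents instead of SAMPLE_MANIFEST. A legitimate app may still hold one of these entries (a messaging app needs RECEIVE_SMS, a screen reader needs the accessibility binding); the combination, weighed against what the app claims to do, is what matters.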

Cryptographic certificates are used to verify applications before installation and to establish a secure (TLS) connection between an app and its server. Sometimes you have to decide manually whether to trust a certificate: for example, when you visit a website that uses a self-signed certificate, or when you install an app through Safari and iOS asks you to trust its developer profile. Your employer may require you to install a certificate on your device so that corporate network monitoring can inspect traffic. But criminals can use the same mechanism to run malware on your device or to intercept the traffic of apps that do not pin their server certificates. Don’t install untrusted certificates on the device. To keep criminals from seeing the data travelling to and from your device, avoid untrusted Wi-Fi connections, such as those in public places. You can also significantly lower your risk from mobile malware and remote attackers by installing operating system and application updates in a timely manner.

When you leave your device unattended, anyone nearby can read a banking one-time password from a notification on your lock screen. Disabling lock-screen notifications, or hiding their content, protects you in this scenario.

In addition to not clicking suspicious links in your mobile browser, avoid untrusted links in other mobile apps as well: some vulnerabilities can be exploited through links received in messengers, email and many other kinds of apps. Enable two-factor authentication for every app that offers it. Requiring a one-time password in addition to your regular login and password means a stolen password alone is not enough to take over the account. This is also worth doing for accounts you access from your computer.

There are many ways your phone and other mobile devices can be hacked. But with the right information and tactics, you can thwart many of the most common attacks.


The post Tips From a Hacker to Keep Smartphones Safe – Security Boulevard appeared first on abangtech.



source https://abangtech.com/tips-from-a-hacker-to-keep-smartphones-safe-security-boulevard/
