The Most Common Mobile Security Threats and How to Avoid Them

March 3, 2020 11:41 am Natasha Deeney

As technology continues to advance, it also paves the way for an increased number of mobile phone and smart technology scams. Cybercriminals are quick to adapt to any changes in the digital landscape and our increased usage of connected devices has provided the perfect opportunity for malicious hackers to target users.

A number of factors contribute to weak mobile phone security, but one of the top concerns is that phones are far more likely to be misplaced, lost or stolen than a desktop machine.

Knowledge is the most powerful weapon in the battle against scamming and it is more important than ever to be aware of common mobile security threats and how to avoid them.

Smishing

Smishing or SMS phishing is a common method of attack in which scammers target victims through text messaging. These text messages then prompt the recipient to click a link that will download malware or redirect the victim to a malicious website to harvest their sensitive information.

In recent years, smishing has grown in popularity, as it enables cybercriminals to lure text message recipients into revealing personal or financial information without having to break through the security defences of a computer or network. Typically, these messages contain a sense of urgency, threat or warning to try to get the recipient to take immediate action.

With the average person sending 15 texts per day, smishing offers a unique opportunity for malicious hackers to take advantage of victims who are often distracted or in a hurry. Research has also found that users are more likely to respond to a phishing attack on a mobile device than a desktop as people are less cautious with text messages than they are with standard phishing scams which are usually blocked by spam filters.

Malware apps

Application-based threats occur when users install apps that look legitimate but hide malware such as spyware, worms or trojans. Once installed, these apps can tamper with permission settings, steal personal and business information, or silently sign users up to premium subscription services without them realising.

For example, Skygofree, Android spyware disguised as an update that claims to improve mobile internet speed, has been found to execute 48 different remote commands, switch on the phone’s microphone, connect the device to Wi-Fi networks under the attackers’ control and collect personal information.

If a user takes the bait and installs the trojan, it displays a notification that setup is supposedly in progress, hides itself from the user and requests further instructions from its command-and-control server.

These apps are often simple, catchy and free of charge, which makes them appealing to many users and can result in millions of downloads.

With 24,000 malicious apps blocked from devices each day, and more employees using their own devices for work such as accessing corporate email and viewing documents, it is vital that staff understand the consequences a malicious app can have and how to avoid one.

Unsecured Wi-Fi

Research shows that 61% of organisations surveyed said employees connect company devices to public Wi-Fi networks when working outside the office, in places such as hotels, airports and cafes. Public Wi-Fi is common in many establishments; however, a captive audience of unprotected users on the same network also makes it easy for cybercriminals to distribute malicious software or intercept sensitive information.

Another risk of free public Wi-Fi is that users may unknowingly connect to a rogue hotspot: an open access point set up by a cybercriminal and given a name that mimics a legitimate one, such as “Free Airport Wi-Fi” or “Coffeehouse”, to lure people into connecting. Once a victim is connected, the attacker sits in the path of their traffic and can intercept data or even use tools to push malware to the connected device.

In some cases, users are requested to set up an account to access the spoof network, complete with a password. With two in three people reusing the same password for multiple platforms, fraudsters are then able to compromise the users’ email and other accounts.

For hackers, exploiting public Wi-Fi to collect data is cheap and simple, which explains why this attack method keeps growing.

Cryptography

Cryptography plays an especially important role in protecting the data an app stores and transmits. Broken cryptography occurs when developers use weak or outdated algorithms, or use a strong algorithm insecurely, for example by hashing passwords without a salt, hard-coding encryption keys into the app, or choosing insecure modes and parameters. A motivated attacker can then exploit these weaknesses to recover passwords and other secrets and gain access.
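To make the distinction between a weak algorithm and a strong algorithm used badly concrete, here is an added Python example (not code from the original article) showing three ways an app might store a password: an unsalted MD5 digest, PBKDF2 with a salt hard-coded into the app and a single iteration, and PBKDF2 with a per-user random salt and a high iteration count. The attacker side hashes a wordlist once and then matches stolen digests by lookup. The wordlist, the fixed salt value and the user passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: a handful of common passwords, standing in for the large
# wordlists attackers actually use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2020!"]


def store_md5(password: str) -> str:
    """Weak algorithm: a fast, unsalted hash. Every user with the same password
    gets the same digest, so one precomputed table cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


# Hypothetical hard-coded salt, the kind that ends up embedded in an app binary.
FIXED_SALT = b"example-app-salt"


def store_pbkdf2_fixed(password: str) -> str:
    """Strong algorithm used insecurely: PBKDF2, but with a salt shared by every
    user and a single iteration. Precomputation still works and each guess is
    still cheap."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), FIXED_SALT, 1).hex()


# Correct use: a random 16-byte salt per user and a high iteration count
# (600,000 is OWASP's current guidance for PBKDF2-HMAC-SHA256).
ITERATIONS = 600_000


def store_pbkdf2(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_pbkdf2(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison, so the check itself does not leak the digest byte by byte.
    return hmac.compare_digest(dk.hex(), dk_hex)


# Attacker side: hash the wordlist once per scheme, then match any number of
# stolen digests by dictionary lookup.
def precompute(store_fn) -> dict:
    return {store_fn(word): word for word in WORDLIST}


def crack(table: dict, stored: str):
    """Return the recovered password, or None if the digest is not in the table."""
    return table.get(stored)


def demo() -> dict:
    """Try the precomputed-table attack against each storage scheme."""
    results = {}
    for name, fn in (("md5", store_md5), ("pbkdf2_fixed", store_pbkdf2_fixed), ("pbkdf2", store_pbkdf2)):
        results[name] = crack(precompute(fn), fn("letmein"))
    return results


if __name__ == "__main__":
    print(demo())  # {'md5': 'letmein', 'pbkdf2_fixed': 'letmein', 'pbkdf2': None}
```

The table cracks both the MD5 and the fixed-salt PBKDF2 digests instantly, because every user's digest is a pure function of the password. The per-user random salt defeats that precomputation, but only that: an attacker who has stolen the salt alongside the digest can still guess passwords one user at a time, and the iteration count is what makes each of those guesses expensive. For new designs a memory-hard function such as scrypt (also in hashlib) or Argon2 raises the attacker's cost further than PBKDF2 does.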

The exploitation of broken cryptography can cause technical as well as business implications for organisations. While the technical impact includes unauthorised access and exposure of sensitive information from the device, business consequences could include information theft, reputational damage, privacy violations, and financial fines.

Session Handling

Improper session handling occurs when a session stays valid after the user has finished with the app, for example because the session token never expires or logging out does not invalidate it on the server. Apps often allow long-lived sessions to speed up the buying process; however, a token that is still valid can be captured and replayed, letting cybercriminals impersonate the user and perform actions on their behalf.

Depending on the targeted application, criminals can then transfer money from the user’s bank account, buy items on ecommerce websites, access detailed personal information to commit identity theft, steal clients’ personal data from company systems or demand a ransom payment.

One particular danger for organisations is that in single sign-on systems the hijacked session identifies an authenticated user to every application federated behind it. A successful session hijack can therefore give the fraudster access to multiple web applications, from financial systems to customer records and valuable intellectual property.
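As an added example (not code from the original article), the following Python contrasts the broken pattern, a server that honours a session token forever and whose “logout” only discards the token on the client, with a store that enforces an idle timeout and an absolute lifetime on every request, revokes the token server-side on logout, and rotates it after login. The user names, the timeout values and the injected fake clock are assumptions made for the demonstration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap on a session's lifetime, however active it is


class NaiveSessionStore:
    """The broken pattern: a token, once issued, is honoured indefinitely, and
    "logout" only discards it on the client while the server keeps accepting it."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def resolve(self, token: str):
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        pass  # nothing is revoked server-side


class SessionStore:
    """Hardened pattern: unguessable tokens, idle and absolute expiry enforced on
    every request, server-side revocation on logout, and rotation after login."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str):
        """Return the user bound to the token, or None if the session is unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["created"] > ABSOLUTE_TIMEOUT or now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def rotate(self, token: str):
        """Issue a fresh token for the same user and kill the old one. Do this after
        authentication so a token set before login cannot be fixated by an attacker."""
        user = self.resolve(token)
        if user is None:
            return None
        self.logout(token)
        return self.create(user)


class FakeClock:
    """Constructed clock for the demonstration; real code uses time.time."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Leave both stores idle for 20 minutes, then log out, and see what each still accepts."""
    clock = FakeClock()
    naive, hardened = NaiveSessionStore(), SessionStore(clock)
    t_naive, t_hard = naive.create("alice"), hardened.create("alice")
    clock.advance(20 * 60)
    results = {"naive_after_idle": naive.resolve(t_naive),
               "hardened_after_idle": hardened.resolve(t_hard)}
    t_naive, t_hard = naive.create("alice"), hardened.create("alice")
    naive.logout(t_naive)
    hardened.logout(t_hard)
    results["naive_after_logout"] = naive.resolve(t_naive)
    results["hardened_after_logout"] = hardened.resolve(t_hard)
    return results


if __name__ == "__main__":
    print(demo())
```

The naive store still returns “alice” for a token that has been idle for twenty minutes and for one the user has logged out of; the hardened store returns None in both cases. The absolute timeout is the part that addresses the “keep the session long to speed up buying” trade-off: steady activity keeps a session alive for the working day, but a captured token cannot be replayed indefinitely.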

How to secure your mobile device

  • Be wary of text messages requesting personal or financial information. Do not use the link in the message; go directly to the company’s website to verify the claim.
  • If you must get on public Wi-Fi, use a VPN for more security, which also has the added benefits of masking your IP address and location, in addition to encrypting and securing your traffic. Additionally, turn off the Bluetooth setting on your devices when not in use.
  • Avoid the storage of any sensitive data on a mobile device.
  • Use a strong password or passcode combined with biometric features, such as a fingerprint reader, for increased security.
  • Install a trusted antivirus solution. If you do happen to download a malicious app or open a malicious attachment, mobile anti-malware protection can prevent the infection.
  • Your mobile device firmware might also be vulnerable to security threats. Ensure you have downloaded the latest updates, which often include security patches for your device.
  • Use HTTPS so that all session traffic is protected by TLS. The lock icon in the browser’s address bar shows that the connection is encrypted and that the certificate matches the domain shown; it does not show that the site itself is reputable, since phishing sites obtain certificates too, so also check that the domain is the one you expect. Do this whenever you enter personal data such as your address or payment details, or send email from your mobile browser.

Employees represent the biggest threat to an organisation’s security, so it’s vital they are equipped with the necessary skills to prevent a cyber-attack. MetaLearning Fusion is the next generation of eLearning and it’s been specifically designed to provide the best possible Cyber Security and Privacy training for your staff. Organisations can build bespoke courses for their staff from an extensive library of short eLearning courses. 

Get in touch for further information on how MetaLearning can be used to transform Cyber Security training within your organisation.