“Mobile Phones can’t get hacked” – an unfortunate myth that has led some not to take mobile security seriously. The threats that face mobile are more diverse than the ones that apply to PCs. As these dangers can be entirely different, it’s important to account for threats in new ways. On top of the common threats that face PCs, mobile devices can be susceptible to a number of additional vulnerabilities. In this article, we cover the five most common types of mobile security threats and scams to watch out for.
Application-based: What if your apps are secretly leaking company information?
Threats that face applications tend to be few and far between, but they are not non-existent. iPhone and Android both meticulously scan the apps admitted to their app store, but what happens if some slip through? In 2019, 18 malware apps snuck onto the app store. Plus, applications downloaded from a 3rd party site directly will not even be screened. These types of threats can skim data from a device without the user knowing, so we cannot safely trust that all applications are safe. Some examples of application-based threats include:
- Malicious Applications: Applications classified as malware, spyware, etc.
- Vulnerable Applications Installed: Applications that have unpatched exploits that could allow unauthorized users to access the device and data.
- Application Data Leakage: Data – Such as credit card details, contact info, location details, passwords, and other information that falls into the hands of a third party through an application.
- Third Party App Store Installations: Applications downloaded from the internet, instead of a native app store which has its own security in place.
Web-based: Can malicious actors trick users into giving them their passwords?
Like many of the threats that concern PC users, web-based security threats apply to mobile, too. By visiting a website that seems fine at first glance, mobile users could end up downloading malicious content, often without even noticing. Some of the most common web-based mobile threats include:
- Phishing/Smishing Attacks: An attempt to trick a user into typing in their credentials into a fake site posing as a real one.
- Malware Network Traffic: Instances where an application or website is submitting rogue traffic requests in order to infiltrate a device or its data.
- Cryptojacking Websites: Websites that secretly mine for Crypto coins while on their website.
- Dangerous HTTPS Certificates: Falsely certifies that a website is encrypted in order to give visitors a false sense of security.
- Web Data Leakage: Data leaked through online sites or applications.
Network-based: Is company information being stolen on public connections?
You may have heard a broad warning that connecting to public networks is unsafe. That caution is warranted, and often refers to man-in-the-middle attacks, where someone inserts their own skimming device between your device and the public network. In these scenarios, important information transmitted over a public network can be stolen.
An end user might think it is safe to connect to a seemingly-safe free public Wi-Fi, but that is exactly what malicious actors are banking on. They can set up a temporary network with the same name to intercept the user’s data, and unsuspecting victims have no way of determining if the connection is safe before connecting to it. The main network-based threat is man-in-the-middle attacks through risky network connections, but those threats can manifest in a lot of different ways.
- Wi-Fi eavesdropping: All web activity is logged and stolen.
- ARP Cache Poisoning: Similar to Wi-Fi eavesdropping, but done by intercepting data in motion.
- DNS Spoofing: Redirects users to unexpected URLs, often for phishing.
- HTTPS Spoofing: Tricks users into believing a site is secured by HTTPS, when it is not actually.
- Session Hijacking: Steals login tokens for a malicious actor’s own use. These are especially nefarious as they will not trigger MFA prompts or suspicious login notifications.
- Email Hijacking: Allows a window into a user’s emails so bad actors can hand-tailor targeted phishing by directly copying legitimate emails.
Device-based: Is the company vulnerable if a device is stolen?
Beyond application, network, and website mobile threats, there is an often overlooked but obvious vulnerability – device-based threats. If lost or stolen, devices and any data on them could be accessible to whoever picks it up. There is also a possibility of the device being purposely infected with malware or other malicious software. When it comes to device-based threats, it’s important to watch out for:
- Physical Device Theft: Without a complex passcode and/or remote wipe capability, lost or stolen devices could be accessed or reused by unauthorized parties.
- Viruses: If not protected natively (security minded OS), corporate mobile devices could be susceptible to viruses from networks, websites, applications, or even direct transfers.
- Rooting or full OS compromise: With the right knowledge and tools, malicious actors could compromise devices to control them and access data.
- Third Party Keyboard: If installed, all keyboard inputs are recorded and sent to a malicious actor.
User-based: Are you at risk if an employee goes rogue?
Last but not least, the final mobile threat involves protecting the user and the business from themselves. Users can accidentally or intentionally create vulnerabilities that could lead to major issues if undetected and/or unresolved. One of the most common user-based threats comes from poor password protocol. Every company has employees that keep passwords in notes apps or worse – on a sticky note. Addressing passwords will tackle a major attack vector, but mitigating risky user actions can be more complex. Here are some examples of user-based mobile threats:
- Compromised passwords: Without a password manager, or at the very least, a guideline for password usage, employees could create easy passwords, use the same password for multiple logins, and more. This makes them susceptible to brute force and other attacks.
- User Data Leakage: Visiting websites, sharing information, or being careless with company data could cause sensitive information to end up in the wrong hands.
- Spoofing and Call Phishing: Without proper education on the subject, users could fall for spoofing or phishing scams.
- SIM Swaps: Malicious actors can port a phone number to a new device, allowing them to access all of the user’s accounts and data. This can cause even more damage since having access to the device helps them get around multi factor authentication on other user accounts.
Bottom line
Despite there being multiple examples of mobile security threats in recent years, many people still believe that mobile devices aren’t as vulnerable as PC’s. But the truth is that mobile devices are equally, if not, more vulnerable to threats and scams. There are a number of very real threats and scams that can affect mobile devices, so if you want to keep your employees and company safe, consider securing your mobile devices the same way you secure your PC’s.