Elderly Scam / Fraud Alert
Security experts have consistently cautioned consumers about protecting their computers from hackers. Now, the same warnings are being issued over smartphones. With more people using their phones to shop, bank, and conduct other types of business, hackers are finding a treasure trove of personal information on mobile phones.
“I always think of phones as like our digital soul,” said Patrick Wardle, a security expert and former researcher with the National Security Agency (NSA).
Hackers look through text messages, contact lists, and photographs, and will even track the phone owner’s location and turn on video and the microphone in an attempt to steal private data from the phone.
Trojan malware infections on mobile phones are increasing significantly, according to Nokia’s 2020 Threat Intelligence Report. The report showed that Android devices have been hit hardest, with 26 percent of infections across all platforms, while Apple’s iPhone infections were reported at less than 1 percent. The report found that most ransomware attacks on Android phones were caused by users downloading applications offered by online forums and random websites.
Security experts point to the COVID-19 pandemic as a major reason behind the increase in malware attacks on mobile phones. For one, people were using their mobile devices more as they sheltered in place and worked from home.
The Nokia report noted that people eased up on safe-browsing practices during the early days of the pandemic. So, hackers took advantage of that by disguising phishing sites (sites that look legitimate but are set up to steal a person’s private information and data) and ransomware applications as sources of legitimate COVID-19 information.
U.S. Senator Angus King (I-Maine), a member of the Senate Intelligence Committee, said he received some simple advice in a security staff meeting this year on how to keep his smartphone secure: Turn it off and then turn it back on. Repeat at least once a week.
Security experts say that turning off the phone makes it harder for hackers to gain access to the phone again.
Hackers Use Zero-Click Method
Hackers can gain access to a phone by asking the user to download an application containing malware or by sending a malicious link to click. Now, hackers can place malware on a phone without the user having to click on a link, a method called “zero-click.”
“There’s been this evolution away from having a target click on a dodgy link,” Bill Marczak, a senior researcher at Citizen Lab, an internet civil rights watchdog at the University of Toronto, told the Associated Press (AP).
But, the “zero-click” malware requires a phone to stay on in order for the malware to continue working. When the phone is turned off and back on, the hack disappears and the hacker has to repeat the process.
Rebooting a phone does not ensure that hackers won’t try to steal information again. But, security experts say it can make them work harder to gain access to the phone.
“This is all about imposing a cost on these malicious actors,” Neal Ziring, technical director of the NSA’s cybersecurity directorate, told the AP. By bolstering smartphones with more security features that block malware from core operating systems, phone manufacturers, such as Apple and Google, are making it more difficult for crooks to hack into phones, Ziring said.
Apple recently updated its iPhone after fixing a flaw that allowed hackers to install Pegasus spyware on phones without users having to click on a link.
An investigation found that the software, made by NSO Group, a cybersecurity company based in Israel, was on the phones of 37 human rights activists, journalists, business executives, and others.
Facebook filed a lawsuit against NSO Group for allegedly targeting about 1,400 users of Facebook’s WhatsApp, an encrypted messaging service. Marczak said the WhatsApp users would see an incoming call for a few rings before the spyware was installed.
NSA Best Practices Guide
Due to the increase in smartphone hacking reports, the NSA put together a “best practices” guide for mobile phone device security. The NSA advises phone owners to:
- Use strong lock-screen PINs/passwords: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect password attempts. Set the device to lock automatically after 5 minutes.
- Disable Bluetooth when you are not using it.
- Maintain physical control of the phone.
- Consider using a protective case that drowns the microphone to block room audio. Cover the camera when not using it.
- Install a minimal number of applications and only ones from official application stores. Be cautious of the personal data entered into applications.
- Update the device software and applications as soon as possible.
- Consider using biometrics (such as fingerprint or face authentication).
- Only use original charging cords and charging accessories purchased from a trusted manufacturer. Do not use public USB charging stations.
The NSA also warns against connecting to public Wi-Fi networks or having sensitive conversations (via text messages) on personal devices, even if you think the content is generic.
No Guarantees That Hackers Won’t Return
Implementing the NSA practices will not completely guarantee that your phone will never get hacked. Regardless, King says he reboots his phone on a regular basis after learning about the safety practices.
“I’d say probably once a week, whenever I think of it,” he said.
Marczak said hackers are determined to steal information and once you reboot, they could simply send another zero-click.
The NSA’s guide also acknowledges that rebooting a phone works only sometimes. But, the guide mentions one way that almost always prevents a mobile device from getting hacked: Do not carry the device with you.