Your Phone is a Goldmine for Cybercriminals

Mobile devices are the new frontier for cybersecurity. As one of the pioneers of the personal cybersecurity industry, Rubica is often positioned to see cybercrime tsunamis coming from a distance. And this time it’s coming for your phone. Here’s what is driving our prediction of a rise in the hacking, compromising, and targeting of smartphones:

  • Your phone is part of you. Let’s face it. We are on our phones all the time. And we basically do everything from our phones: web browsing, social media, video streaming, work email, personal email, photo sharing/taking, banking, sensitive phone calls, booking travel, playing games, texting, mapping our location, calling ride shares, calendaring events... you get the idea. If there was ever a crown jewel twinkling in the eye of a cybercriminal, it’s your phone.
  • Inherent design. As astutely pointed out in the 2019 Data Breach Investigations Report by researcher Arun Vishwanath, the very design of mobile devices inhibits our ability to verify the legitimacy of a website or link, or to tell whether content is malicious. This is due to: (1) limited screen sizes, (2) the requirement to toggle between pages rather than viewing them side by side, (3) the inability to view certain website SSL certificates in mobile browsers, and (4) limitations on the visibility of email header information.
  • Distracted while web-driving. The mobile user experience is set up for making quick decisions. We are presented with prompts and GUIs for taking action (accept, reply, send), which fosters a “click-without-thinking” environment. Top it off with the reality that most of us are walking, talking, driving, or multitasking in some way when interacting with our phones, which means we are less likely to carefully scrutinize incoming information or popups.

Hiding in plain sight:

Historically, smartphones (particularly iPhones) have been difficult to infect with traditional malware. But what about the malware you download willingly from your favorite app store? Malware often hides in plain sight, disguised as legitimate apps, games or software, and is even available in the official app stores, waiting for unsuspecting users to download it. When you download these programs and “accept” their terms and conditions, you are voluntarily (albeit unwittingly) giving these malicious programs access to read, write, modify and steal data from your phone. For example, in our study on the dangers lurking in free mobile apps for kids, we found apps with the ability to:

  • send data to foreign/blacklisted servers
  • send email and modify calendar events without user knowledge
  • collect precise GPS location for no apparent legitimate purpose for the app’s function

In just a small sample of 20 popular apps and 62 secondary apps from the official Google and Apple stores, we found that 1 out of 3 of these apps gained invasive permissions and inappropriate access to data on mobile phones.

Why Care About App Permissions

Many apps need access to certain data in order to function.  For example, rideshare apps and mapping apps collect GPS location for the legitimate function of the service.  But this same permission can be used maliciously if in the wrong hands.  With access to your GPS location at all times, a bad actor could track your behavioral patterns and details of your life – where you work, where your kids go to school, where you stop on the way home, where you shop, whether you smoke, go to the gym, or gamble.

So, although there are harmless uses for device permissions, liberal permissions can also be used to surreptitiously download malware or steal account login information. Two relatively common app permissions are “retrieve list of running apps” (see what other apps you have installed and running on your device) and “display over other apps” (the ability for this app to interrupt and appear on top of other apps). Many harmless and legitimate apps use these abilities for their core functionality. But these powers can also be used nefariously; for example, to see that you are running a certain banking app and pop up a fake login window over the top of the real app. It’s not just about which permissions you grant; it’s about who you give the permissions to. Before you download that next app, ask yourself “why would a weather app need access to my email?” and “why would a puzzle game need my precise GPS location and access to my call logs?”
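The question above can be asked mechanically. The following is an added example, not Rubica’s tooling: it parses a permission listing in the text style printed by Android’s `aapt dump permissions` (format assumed), then flags the running-apps-plus-overlay combination and sensitive permissions that do not fit the app’s category. The category table and both sample apps are constructed for illustration.

```python
import re

# Android permission names behind the labels discussed above.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"   # "display over other apps"
RUNNING_APPS = {"android.permission.GET_TASKS",      # "retrieve running apps"
                "android.permission.PACKAGE_USAGE_STATS"}  # usage access
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.WRITE_CALENDAR": "modify calendar events",
}
# Assumption: hypothetical policy table of what each app category plausibly needs.
EXPECTED = {"maps": {"android.permission.ACCESS_FINE_LOCATION"}, "game": set()}

# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Extract the package name and requested permissions from the listing."""
    pkg = re.search(r"^package:\s*(\S+)", dump, re.M)
    return (pkg.group(1) if pkg else "unknown"), set(PERM_RE.findall(dump))

def audit(dump, category):
    """Return (package, findings) for one app, given its store category."""
    pkg, perms = parse_permissions(dump)
    findings = []
    if OVERLAY in perms and perms & RUNNING_APPS:
        findings.append("can see running apps and draw over them (fake-login overlay risk)")
    for perm, label in SENSITIVE.items():
        if perm in perms and perm not in EXPECTED.get(category, set()):
            findings.append(f"{label} not expected for a {category} app")
    return pkg, findings

# Constructed sample input, not taken from any real app.
PUZZLE = """package: com.example.puzzle
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
"""
MAPS = """package: com.example.maps
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    for dump, category in ((PUZZLE, "game"), (MAPS, "maps")):
        pkg, findings = audit(dump, category)
        print(pkg, "->", findings or "nothing flagged")
```

The same location permission is flagged for the puzzle game and passed for the maps app, which is the point of the paragraph above: the finding depends on who is asking, not only on what is asked.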

You Deserve Privacy, For Your Own Security

Eliminating these potentially harmful apps (PHAs) is a game of whack-a-mole and the app stores are in a tough spot.  It’s not illegal or a violation of store policies for an app to access email, or GPS, or any other data.  Just like it’s not illegal to sell a kitchen knife, even though that knife can be used to hurt someone.

This is the problem with “greyware”: it’s not black or white, or a per se violation of the rules. It finds a loophole in our system and exploits it to evade policing. This is what cybercriminals do best: use our own habits, systems, and blind trust against us.

And before you start becoming apathetic about your data and privacy, remember: data itself is valuable.  If an organization can infect millions of American devices, and learn about their behavior – where they go, what they do, and when – that’s powerful information that can be used to not only predict behavior, but to influence it.