Mobile Cyber Security Threats [2021]

Is it possible to hack a smartphone that contains an electronic copy of our lives? To answer this question, I turned to a real hacker with experience in the work with mobile platforms. Based on the information received, I created a detailed guide about protecting against mobile threats, which I filled with the most useful information on the topic of hacking smartphones and tablets.

Mobile platforms have become so deeply integrated into our life that in some ways they make the biggest part of it. If 10 years ago it was an exaggeration to say so, today there are areas of human activity that are no longer possible without mobile devices.

Even desktop users can no longer access some apps without a smartphone. A smartphone can be compared to an electronic key from our digital world.

• Do we pay enough attention to the security and protection of this key?
• Do we realistically assess the danger when we install an app from an unsafe source and allow it access to the gallery, camera, microphone, and important system features?
• How do hackers attack smartphones?.
• What can they steal?
• How do intelligence agencies and cybercriminals track users?
• How to protect yourself from surveillance?
• What are the rules for the safe use of smartphones and tablets?
• Why are legacy mobile devices unsafe?

I will cover these and other topics in my detailed article about mobile vulnerability.

My name is Dean Chester. For over 10 years, I have been configuring and testing technologies that increase security and anonymity on the Internet - VPN, traffic monitoring systems, anti-spy, data protection, and more.

I will also share the information I received from an experienced hacker who recently worked on the "dark side". He calls himself Irbis and has a wealth of knowledge on Android devices.

Some statistics

The situation with mobile malware in 2021 is quite intense. There are some changes related to self-isolation and the spread of remote working, but in general, there is a tendency towards an increase in the proportion of dangerous AdWare that uses technologies borrowed from banking and spyware Trojans.

Check Point estimates that 59% of IT professionals don’t use mobile threat protection. Most organizations still have no mobile security solutions that can detect common threats: mobile malware, fake or malicious apps, MitM attacks, and vulnerabilities.

Let me give you a comparison of the shares of different types of malicious mobile apps for 2020 and 2019 from securelist.com (Kaspersky).

Image source - securelist.com

Distribution of detected mobile apps by type (2019)

Image source - securelist.com

As you can see, over the past year, the share of AdWare has increased significantly. The share of Trojans has declined. But this doesn’t mean that the danger has decreased. On the contrary, previously harmless apps designed to display aggressive advertisements and spoof search engine results are using technologies typical of serious and very dangerous Trojans. Many of these AdWare exploit vulnerabilities in Android or other apps and gain super-user (root) privileges.

According to Irbis, such malware (and rooted AdWare rooted is malware) cannot be removed even with a factory reset. Read more about this below.

The geography of the spread of mobile threats has changed slightly. Significant changes include an increase in the number of malicious apps in China and a decrease in South America and the United States.

You can learn more about the Kaspersky report here.

I would like to point out that most often, experts researching threats to mobile devices provide data on Android devices. But that doesn't mean that Apple users are safe.

In September 2020, Apple released version 14 of iOS, and over 30% of users installed it in the first week alone.

Image source - digitalinformationworld.com

In January 2021, an update was released that fixes a bug that allowed hackers to gain remote or local access to any iPhone or iPad. The vulnerability was discovered by an anonymous hacker. Now it poses a real threat to those who postpone the installation of updates.

Which mobile OS is more reliable?

The Android platform has been one of the most vulnerable OSs since its inception in 2003.

Why?

This is because initially it was focused on maximum flexibility, ease of app development, and the ability to run on any device.

It is the versatility and convenience of Android that became the direct and indirect reason for most cases of vulnerabilities of this platform. The ability of apps to control each other and access shared areas of memory has spawned dozens of varieties of spyware, banking Trojans, ransomware, and other malware.

iOS (as well as iPadOS) is structured differently. It doesn’t have a “universal” Linux kernel that allows it to run on almost any device. On the contrary, it is tightly tied to the Apple hardware. This made it possible to isolate apps from each other. There are no apps in iOS that can control each other or change data belonging to other apps.

Thanks to this architecture, malware that intercepts clicks or other actions in banking apps, crypto wallets, web browsers, etc. is impossible on iOS.

The downside of iOS is the impossibility of using it anywhere other than Apple products. Because of this, there will never be more iPhone users than Android users. One company cannot be larger than its dozens of competitors combined.

Some experts also believe that Apple is too centralized and opaque about security issues. One of them is Katie Moussouris, CEO and founder of cybersecurity firm Luta Security.

For this article, I won’t cover other OSes such as BlackBerry OS or Windows Phone as they are no longer supported.

Pros and cons of Android and iOS security

Let me give you a quick comparison of the two platforms from the point of view of a security specialist. I will also give the opinion of Irbis, who talked about how hackers themselves relate to Android and iOS, which smartphones they choose for themselves, and why.

Android

Pros:

• Ability to fine-tune security and privacy policies.
• The latest versions of the platform are well protected (10 and higher).

Cons:

• Allows one app to control others.
• Warnings (confirmation requests) of additional rights are rather arbitrary. The situation has been improving lately.
• Unreliable system for publishing apps in the Google Play Store, Huawei AppGallery, or Amazon Appstore.
• Like any strong tool, it requires the user to comply with some rules.
• Versions older than 8 have fatal vulnerabilities.

iOS (including iPadOS)

Pros:

• Of little interest to attackers due to its secure architecture.
• Reliable validation of apps and publishers before publishing apps to the Apple App Store.
• Strict policy for obtaining additional app rights.

Cons:

• Unavailability of data exchange features between apps.
• To escalate privileges, you need a Jailbreak (the process is described in detail in my article on setting up Kodi on iPhone.

A Hackers’ choice

 Image source - safety.google

When I asked Irbis which smartphone a professional hacker would choose for himself, he firmly answered - Google Pixel.

And this isn’t an add. I am not getting paid to feature this model.

Why this particular model, why not an iPhone, for example?

Irbis said that the Google Pixel is the only smartphone available that cannot download data if it is locked. This is because the Google Pixel disables the connector while the screen is locked. In addition to this, the smartphone has protection against disassembly, which is why specialists cannot connect to the chips directly.

As for Apple, Irbis stressed that he doesn’t know of any case when hackers have successfully worked on this brand of mobile devices. This is due to the reasons I described above - the isolation of apps in the system and the strict policy of the Apple App Store. But he never uses an iPhone, not trusting the company's privacy policy.

Let's summarize the intermediate result.

For more information on how to safely set up and use your Android smartphone, see “…”.

I will also add that in the middle of 2020, after 11 years of using iOS, I switched to Android. Now I follow the rules for the safe use of smartphones and feel completely safe.

5 cases of compromised smartphones 2020-2021

• WhatsApp
• Barcode Scanner
• Baidu
• Alien malware
• Apple Mail

Below I will describe 5 high-profile cases of successful mobile attacks. They illustrate the vulnerability of even large companies to the strategies and professionalism of cybercriminals.

In addition to direct attacks using mobile devices, there is also the possibility of gaining access to personal data of correspondence of mobile messengers. But this is a topic for a separate article. Write in the comments if you are interested in the topic of attacks on popular instant messengers.

WhatsApp

In early 2021, shortly after the scandal caused by the alleged change in the privacy policy (the transfer of personal data of users to Facebook), the WhatsApp messenger suffered a new nuisance. This time it was caused by the actions of malefactors.

It all started with a phishing campaign with a link to a malicious Huawei app. Some users installed this app, and it initiated a chain reaction - sending messages with the same link.

The screenshot and video below show how it works.

 Image source - digitalinformationworld.com

The user receives a WhatsApp message “Download This app and Win Mobile Phone” and a link to a phishing page imitating Google Play. At the same time, the attackers used two methods of misleading users at once, which I analyzed in detail in my long article on phishing. Namely - imitation of a trusted site and imitation of a real URL. 

After the user clicks on Install, he is prompted to install malware. In the screenshot, this attempt was stopped by a third-party protection app ESET NOD32, but most users don’t have mobile antiviruses installed and their system doesn’t warn about additional dangers.

As a result, some users install the worm and it, first of all, starts to “multiply”.

To do this, it asks for permission to access notifications and waits for the victim to receive messages in WhatsApp. He then uses the quick reply feature to send a phishing message to a new potential victim.

At the same time, it also performs its main malicious activity - collecting confidential data from installed apps. These are credentials, documents, and more.

Barcode Scanner

There is a type of mobile attack that the owner of the device has little control over. This is a compromise of already installed apps using an infected update. Read more about how this happens in the next chapter. Now I want to tell you about an attack that lasted more than two months and affected more than 10,000,000 Android devices.

In early February 2021, Malwarebytes Labs published research of an incident with LavaBird LTD, which was developing one of the bar codes scanning apps. The bottom line is that from the end of November 2020 (version 1.67) to January 2021, updates released by this company contained malicious code.

Why is embedded malicious code dangerous?

The Barcode Scanner update contained a heavily obfuscated Android / Trojan.HiddenAds.AdQR. It is an AdWare Trojan that displays aggressive ads on compromised devices. Moreover, advertising isn’t in the main app, but in pop-up windows, regardless of which app is active.

Whose fault is it?

LavaBird representatives deny their involvement in the incident. This is a fairly large company that develops dozens of other apps, and they assure that they would never use malicious code since this is a blow to their reputation.

Baidu

Hackers and third-party attackers aren’t the only potential problem for users. Often, the developers of apps themselves, either by their own will or under pressure from the authorities, embed backdoors or mechanisms into the source code to track the actions and movements of users.

In this case, data breaches occur.

In the fall of 2020, it became known that an undocumented code that collects information about users was found in two Baidu apps at once.

The Baidu Maps and Baidu Search Box apps contained spyware in their real-time notification display modules.

The apps have been downloaded over 6,000,000 times.

What data was collected by the undocumented code?

• Collecting IMSI identifiers,
• MAC address.

IMSI allows you to track the user even if they change devices. It also de-anonymizes the user due to the binding of the IMSI to the SIM card.

Given the Chinese origins of Baidu and the tough policies of the Chinese authorities, it can be assumed that tracking users through such apps isn’t the developers' fault.  

How was the suspicious activity detected? 

Google Play tracks the activity of all published apps using artificial intelligence. It identified the suspicious activity usually characteristic of malware.

Alien malware

Threats to mobile devices are primarily targeted at users' personal data and financial information. As a rule, these are data for logging into accounts and Internet banking.

Banking RAT Trojans (with remote access feature) are the most dangerous of them.

Such malware can not only steal credit card details and passwords for logging into Internet banking, but also give the attacker full access to the system. This allows him to do even more operations with the smartphone than the owner himself.

The most sensational Trojan in recent years is Cerberus. A year ago, this malware was so effective that they asked for $10,000 per month for renting it on one of the forums (according to Irbis).

But Cerberus closed in the summer of 2020, after which its code went public.

But literally the next month, Threat Fabric specialists discovered a new fork of Cerberus - Alien. According to their research, Alien shares architecture with Cerberus.

The method of communication with the command and control server has been changed. Alien can steal data from 226 apps, including secret tokens from Google Authenticator.   

Apple Mail

All previous examples of mobile threats have been implemented on Android. But iOS also doesn't provide a 100% guarantee of user safety. Moreover, the danger doesn’t necessarily come from installed apps.

I will give an example of a major vulnerability in iOS, which was exploited for remote access and full control over the device in the context of MobileMail or maild (iOS 12 and 13). Threat investigators also report successful implementation on earlier versions of iOS, up to version 6.

The essence of the threat is that a specially prepared letter is sent to the victim's email address. Provided that it is opened in Apple Mail, an exploit will work. This will launch a second exploit that compromises the kernel.

In April 2020, ZecOps published a report that reported attempted attacks against the following targets:

• Fortune 500 people,
• MSSP from Saudi Arabia and Israel,
• The Head of a telecom operator from Japan,
• Other VIPs. 

Why is the Apple Mail vulnerability dangerous? 

Gaining remote access and obtaining privileged rights at the level of the mail service made it possible to gain access to all correspondence of the victims and steal data from letters.

It is already known that this 0-day vulnerability has been exploited by hackers since 2018 or possibly earlier.

Apple fixed the issue with the iOS 13.4.5 update.

An example of using mobile malware step by step

Before proceeding to the description of the best known and most massive cases of compromised smartphones, I want to show a real example of how infection of an Android device can occur.

As an example, I will use the malware SpyNote, which is relevant for 2021.

This is a Trojan that successfully bypasses the protection of Google Play and serves to gain full access to the infected device.

This malware can be purchased by anyone on the website indicated in the screenshot for $15- $150, depending on the set of features.

As you will see further, even the latest version of OS doesn’t provide security guarantees if the user himself takes rash actions. The fact is that the software itself doesn’t use exploits or other overtly malicious features. The developers used only the built-in capabilities of the Android platform. This is the grave danger of modern malware. It can be integrated into completely legal apps and run on the infected device completely unnoticed, as you can further verify.

So how does it work?

The publisher provides a fully functional system for creating, managing, and monitoring the described malware. It is launched using the attached .exe file.

In the panel that opens, you can perform the following basic actions:

• Create APK file (malware body)
• Monitor infection statistics
• Manage infected devices

Let's take a look at all the features in turn.

Creating a malicious APK:

The builder can be launched directly from the panel, applying various malware parameters.

The list of available parameters is shown in the following screenshot:

Pay attention to the App Name and the picture shown by the arrows. This is what the malware will look like after being installed on a mobile device.

Once the APK is created, attackers use any of the methods to distribute the malicious code. In the test version, the installation file is simply copied to Android.

More often than not, spyware and other mobile malware are embedded in clean APKs.

After launching the app, SpyNote contacts the management server. The operator has a whole set of tools for managing the infected device:

• File Manager
• SMS Manager
• Call Manager
• Contacts Manager
• Location Manager
• Account Manager
• Camera Manager
• Shell Terminal
• Apps
• Microphone
• Keylogger
• Communication with the victim

In fact, the hacker has a more complete and convenient smartphone management tool than the owner himself. Moreover, the presence of the Keylogger module allows you to record everything that is typed on the keyboard. A simple analysis of the received logs will allow you to get the necessary passwords. An attacker can enter a crypto wallet, Internet banking, or any other protected area directly through the account owner's smartphone (it is possible to receive SMS confirmation and two-factor authentication). This allows you to bypass all degrees of protection, except for face recognition and fingerprint recognition.

For clarity, I will demonstrate the work of the file manager and the camera access module:

Thus, it isn’t difficult for cybercriminals to find, buy (or rent) and launch multifunctional mobile malware, which today can be used to obtain any personal data and access to any services and accounts to which the owner of an infected smartphone or tablet has access. Moreover, such systems make it easy to control a huge number of such devices simultaneously.

How smartphones are hacked (information from a hacker)

• How do infected apps get to a smartphone?
• Phishing
• App updates
• Social engineering
• MITM attack
• Router attack

The way attackers or special services infect mobile devices and compromise a user is primarily influenced by their architecture. For example, remote access to the iPhone can be obtained only by using specific vulnerabilities that aren’t available through the web browser.

Android works differently. It is easier to “work” with it just remotely via web technologies.

In this chapter, we will analyze all the main ways to install surveillance, extortion, theft of data, spill, and other confidential information.

How do infected apps get to a smartphone?

Experts from NortonLifeLock (formerly Symantec) and the IMDEA Software Institute in Spain have published the results of interesting research, which is the largest of its kind to date. For example, the researchers studied the channels through which malicious apps reach users' devices, and the conclusions were disappointing.

Telemetry data provided by NortonLifeLock was used for the analysis. Thus, the origin of apps on 12,000,000 Android devices was studied for the period from June to September 2019. In total, over 34,000,000 installed APKs were analyzed for 7,900,000 unique apps.

The researchers write that, depending on the different classifications of Android malware, between 10% and 24% of the apps they analyze may be considered malicious or unwanted.

There are 12 ways in which malware integrated into apps gets to a mobile device:

1. apps are installed from the official Google Play Store;
2. apps are installed from different directories (third-party app stores);
3. apps are loaded through browsers;
4. apps are installed using commercial PPI programs (pay-per-install);
5. apps are installed using backup and restore operations apps are installed through instant messaging programs (messengers);
6. apps are installed through theme stores for phones;
7. apps are downloaded and installed through the local file manager;
8. apps are installed via file sharing apps;
9. involved through file sharing apps;
10. apps are already installed on the device "out of the box" (bloatware);
11. apps are installed through MDM solutions (apps installed by enterprises on the devices of their employees);
12. apps are installed using package installers.

Phishing

 Most cases of compromised smartphones and tablets are carried out using mass or targeted phishing.

This is due to two reasons:

1. Widespread Android, which allows you to install apps from unverified sources;
2. Even in the most secure system, the weakest link is its user.

This type of attack applies primarily to the Android OS. On iOS, phishing for infection is practically not used.

There are several ways to infect a smartphone through phishing:

• Redirecting to phishing sites that distribute malware. The user is directed to fake pages under various pretexts and offered to install an app. It could be a fake antivirus, dating app, game, or any other app that people might be interested in;
• SMS messages with a link to a phishing site.
• Pop-up notifications.
• Email letters.

All these methods have a common feature - a person installs a malicious app of his own free will.

Moreover, for a very long time, the OS by default prohibits the installation of apps from unverified sources. But this protection is disabled in the settings. It would seem that this should completely disarm the attackers. But statistics show that many people still ignore the danger. The desire to get something easily or for free is stronger than common sense. Also, protection is often disabled during the initial setup of smartphones, when you need to install useful utilities from honest developers who, for various reasons, cannot post their software on Google Play. It is enough to disable protection once and it will no longer remind of itself.

However, not all malicious apps are untrusted.

With the development of Android protection and the increased attention and caution of users, cybercriminals are increasingly publishing malware in the Google Play Store.

This is done like this:

• A completely legal app is being created.
• Malicious code is embedded in the app. It is carefully disguised. To prevent Google from detecting prohibited features at the approval stage, a delayed malware activation is made and all sorts of protection against launching on virtual devices are added. For example, there is malware that is activated only after the user takes a certain number of steps (data from the built-in gyroscope and accelerometer are read).
• A developer account is being created. This can be done in a few minutes. It is enough to buy a Gmail address, for which dozens of services have been created on the Internet. You can create a Google account yourself. It is enough to receive an SMS once to a rented number for 20 minutes for 20-50 cents. With Gmail ready, a developer account is registered. You need to pay $25 to activate it.
• If Google asks for proof of identity, and pre-made scans of documents are sent to it. Today it isn’t a problem to confirm a fake account even with the help of a selfie. For this, there are separate "artists" and entire services. For a small fee, they take pictures of random people with a piece of paper or some kind of document in their hands and then use Photoshop to "paste" the necessary data.
• The created app is loaded.
• Advertising (traffic) is bought and thus the trust account is “farm”.

These actions take time, but it pays off well since more careful and trained people install on such an app. It is also important that third-party antiviruses also don’t respond to such software.

App updates

A less common but most effective way to install malware is to release infected updates to already installed apps.

In this case, everything happens without the participation of a smartphone or tablet user. Because of this, the device of even the most suspicious and attentive person or company can be infected.

 It works like this:

• Cybercriminals buy a project or hack an app company.
• An update containing malware is created.
• Google automatically updates all installed target apps.
• When the app is launched on each device where the app has been updated, the malicious code is executed. The device is infected.

One of the most striking examples of such an attack was the vulnerability of the Barcode Scanner update, which infected more than 10,000,000 devices in 2021 (the incident is detailed above).

Social engineering

In addition to ordinary phishing, containing convincing reasons that the user needs to download and install an app right now, ignoring common sense and Android security warnings, there are more complex and effective methods of installing malware on the victim's smartphone.

Irbis talked about interesting ways for target attacks using social engineering.

1. Gift

The easiest way to track a victim through his smartphone is to give him a new model. Any pretext for this can be suitable. The main thing is that the one who gives the phone is a trusted person, company, or group of colleagues.

To achieve maximum effect, an attacker can gain the trust of the victim, his colleagues, or family members over weeks or months.

As a rule, such a phone is pre-installed with malware or it is possible to install it later, even if the victim prudently resets the device to factory settings.

Most often, this method is used for:

• eavesdropping,
• video surveillance,
• registration of movement,
• control over the device.

In all cases, it is possible to attack not only from Android but also from iOS. But it all depends on the technical level of the attackers.

In the simplest case, it could be surveillance by a jealous partner. In this case, a hidden or renamed app is installed.o

This is also the case when it comes to commercial espionage. In this case, the budget for the attacks may not be limited, and the best specialists are involved.

2. Winning contests / lottery in social networks

If you need to establish surveillance of an object without coming into direct contact with him or his proxies, then attackers resort to another effective method - organizing a competition or a draw with a valuable prize in the form of a smartphone.

Most often, targeted attacks occur via social media. For example, the action takes place in one of the groups where the victim is. The latest version of the top smartphone is being raffled off. The person “wins” the prize and receives it by mail or courier service.

This method has both advantages and disadvantages.

Pros:

• There is no need to gain the victim’s trust,
• Easier to hide traces,
• It takes less time.

Cons:

• One, maximum two attempts are possible,
• Not effective for all people,
• Not suitable for those who don’t respond to phishing.

In some cases, when a subject is too cautious, attackers can take advantage of the gullibility of his or her relatives.

3. Damage to the tube and subsequent contamination during repair

If there is a possibility of direct contact with the victim's smartphone, then the attacker can act in two ways:

1. Install unnoticed malware.
2. Damage the device and make it go to the “right” repair shop (or bribe the workshop worker), where the hacker installs malware or modifies the system so that it becomes possible to do it remotely.

In this case, the main thing is to not overdo it and not to spoil the phone so that it will be impossible to fix it.

MITM attack

MITM (Man-In-The-Middle) attack is based on interception and alteration of data. Although for more than 10 years it has been considered a rule to create sites on https to avoid interception of information between the user and the site server, many apps still download updates via insecure http.

This is a vulnerability of even the most secure smartphone.

If you intercept such an update in one way or another, you can replace it with malicious code and infect the app.

Router attack

Router attacks are a common hacker tactic. According to Router Security, in the first two months of 2021 alone, 5 exploited vulnerabilities were discovered in various routers, which were installed in tens and hundreds of thousands in homes and companies around the world.

The peculiarity of such an attack is that it gives access to the traffic of all devices connected to the compromised router.

This makes possible for not only the MITM attack described above but also effective spear phishing.

Example. The hacked router is flashed with OpenWRT firmware, the Captive Portal is configured in it. After that, when the desired device is connected to the WiFi router, it will receive a phishing page with a plausible message about the need to install an app to fix an error or security problem. 

Separately about iOS

If, after reading the article, you got the feeling that it is enough to use the iPhone to be reliably protected, then this isn’t entirely true.

Indeed, if:

• on your smartphone there are only photos of close people and interesting places,
• you don't use it for work
• you don’t hold a high position in a large company,
• you don’t engage in politics,
• you are not very rich
• you aren’t involved in serious crimes,

it is true to some extent.

But if you are a VIP, some technologies can compromise even the iPhone. In everything related to crime or intelligence surveillance, the combination of the funds spent and the potential result plays a decisive role.

As I said, it is possible to install spyware on an iPhone through a gift and repair shop.

But there are also expensive technical tools that aren’t developed by individual hackers, but rather large companies cooperating with the governments of countries around the world.

For example, at the end of 2020, Citizen Lab experts said that the Israeli NSO Group's spyware was used to hack the iPhone of dozens of Al Jazeera journalists commissioned by Saudi Arabia and the UAE.

Such software is used by special services and law enforcement agencies to identify terrorists and other criminals.  

Moreover, the infection can occur through Apple servers.

Obviously, if you are interested in the secret services of large states, then it is almost impossible to avoid hacking and surveillance. And Apple products won't help here.

But this isn’t the only way to jailbreak an iPhone or iPad.

I mentioned that iOS can have critical vulnerabilities as well. The last known critical vulnerability was fixed only in the beginning of 2021 after existing for about 2 years. Perhaps there is something like this right now, and someone is already learning how to exploit it.

How to know if your smartphone has been jailbroken

Professional hackers know how to create malware that doesn't manifest itself directly. Still, there are some signs of their work. This is due to the nature of the hardware device and cannot be controlled by hackers.

Let's consider the main signs that your mobile gadget may be infected:

1. Sudden cases of accelerated discharge of the battery, provided that the device itself is in good working order. When the software compresses the video and audio signal, the transmitting antenna module, and other power-consuming elements, the power consumption increases. This leads to premature battery drainage. This is possible if the device is running spyware. But this doesn’t mean that each such program will consume a lot of energy. For example, if tracking occurs only for movement, or if the transmission of sound occurs only if the user is talking on the phone, and the image is transmitted only when he uses the camera, then it is almost impossible to detect this sign.
2. The device is noticeably warmer than usual after being idle. The increased draining of the battery leads to its overheating. Therefore, this symptom most often accompanies the first. But, if you have both signs, then you should be on your guard. In the next chapter, I will tell you how to do the right thing if you suspect that your device is infected.
3.  Pop-up ads outside of apps and push notifications from unknown services. This is usually a sign of an AdWare infection.
4. Turns on the screen in rest mode. In good working order, in rest mode, the smartphone is with the screen off. The exceptions are when messages or push notifications arrive. Otherwise, turning on the screen may indicate malware operation. For example, Trojans that allow making calls remotely (AZORult and other multifunctional malware.
5. Other failures. Malicious code can malfunction. This is because there are a great many devices on Android that run different versions of the OS. Therefore, unexpected freezes, reboots, and other unusual symptoms may indicate that the device is infected.  
6. OS version.  It doesn't matter if you are using Android or iOS, you need to make sure that it is running the latest version of the OS. If this isn’t possible or if you postpone the update for a long time, then sooner or later your smartphone will become vulnerable to a remote attack and with a high degree of probability, it will be infected. So, according to cvedetails.com, by the beginning of 2020, 2563 vulnerabilities in Android were known. They have all been fixed. But what if you have never updated your smartphone, but purchased it more than two years ago? Then the fixes aren’t installed. Take a look at the table in the screenshot below and appreciate the importance of installing OS updates. 

 Image source - cvedetails.com

Several hundred new Android vulnerabilities appear every year, of which about half can be used to launch malware.

They also find vulnerabilities in iOS, but there are about 20 times fewer of them and they can rarely be exploited remotely.

How to protect yourself from hacking (step by step instructions)

Despite the weaknesses in Android and iOS, the weakest point in the protection of mobile devices is the user himself. In sum, the situation requires increased attention. If you don’t take any measures to protect against mobile attacks, there is a high probability of getting infected with malware.

What should be done to defend against mobile attacks?

Together with Irbis, who has a lot of hacking experience, I have compiled a list of actions that need to be taken (and some of them - regularly) to significantly increase the level of protection of mobile devices.

Follow all the steps in the guide and your smartphone or tablet will be as safe (and possibly more) than your iPhone or iPad.

For users of Apple gadgets, I have also prepared a few recommendations for maximum security and privacy.

A step-by-step guide to securing Android devices

1. Install the latest OS update. What matters here isn’t what version of Android you have, but whether the latest patches are installed. If your device doesn't support the latest Android release, or you don't want to upgrade from Android 9 to Android 11, then that's okay. The only thing to worry about is Android 7 or later. For these versions, Google no longer releases updates. These versions may not be secure enough. You must complete this step every time the device announces an available update.
2. Install the latest app updates. This usually happens automatically. But for some reason, this option may be disabled. Make sure automatic updates are turned on. To do this, go to Google Play settings, find “Auto-update apps” and check its status. Turn it on if needed
3. Check the status of the “Install from external sources” option. One of the most important options in Android. It is important to prohibit the installation of apps from external sources (Websites and app catalogues that weren’t preinstalled with the system. As a rule, this is Google Play or Huawei AppGallery). The option is located in Device Settings-> Security-> Additional Settings-> Install Apps from External Sources. It must be disabled for all apps.
4. Set a password to unlock the screen. Your smartphone should be inaccessible to everyone but yourself. It is desirable that family members also don’t have access to it. This isn’t due to distrust, but so that no one except you can accidentally or deliberately manage device settings or install apps. Modern smartphones have face and fingerprint recognition technology. Use them if it is more convenient than other unlocking methods.
5. Don’t remove the SIM unlock password. I also recommend changing the PIN to a complex one if it was initially set as a standard one (“1111” or similar).
6. Remove all zombie apps. When, for some reason, Google Play removes an app from its repository, but it has already been installed on end devices, then it becomes a “zombie”. While fully operational, such apps are actually backdoors to the user's system. The developer is no longer responsible to Google and can sell the management of the “zombie botnet” to anyone.
7. Reset the device after repair. If your smartphone is broken and you took it for repair, after it is returned to you, save all the valuable files that you are familiar with on an external storage device (for example, on a computer or memory card). Then do a factory reset.
8. Don’t install apps from unverified publishers. Even if you disabled installation from external sources, there is no guarantee that experienced cybercriminals won’t publish an app with malware on Google Play or other repositories that people trust. To protect yourself as much as possible from the possibility of hacking, pay attention to the following app parameters: 

• How long ago was the app published;
• How many reviews it has. There should be at least a thousand of them;
• Negative reviews. Examine the negative reviews. This is to detect deception among well-rated apps. It often happens that reviews are messed up. It isn’t difficult to recognize real reviews from fake ones. You need to find similar reviews among the negative ones. If different people say that the app doesn’t do what it says, then this is a reason to think and look for another app.
• Have there been updates. As a rule, malware-laden apps don’t live long. During their existence, they simply don’t have time to release updates.

9. Use a VPN. A good VPN service securely encrypts device traffic and makes it impossible to intercept the information. Even if you don’t trust encryption in instant messengers, VPN will give a 100% guarantee of the protection of transmitted data. Moreover, this applies to the traffic of all apps of the device at once. This technology has additional benefits as well. With it, you can change your IP address to the IP address of another country. For example, when using a Netflix VPN, you may be able to access video content that isn’t available in your area. And when using NVP for torrenting, your ISP won’t be able to know that you are using a BitTorrent client.

Tips for securing iOS devices

The most important thing to do on iOS regularly to avoid mobile attacks is to keep the system up to date. In the vast majority of cases, this is sufficient to avoid malware installation.

According to Irbis, hackers rarely work with this platform due to the impossibility of launching full-fledged Trojans on it that open remote access with maximum privileges.

The only exception is device infection through direct contact. But even this is a complicated and expensive procedure.

As I said above, for direct contact with the iPhone, it is either presented to the victim with “pre-installed” malware or forced to contact a service for repair, where the gadget is compromised.

Naturally, these are very rare cases. Therefore, if you aren’t an important person, then you shouldn’t worry too much about your iPhone. The main thing is to update the OS in time.

What if you need to test your app?

But what if you still need to install some kind of app, but you aren’t completely sure that it is "clean"?

For example, you have been recommended a program for a smartphone that will simplify its use, it is praised, you are a responsible employee and don’t want problems.

There is a solution! The developers have foreseen the need to test new apps and laid down in Android technologies to restrict privileges and isolate the app.

• Guest mode
• MultiROM
• Cutting off privileges
• Safe mode

Guest mode

The easiest way to run a suspicious app without compromising your data, bank, and mobile accounts is to use the so-called multi-user mode (Settings-> Users). It appeared in Android 5.0 (in fact, it was still available in version 4.2, but only for tablets) and allows you to create a special user account with reduced powers.

Such a user won’t have access to the apps installed by the main user and their settings, won’t be able to look into his app data and files, connected accounts (for example, to install an app from the Play Store, you will have to log in with a new account). So in general, everything will look like a freshly installed and not yet configured Android, but with some restrictions:

• Barring calls and sending SMS (can be disabled by clicking on the gear next to the username and enabling the "Enable calls" option);
• A ban on enabling developer mode (Settings-> About phone-> Seven tapes by assembly number) and, as a result, activating ADB.

If you run a malicious app under such a user, it won’t be able to steal information about the main user, his data, SMS, authorization tokens, or read SMS from the bank. He won’t be able to empty his mobile account by sending SMS to short numbers.

It's almost ideal for running untrustworthy software. But there is also a serious caveat: if malware finds a way to gain root privileges, all this protection will collapse instantly. Having root rights, a trojan, a virus, or whatever you come across can do anything. Therefore, you have to come up with something more sophisticated.

MultiROM

MultiROM — This is a system that allows you to organize a full-fledged multiboot on your smartphone. The user downloads and installs the package from the Play Store, launches the app, it “flashes” its bootloader into the device (it will work after the original bootloader), kernel, and recovery console. Then the user can install any firmware next to the main one on the smartphone, be it CyanogenMod, a copy of the main firmware, or even Ubuntu Touch.

MultiROM has a well-designed architecture, it doesn’t mix installed firmware files with the main firmware, but instead creates for each of them several images on a memory card (real or virtual - it doesn't matter) that store firmware and user data. The bootloader slips these images into the firmware during its startup instead of real NAND partitions, so it appears to be locked into a sandbox. This feature fully protects the main firmware even if it has root access.

In terms of isolation, MultiROM is much more reliable than multi-user mode, but, nevertheless, it has its cracks. The strangest of them is that if you install on a smartphone an advanced Trojan that cannot just register itself in system apps. It will penetrate a RAM disk (it contains files necessary at the initial stage of OS boot), and the one that wasn’t launched from using MultiROM firmware, will be the main one.

This is because the RAM disk, along with the kernel, is stored in the boot partition. To infiltrate a RAM disk, the Trojan extracts its image from the boot, modifies it, and writes it back. But since the firmware installed by the second system is loaded from the boot image on the memory card, it remains uninfected, and the main firmware falls under the distribution. By the way, removing such a Trojan is quite easy: just overwrite the boot partition using the same MultiROM (check the box next to the "Kernel" item and click "Install").

Cutting off privileges

Another, less "invasive" way of protecting against unsafe apps is through privilege control. It is well suited if you are dealing not with a Trojan or a virus, but with an ordinary app, but still don’t want it to gain access to your location, contacts, be unable to send an SMS or make a call.

In other words, the most common situation.

In Android, the privilege control feature was introduced in version 6.0. Immediately after launching or when switching to a specific screen of the app, a request appears to gain access to certain features of the smartphone. Whether or not such access is allowed depends on the situation. Most apps will continue to function normally even without access to some features.

But there is a very serious feature in this mechanism: if the developer deliberately designates the Android 5.1 version as the target, the Android authority control system won’t work, and the screen won’t be prompted for authority, they will be given by default. This is a specially introduced exception required for compatibility with old software.

There are several ways to get around this limitation. CyanogenMod has a tight permissions control system that allows you to deny apps access to features. With its help, you can disable the powers of absolutely any app, including system ones. Just go to “Settings -> Privacy -> Protected Mode”, select an app from the list, and hold your finger on it for a long time. A screen appears with a list of permissions that can be disabled using the switches.

To do this, simply tap on the app in the list, after which the shield icon on the right will change the color to green. Also, the app can be denied access to the Internet, this is done on the permission control screen at the very bottom.

Another option is the LBE Security Master app. It is a kind of harvester to protect the device from all sides, with its authorization control system, antivirus, garbage cleaner, and other features.

Disadvantage: The official version of the app only supports Chinese.

LBE will start working immediately after installation so that when the apps are launched, a permission request will appear on the screen, and when you call, the “Add to blacklist” button or notifications of suspicious actions will appear on the screen. The most useful features are found in the "Active Protection" section. Here you can manage the permissions of the app, open and close access to the Internet, remove them from startup and even block ads.

All of these features require root, but the LBE also has support for non-rooted smartphones. True, it works somewhat differently. To be able to manage permissions and Internet access, the app must be added to the so-called "Isolator" (it is located in the pull-down menu). After that, it will operate under the supervision of the LBE.

Safe mode

Google's version of Android (as well as all custom firmware) has a special mode in case of infection with viruses, screen blockers, or installing incorrectly working apps. In this mode, Android disables all user-installed apps and prevents them from affecting the system. It is very easy to enter this mode: hold the power button until the power off menu appears, and then hold the “Power off” option until the message about entering safe mode appears.

Conclusion

So is there a real danger of a true mobile malware pandemic?

Of course, yes. Today, the vast majority of users prefer Android. At the same time, not everyone follows the system updates, many have outdated devices that don’t support installing more secure versions of the OS. But even with the most advanced software, the weakest point in protection remains - the human factor.

Combined with the low efficiency of anti-virus apps, this makes mobile devices vulnerable to malware.

Cybercriminals' interest in mobile devices will continue to grow. This is primarily due to the transition of a large number of people to remote work. As a result, the amount of “business traffic” passing through smartphones and tablets has increased.

There is also a trend towards a shift in workplace activities from desktops and laptops to telephones. This is facilitated by the development of the devices themselves and the development of stronger, feature-rich, and convenient mobile apps.

Malware capable of stealing valuable data and intercepting personal information will continue to appear.

A surge in mobile ransomware is also possible. All for the same reason - the presence of valuable information on mobile devices, which makes sense to target.

In this regard, I consider one of the main priorities to be increasing the security of the devices themselves and training ordinary users and companies’ staff on the rules for safe use of smartphones.

When it comes to choosing the best smartphone model, a lot depends on the user's needs. The most flexible and functional are Android smartphones and tablets. But at the same time, their architecture requires increased attention and “doesn’t forgive” rash actions (installing apps from unverified publishers, ignoring OS updates, and more, which was described in the article).

For simpler tasks, where functionality is more important, but security is needed, an iPhone or iPad is suitable.

If the article was useful to you, then please share in the comments what you discovered new for yourself after reading it. If you think the information isn’t complete, then please write your opinion on what can be improved. You can also ask me questions about the topic of the article, I will be glad to answer everyone.

Dean Chester.