Seems like everywhere you turn, there’s news of another mobile security breach. Just last month, vulnerabilities in iOS 9.3.5 were being exploited by the notorious NSO Group, maker of surveillance software, to read text messages and emails, record sounds, collect passwords, and even track the calls and whereabouts of users. Apple released a security patch on August 25 in response.
Meanwhile, on the Android side, a Linux bug first introduced in Android 4.4 (and present in all future versions) left 1.4 billion users vulnerable to hijacking attacks. The vulnerability allows attackers to terminate connections and, if the connections aren’t encrypted, inject malicious code or content into users’ communications. Representatives from Google say they are aware of the vulnerability and are “taking the appropriate actions.”
These hacks aren’t happening in a vacuum. Mobile malware is a frontier ripe for cybercriminal activity. According to a 2015 Pew Research Center Report, nearly two-thirds of Americans own a smartphone, and roughly one in five of those users conduct most of their online browsing using their phone instead of a computer. The reality is that as more and more people use their phones to go online, more cybercriminals will hear the call.
Mobile malware on the rise
“Mobile malware has been on the rise drastically in the last couple of years,” says Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes. “Everything from backdoor malware that steals personal information to ransomware that locks your phone until payment is made exists in the mobile space. With millions of malware samples in the wild, there is no reason not to be concerned.”
In addition to an increased volume of people turning to their phones as the primary means for going online, there’s also an increase in using mobile devices for storing and transmitting sensitive data. The 2015 Pew Research Center Report also shows a full 57 percent of smartphone users doing their online banking on their phones.
But online banking is just the tip of the iceberg. GPS programs can find your location. Mobile apps often require that you allow them to access data stored in your phone or on the cloud. You can receive digital boarding passes via text message, or verification codes for logging into sites. Social media apps publish photos and personal data, and fitness and health apps track steps, heart rate, and food intake. A cybercriminal can learn all there is to know about their targets by breaching their cell phone.
Your phone may contain and transmit more information, and more sensitive information, than your computers, but it’s not always as protected.
Security issues with phones
A number of factors contribute to weak mobile phone security, but one of the top concerns is that phones are much easier to misplace, lose, or have stolen. Mobile phones go with you everywhere, which means there’s more potential for leaving them behind. Once a criminal has physical control over your phone, it’s often not too difficult to gain control of its data.
A second huge concern for mobile phone security is the validity of third-party apps. They aren’t vetted by the major app stores, iTunes and Google Play, so they needn’t pass a minimum standard for safety. Apple’s iPhone has strict rules about apps: they can only be downloaded from iTunes, and are therefore more secure. The downside is that users are restricted from going outside the iTunes ecosystem, which is why people sometimes jailbreak their phones. This is a dangerous measure, as it negates all security, not only for apps, but also for operating systems.
Google’s Android, however, allows for third-party apps to be downloaded. “Android is highly customizable and open to innovation by its users,” says Collier. “Also, although Google highly recommends you only install from the Google Play store, they allow you to take the risk into your own hands if you really want to install elsewhere.”
Another security risk with mobile phones is that users don’t update their OSes as often as they do on computers. Updating phone software requires ample memory and battery power, and users are often running low on both. Every time a software update is delayed on a mobile phone, a cybercriminal has an opportunity to exploit security vulnerabilities in the operating system.
Of course, mobile phones are also vulnerable to the same pitfalls that befall desktops and laptops—mainly, users who don’t practice safe surfing. Social engineering in the form of social media scams and phishing can especially ensnare mobile users who regularly check their email, Facebook, Twitter, and other social networking sites. Phishing in the form of text messaging, or smishing, has also become a popular attack vector, particularly for criminals looking to cash in on the popularity of mobile banking.
Finally, all of these risks are compounded by the fact that technical security measures are not commonplace in phones. While computers are often equipped with firewalls, antivirus, and/or anti-malware software, mobile devices typically have only their operating systems and the security of their apps to protect them.
Ways to stay secure
So what does this mean for mobile phone users? It means that it’s even more important to stay vigilant about cybersecurity when using a mobile device. Here are some ways you can protect yourself, your data, and your phone.
Chances are, you use your phone to do a lot of stuff online. You may even be reading this article on it right now. For peace of mind, and to get a leg up against a rising tide of mobile malware activity, don’t just phone it in—be proactive about your mobile security.