Mobile Device Security

Garden State Cyber Threat Highlight

Original Release Date: 2/17/2022

Mobile devices, such as smartphones, are an integral part of daily life with the ability to communicate with others, access services and apps, and increase productivity. They also circulate personal and/or critical business data, which may include personally identifiable information (PII), health information, financial information, and other sensitive information. As the use of mobile devices continues to grow exponentially, they become attractive targets for threat actors to exploit vulnerabilities, compromise devices, and commit further malicious activity. We explore the attack vectors in the mobile threat landscape and provide cybersecurity best practices to educate users and organizations to reduce the likelihood of victimization.

The Mobile Threat Landscape

Mobile devices can serve as a single point of attack or as a means to commit subsequent attacks. Threat actors may target mobile devices through a single attack vector or a combination of attack vectors, such as social engineering, SIM swapping, spyware, malicious mobile apps, and physical security.

Social Engineering

Threat actors may target mobile devices through social engineering—such as vishing, SMiShing, QR codes, and instant messaging platforms—by impersonating trustworthy people or entities in an attempt to convince the target to divulge information or take action. They will often conduct preliminary reconnaissance on their targets before attempting to make contact. In vishing (voice-based phishing) scams, incoming calls may show up as unrecognized numbers or as spoofed numbers that appear to come from a known contact. SMS-based phishing (SMiShing) can be more effective than email phishing because the messages are viewed on a mobile device, where it is harder to judge their legitimacy and to see the true destination URL of a link. These messages often contain a link that, if clicked, leads to a fraudulent website intended to siphon user credentials, steal funds, or deliver malware. They may also request sensitive information that could be used for identity theft or account compromise. SMiShing messages may come from random phone numbers or email addresses and often use a sense of urgency to convince the target to act quickly. The combination of phishing and QR codes, known as quishing, gives threat actors an opportunity to direct users to malicious sites, access their accounts, install malware, infiltrate networks, and more. Scanning QR codes on mobile devices may bypass standard corporate security controls, including secure email gateways, link protection services, sandboxes, and web content filters. Threat actors may also use social engineering on instant messaging platforms to make initial contact and build trust with their targets before encouraging them to click on links or attachments, download malware, or divulge information. The real-time nature of these platforms increases both the reach of such attacks and the speed at which they spread.

SIM Swapping

The voluntary posting of personal information online and the aftermath of data breaches can expose information that could be used in SIM swapping attacks. The risk of unauthorized account changes that facilitate these attacks increases for users who have not protected their mobile carrier account with a PIN and whose personal information has been exposed. Threat actors can contact the targeted victim’s cellular provider, claim that their target's phone was lost or damaged, and convince the cellular provider to give them control of the account without gaining physical control of the victim’s phone. This allows them to activate a new SIM card connected to the victim’s phone number on a new phone controlled by the threat actors. If activated, the threat actors will receive all of the victim's phone calls, text messages, and data on the new phone. The threat actors can then log into existing accounts that use SMS-based multi-factor authentication (MFA) and enable MFA on accounts without this feature, effectively locking the victim out of their other online accounts. Additionally, they can use or sell the victim’s personally identifiable information in identity theft schemes, steal funds, and facilitate other malicious activity.

Spyware

Spyware is malicious software typically used to monitor, capture, and share detailed information. It can collect emails, social media posts, call logs, messages on encrypted chat apps, contacts, usernames and passwords, notes, and documents such as photos, videos, and audio recordings. It can also collect GPS information to determine a user’s location, movement, and direction. Some spyware can activate microphones and cameras and deliver files without any indicators or notifications to users. Spyware can be simple or sophisticated and relies on security weaknesses or unpatched software vulnerabilities. Although device and file encryption are recommended, they cannot prevent spyware activity: once an encrypted message is delivered to the mobile device, it is decrypted and made readable by both the user and the spyware.

Malicious Mobile Apps

Threat actors target and exploit vulnerabilities not just in operating systems, but also in mobile apps, which may contain malicious code. Malicious apps may be found in the official stores of both the iOS and Android operating systems; in the case of Android, there are also third-party app stores. Threat actors generally lure unsuspecting victims into downloading shopping, gaming, and other apps that are either outright malicious or that introduce vulnerabilities or the risk of compromise through adware, excessive permissions, or a dangerous combination of permissions that could harvest personal information and account credentials.

Physical Security

In terms of cybersecurity, the purpose of physical security is to minimize the risk to information systems and information. If mobile devices are left unlocked, unsecured, and unattended, they can provide threat actors with additional attack vectors to connect to networks, infect other devices, and exfiltrate data. Multiple layers of physical security can be implemented to protect the most critical assets and services.

Best Practices

The NJCCIC recommends users apply cybersecurity best practices to protect their digital assets and reduce the likelihood and impact of attack. Additionally, organizations can help protect mobile devices through various mobility management tools depending on business needs and industry requirements.

  • Invest in security awareness training: Invest the time, money, and resources to ensure users understand risks, the latest cyber threats, and best practices.
  • Use unique, complex passwords for all accounts: Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Refrain from sharing login credentials or other sensitive information: Login credentials and other sensitive information should not be shared with anyone, posted in plain view, or saved on your computer or other platforms.
  • Update passwords immediately following a data breach or potential compromise: Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change exposed passwords for every account that uses them to protect against account compromise.
  • Enable multi-factor authentication (MFA) where available: MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Even if a cybercriminal obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping, though using any form of MFA is beneficial. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA.
  • Exercise caution with communications: Refrain from clicking on links or attachments or divulging sensitive information without verifying the requestor via a separate means of communication before taking any action.
  • Navigate directly to websites: Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
  • Use secure websites and networks: When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites and networks. Connect to virtual private networks instead of widely-used and public WiFi networks.
  • Use reputable apps: Download and install apps from legitimate developers/companies through official app stores and after analyzing customer reviews.
  • Check and configure privacy and security settings: Check these settings to help manage your cyber risk and limit how and with whom you share information. This will help safeguard information or resources if an unauthorized user gains access. Use the NJCCIC instructional guides for Android, Facebook, Google, Instagram, and Twitter, and configure similar settings on all other social media sites. Information on how to access privacy settings for additional popular devices and online services can be found on the National Cybersecurity Alliance webpage.
  • Reduce your digital footprint: Minimize your online presence and PII exposure, and exercise caution when uploading sensitive PII or other information to websites, applications, or social media.
  • Value and protect your information: Make informed decisions about sharing your data with certain individuals, businesses, services, and apps.
  • Conduct frequent searches and remove personal data: Conduct searches for personal data and remove any tags for photos of you and your family on social media. Contact connections to remove personal data about you and your family. Utilize Michael Bazzell’s Extreme Privacy guide to remove personal data from the internet, which includes submitting opt-out/removal requests for public record or ‘people search’ websites where your information is readily accessible.
  • Deactivate and/or delete accounts and apps that are no longer in use: Deactivate or permanently delete any online account or app that is no longer in use. Sites such as https://justdelete[.]me provide instruction on how to remove information and delete accounts for numerous online and social media sites.
  • Lock screens: When stepping away from your device, the lock function helps to protect the information stored on or accessible from your device. Also, check security settings or policies to automatically lock screens after inactivity.
  • Secure physical devices: Safeguard devices and ensure a password/passcode or an additional authentication factor is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen.
  • Back up devices: Protect your information from malware, hardware failure, damage, loss, or theft by making multiple copies and storing them offline.
  • Keep devices up to date: Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.

New Jersey Cybersecurity & Communications Integration Cell