Beware of These Attacks Exploiting Mobile Devices in 2022
Photo from Pexels
Originally Posted On: https://www.alwaysvpn.com/guides/common-attacks-mobile-devices
There are almost 15 billion mobile devices in existence today, which averages out to about two devices per person worldwide. This creates quite a large cybersecurity problem. While the number of total mobile attacks has declined year over year, attacks have become more complex in nature with zero-day exploits seeing a 466% increase in 2021, effectively canceling out the former.
“In 2021, there was a 466% increase in exploited, zero-day vulnerabilities used in active attacks against mobile endpoints.”
Zimperium , Global Mobile Threat Report
Attack Vectors for Mobile Devices
In general, there are four attack vectors regarding mobile devices. Each represents a specific endpoint through which bad actors gain access to valuable information, or in some instances, take over the device itself.
WiFi Network Vector
Bad actors commonly use unsecured WiFi networks to siphon user data. In some instances, attackers will go as far as to spoof a network (create a fake network) that mimics a legitimate one. A spoofed network will usually prompt users to create an account, allowing the attacker to obtain the user’s email along with any data passed through the network.
Attacks through mobile applications are becoming increasingly complex. Applications are frequently at the core of mobile device vulnerabilities, due to the amount of data shared, built-in vulnerabilities, or excessive permissions given by the user. Attacks such as these typically occur through user error, with the user downloading a malicious app leading to malware on iPhone or Android devices, or over-granting device permissions.
This attack form usually takes shape through either phishing, smishing, or spoofing. Essentially, these attacks are carried out through a message, whether it be an email, text, or call. The attacker presents themself as a legitimate entity, but the delivered message contains malicious files, code, or prompts for the user to enter personal data.
Most Common Mobile Attacks in 2022
As illustrated, there are several ways a mobile device can be compromised. One of the most important pieces of security is being aware of current cyber threats. Through the attack vectors listed above, these are the most common forms of cyberattacks seen in the last year:
Data Theft through Unsecured WiFi Networks
Free public WiFi, like the ones accessed in coffee shops, airports, and restaurants, can be found everywhere. Countless users connect to these networks every day, especially with the rise of the workcation. Many are drawn to using them because it avoids consuming personal mobile data, but often this comes at a cost. Nearly all of these networks are unsecured and provide a path for attackers to obtain user data.
To avoid or minimize the risk, avoid connecting to a public network that requires login credentials or account creation.
It’s good practice to refrain from engaging with banking apps, email, online shopping. As a whole, avoid anything that deals with important personal information when using public networks. If it is necessary to use one of these networks, using a security-focused VPN like Surfshark will encrypt your traffic and prevent attackers from snooping.
Data Theft & Malware Injection through Apps
While it may be obvious that applications downloaded outside of official Android or Apple app stores present a clear risk, danger still lurks within these official stores. There are many examples of apps that exist within these official stores which contain Android or iPhone malware or have predatory data collection practices.
Many new, and some old, banking and gaming malware types have cropped their heads up in 2021. Additionally, with the growth of bring your own device (BYOD) policies, data breaches can happen through infected organizational apps.
To mitigate attacks from apps, only download from official Android or Apple stores, or other verified vendors.
On top of that, be extremely scrutinous about which permissions apps are given, especially location, microphone, and camera access. Additionally, the use of a mobile VPN will add in crucial encryption and malware protection.
Phishing and smishing have become extremely prevalent on mobile devices. With clearly faked corporate logos or poorly written messages easily exposing malicious intent, these attacks can be obvious. However, they aren’t always conspicuous and can catch users off their guard.
Due to their physical size, mobile devices often display less information per message compared to a desktop. This may obscure some of the more obvious signs of a faked or spoofed message. Attackers will also often use emotional calls to action, using a sense of urgency or penalty to get the victim to act without thinking.
It goes without saying, but never engage with an email or text message if even the slightest bit of suspicion arises.
Instead, observe the sender’s email address or phone number. Verify the sender’s information against the source they claim to originate from.
On top of this, check the veracity of a link through Google Safe Browsing. This is a tool that will check if the site in question has hosted malware in the last 90 days. Once confirmed as a bad actor, flag and block the sender.
General Mobile Security Tips
Aside from making efforts to prevent the most frequent attacks, there are fundamental actions users can take to maintain good cybersecurity. Using these tips daily will maintain a strong base of security with minimal effort:
- Use two-factor authentication (2FA) whenever possible.
- Use an Apple or Android mobile VPN with included anti-virus software. We recommend Surfshark VPN.
- Ensure operating systems and apps are always up-to-date by enabling auto-updates.
- For each account and app, use a unique, complex username and password.
- Use a password manager.
- Periodically review apps on the device and remove any that are unused or rarely used. The fewer apps on the device, the smaller window of opportunity an attacker has.
Although the number of mobile device attacks fell last year, attackers are advancing their approach with more zero-day exploits. In 2021, 75% of all phishing sites targeted mobile users. Even previously secure platforms like iOS are becoming more vulnerable. The Apple OS accounted for 64% of all mobile-specific zero-day attacks last year. Google recently removed 8 applications from its store containing a virus that allowed attackers to take control of devices, giving access to banking information, credentials, and more.
As a whole, it’s clear that the mobile threat environment is evolving. Upgrading mobile protection, like installing an Apple or Android mobile VPN, and keeping good cyber hygiene is absolutely vital to keep your information secure against modern attackers.