Hacking has gone mobile

Written by Joseph Poppy on 13/04/2018

Hacking has gone mobile

In the last ten years, mobile phones have rapidly evolved into the smart devices we spend the majority of our time staring at. Most of us (one in three) now have more computing power in our pockets than Apollo 11 (though if I was planning on going to the moon I’d still go with that). Technological convergence means that our phones are now our cameras, music players, gaming devices and even web browsers. It’s like we’re living in the future. However, with progress comes more problems. We all know that computers can be hacked. Now, phones – being the mini computers that they are, can be too. All the flaws, techniques and exploits used against computers and networks can now be employed against your smartphone. People use their phones for all sorts of things, from email to shopping, streaming to online banking or just browsing the internet. With so many applications on one device, getting hacked raises some serious concerns.

A mix of threats

Some of the most prevalent issues come in the form of malware hidden in applications on Google’s Play Store or Apple’s Appstore. The Ztorg Trojan is currently known to be doing the rounds (primarily on Android devices) and can be quite severe, in that it can send premium rate messages from your device without permission. Then there’s the persistent Hidad family of trojans that can access (and even sell) your personal data, as well as bombard you with unwanted ads.

Phone hacking implications

Relatively simple pieces of software can provide hackers with the potential to gain access to your call records, texts, web history, microphone and even camera. From here, there’s the possibility of them getting at more sensitive information. Fortunately, this software usually requires the user to actively install it. Unfortunately, users often do just that. Accessing certain sites or clicking links without checking them can initiate a background install of malicious software. We are all human and, consequently, quite lazy. No doubt when browsing a site or using a service which requires an account, many of us allow the browser to remember our details. This not only saves us valuable seconds, but also relieves the stress of having to remember a dozen different passwords for all our various accounts. However, should your device ever be compromised, a hacker now has easily access to these accounts.

What does this mean for your business?

From a business perspective, this could spell disaster. Every smartphone in your business becomes another potential weak spot for criminals to exploit. A compromised device could go on to compromise your business. Depending on the nature of the business and the capacity a user is employed in, there could be a lot of sensitive information to be found in their emails and text messages alone. Texts sent to colleagues or managers could well contain information which you’d rather keep private. If they’re logging onto online portals or VPNs there’s even more that can be at risk as your 2FA text could now be in the hands of hackers. More sophisticated pieces of software can access the microphone and even record phone conversations in which sensitive information could be discussed.

Why would people install malware?

Of course, no one deliberately installs malware. Most people are completely unaware that they have. A common method of getting malicious software onto a device (both computers and smartphones) is via phishing or SMiShing. It is not uncommon for users to receive emails or texts that on first glance look official. These will often state something reasonable, such as their password is due to expire and that they need to change it. This is followed by a helpful link. By clicking on the link users will open themselves (and subsequently your business) to the threat of malware or spyware, which can start downloading discretely in the background. Furthermore, if the user does indeed attempt to change their password via the link provided, they will have given hackers the means to access your corporate network as and when they see fit. These methods are often referred to as ‘social engineering’.

Knowledge is power!

This is one of those threats that becomes more of an issue the more employees you have. It only takes one person to click the link and your entire network could be exposed. Whilst there are various precautions that can be taken build-wise such anti-virus apps, restricting the handset etc., the best defence against these types of attacks is education. Knowing how hackers operate, what to look out for and where your weaknesses are can protect your business as well as the best of firewalls and other technology-delivered security controls However, the larger the business the harder it can be to educate and defend against social engineering. With open public Wi-Fi becoming now ubiquitous and phones becoming ever smarter, phone hacking is a growing concern. As technology becomes more sophisticated, so will the methods of attack. Staying informed is becoming just as important as your security software.

In short

The notion of phone hacking is still very much in it’s infancy, but it is rapidly evolving and stands to be a huge threat in the near future if you are not prepared. In many ways, social engineering is one of the biggest threats to your company with very little defence at what can effectively be reduced to ‘human error’. This is why a social engineering aspect of a penetration test is worthwhile for any growing business. Discovering where your weaknesses are and how susceptible to social engineering you currently are, means the easier it will be to shore up your defences. It doesn’t matter how good your other defences are if staff ‘willingly’ give away credentials. The human aspect is often the easiest to exploit.

  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.