
Nadine Barrett-Maitland | Smartphones and devices the weakest link for attacks: What we need to know

Published: Thursday | March 2, 2023 | 8:28 AM
Nadine Barrett-Maitland

THE USE of smartphones has grown exponentially over the last decade. Smartphones have not only revolutionised the ‘infotainment’ industry, but have changed the way we live, learn and do business. According to Statista, the number of smartphones in use around the world has surpassed six billion, and growth is projected to reach 7.69 billion by 2027. In developing countries, most connections to the Internet are via smartphones.

The nature of smartphones – flexibility, ease of use and the ability to reduce the cost of communication – has resulted in the growth in their use. Unfortunately, wireless communications, like technology, can be described as a two-edged sword. The increased use of smart/mobile devices makes them very attractive targets for career virus developers in the mobile communications network. Mobile devices account for more than 60 per cent of digital fraud.

Smartphones have the weakest security when compared to other technological devices. Increased security technologies and architecture in these devices would result in increased cost, hence these devices remain the most vulnerable. As a result, the vulnerability vector is very high for smartphones and other devices, and this makes them the main source of attack by malicious users of the Internet. Smartphones are built with very little security. The main vulnerabilities are: system faults/defects and insufficient management of applications.

It is virtually impossible for some defects to be found before deployment and usage. While some defects can be remedied, some can only be corrected by changing the device or the architecture, and these defects are usually targeted and exploited by attackers. The freedom of users to connect to unsecured networks and the lack of awareness by smartphone users heighten security and privacy risks, increasing the chances for malicious attacks. Thousands of viruses are created for smartphones every day. With the Q3 2022 report indicating that in the last quarter of 2022, over 5.6 million malware, adware and riskware attacks were identified, we need to pay attention to the use of these devices.

PRIVACY ISSUES

A study by Princeton University confirms that privacy concerns are valid, since trackers are making use of information that seems meaningless. Information from battery status application programming interface, otherwise called battery readout, which was created to alert users of the charge level of their phones, can provide information about the device user’s behaviour and allows monitoring, as it also provides information about usage time and the user’s pattern of use. This tracking script provides data that can enable behavioural analysis.

Additionally, connecting to other devices, for example, at school or work, facilitates further tracking and also opens the way for access to these systems. Some companies use the information to target users for marketing their product and services. Attackers will then get access to not only personal devices, but also the organisation’s network and all connected devices. From a privacy perspective, even the most unlikely mechanisms can result in unexpected consequences. Paying attention and viewing our digital footprint through a privacy lens can decrease the chances of abuse and unwelcome surprises.

SECURITY ISSUES

Security researchers point out that the seemingly harmless information collected by battery readout can create a pseudo identifier for each device. This increases the possibility of identifying users on the network. Virtual private networks (VPN) or ad blockers cannot prevent someone from getting access to your battery status readout and tracking you and the sites you visit. This creates security vulnerabilities; our only hope is that there may be safety in numbers.
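As an added illustration (not part of the original column), the sketch below shows how identical battery readouts tie together two visits made from different IP addresses, and how coarser readouts put several devices in the same bucket, which is the "safety in numbers" effect. The visit records, site names and IP addresses are constructed, and `coarsen` is an assumed mitigation that the column does not describe.

```javascript
// Constructed sample data: visits a third-party script on several sites could log.
// level, charging, chargingTime and dischargingTime mirror the Battery Status
// API's BatteryManager fields; sites, IPs and timestamps are invented.
const visits = [
  { site: "news.example", ip: "198.51.100.7", t: 1000, level: 0.43, charging: false, chargingTime: Infinity, dischargingTime: 8940 },
  { site: "shop.example", ip: "203.0.113.20", t: 1012, level: 0.43, charging: false, chargingTime: Infinity, dischargingTime: 8940 }, // same phone, now behind a VPN
  { site: "shop.example", ip: "192.0.2.55", t: 1015, level: 0.81, charging: true, chargingTime: 1260, dischargingTime: Infinity },    // second phone
  { site: "blog.example", ip: "192.0.2.90", t: 1020, level: 0.41, charging: false, chargingTime: Infinity, dischargingTime: 9100 },   // third phone
];

// The battery readout, taken as-is, acts as a short-lived pseudo identifier.
function readoutKey(v) {
  return [v.level, v.charging, v.chargingTime, v.dischargingTime].join("|");
}

// Assumed mitigation (not from the column): expose only a coarse level and
// no time estimates, so that many devices share the same readout.
function coarsen(v) {
  return { ...v, level: Math.round(v.level * 10) / 10, chargingTime: Infinity, dischargingTime: Infinity };
}

// How many different readouts appear in a set of visits.
function distinctKeys(records) {
  return new Set(records.map(readoutKey)).size;
}

// Pair up visits whose readouts match within windowSec seconds even though
// the site or the source IP differs.
function linkVisits(records, windowSec) {
  const links = [];
  for (let i = 0; i < records.length; i++) {
    for (let j = i + 1; j < records.length; j++) {
      const a = records[i], b = records[j];
      const differs = a.site !== b.site || a.ip !== b.ip;
      if (differs && Math.abs(a.t - b.t) <= windowSec && readoutKey(a) === readoutKey(b)) {
        links.push([a.site + "@" + a.ip, b.site + "@" + b.ip]);
      }
    }
  }
  return links;
}
```

With the precise readouts, `linkVisits(visits, 30)` yields exactly one pair, the phone that changed IP address; after `coarsen`, the first and third phones produce the same readout and can no longer be told apart.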

SOME SMARTPHONE SECURITY BEST PRACTICES

• Ensure that you download apps from official app stores

Third-party app stores may not test the apps as rigorously as official app stores such as the Google Play Store or Apple’s App Store.

• Reduce or avoid connecting to public Wi-Fi from your smart/mobile device

Unsecure Wi-Fi hotspots increase vulnerabilities and put your mobile data at risk.

• Check an application’s settings before you download

Applications that request that you disable settings can make your device security vulnerable or allow access to data on your phone’s memory, and could compromise your privacy.

• Use a reputable mobile security app

Use mobile security applications that scan apps before you download and those which automatically let you know about malware, privacy and other risks. This proactive protection also includes lost or stolen device recovery that sets off an alarm to easily find or see the location of your missing phone or tablet on a map.

• Update

Install the latest updates and fixes for your device; these can help to protect your device from the latest vulnerabilities that may have been identified.

USERS’ LACK OF AWARENESS

Users of smart devices must be careful of the apps that they download on these devices. Smartphones offer so many convenient ways for conducting business, such as, but not limited to, banking, paying bills, accessing emails, and so many other things. There are several options for carrying out these transactions. One of the preferred ways is via mobile applications (apps); and today there is a mobile app for everything. Experts continue to find malware in app stores. Some notable ones are the Joker Trojan, found in 2021, which signed up victims for paid subscriptions; the Facestealer Trojan, which steals credentials from Facebook accounts; and various banking Trojans. Attackers have found ingenious ways to mimic legitimate apps that are already published in app stores/sites, for example, a photo editor or a VPN service.

There are also scamming apps, such as the Fakecalls banking Trojan and the Sova banker, which steals cookies and gives attackers access to the user’s current session and personal mobile banking account without their needing to know the login credentials. The Vultur backdoor uses Virtual Network Computing to record smartphone screens; when the user opens any app that is of interest to the attacker, they can monitor onscreen activities. The first Game thief-type mobile Trojan was discovered in 2021; its aim was to steal account credentials for the mobile version of PlayerUnknown’s Battlegrounds.

Information is still limited regarding how companies are using battery readouts, but we should keep an eye on these developments. Studies have indicated that many companies are using this ‘innocent’ data collected for secondary purposes other than the initial intended use. Recent reports indicate that connecting to public Wi-Fi gives malicious users access to your phone anywhere in the world. These persons get access to everything on your device, from your bank account to your email and the pictures on your smart device. The more dependent you are on your smartphone and devices, the greater the risk if they are compromised. Businesses need to develop policies regarding how these phones connect to the organisation’s network, because they are one of the main sources of infection to networks. Individually, we need to be very careful how we download things from the Internet. Be aware, and do not wait for a threat to strike before taking the necessary precautions.

Nadine Barrett-Maitland, PhD, is a senior lecturer at the School of Computing and Information Technology, University of Technology, Jamaica. Send feedback to columns@gleanerjm.com.