Consumer Comeback Blog

A Goldmine for Hackers: Your Smartphone

A piece of technology is truly innovative if you can’t imagine life without it, and the smartphone certainly fits that criterion. With hundreds of thousands of apps seconds away from download, you can entertain yourself for hours or take care of your day’s errands in minutes. It’s an indispensable tool for those who value efficiency and convenience.

However, as technology advances and becomes more sophisticated, so does crime. Opportunistic crooks have used smartphone technology to take advantage of people’s propensity to let their guard down when using their devices. According to data released by Javelin Strategy & Research last winter, more than 11.6 million Americans were victims of identity theft in 2011, a 13% increase from the previous year. Phones and social media sites, often used in tandem, received blame as the primary culprits for the rise.

Seven percent of all smartphone users were victims of identity theft, a one-third higher incidence than the general public. Additional data compiled by Javelin shows that many users aren’t taking the appropriate measures to protect themselves: 62% don’t password protect their home screens and 32% save login information on their device.

Previous sources for extracting consumer information, such as banks and merchants, have heightened security, making it more difficult for hackers to meet their quotas. The hackers’ response has been to skip the middleman and go directly to consumers, who have proven to be much more vulnerable.

How Hackers Procure Your Personal Information

Experts warn that smartphone hacking is expected to rise this year as users slowly adjust to the threat, a reflection of the increasing numbers of smartphones in use. Android devices specifically have been targeted because hackers have a relatively easy time maneuvering through the open platform. A report from NQ Mobile shows that 10.8 million Android devices were infected with malware worldwide in 2011. Also last year, Lookout Mobile Security estimated that Android users lost more than $1 million to mobile threats.

Hackers are expanding their criminal portfolios by employing old-school methods, adopting many of the same tactics used for PCs. Mobile malware has evolved from its humble beginnings eight years ago, when an anti-privacy Trojan found in the game Mosquito sent SMS text messages from users, unbeknownst to them, to its parent company Ojam. The Trojan-SMS.AndroidOS.FakePlayer.a invaded Android devices in 2010, becoming the first piece of malware to spread among smartphones. Users infected with it encountered larger-than-normal bills because it covertly sent SMS text messages to premium rate numbers.

But having your phone bill inflated is a relatively minor problem compared to having thousands upon thousands of dollars stolen from your bank account. Banking Trojans intercept financial transaction data and enable hackers or their clients to drain the accounts, in some cases costing the victim their entire savings. The Zeus Trojan is one example that made headlines in 2011 for attacking Android systems. Users who access bank accounts for their employer with their devices may experience this as well. Hackers value business data just as much as they do personal data.

The technology business publication Tech Journal predicted that users will see more malware attached to banking and financial apps in 2012. Those who are driven to download anti-malware applications for protection should proceed with caution, as they could be cleverly disguised malware. An increase in SMS fraud scams is expected as well.

Some malware seeks information about your phone – such as its product ID, International Mobile Equipment Identity (IMEI) number, and International Mobile Subscriber Identity (IMSI) number – to store for future attacks, and some spies on the user, recording their GPS location, emails, text messages, and even phone conversations, and forwarding them to the hacker.

Malware creators have had the blueprint to build malware – their primary task in the early stages of their enterprise was to find ways to gain access to users’ devices. This has been accomplished by: downloading apps, attaching their malware by inserting the code, and re-launching the app in the marketplace; attaching malware to existing apps by giving users the opportunity to download an “upgraded version” of the app, which enables an upgraded version of the malware to invade their devices; and offering downloads outside of the marketplace promising to enhance the app, giving the malware a direct avenue through which to infect the device.

Less advanced hackers may use more primitive methods for obtaining personal information. They may call posing as your phone provider, requesting information to bring your account up to date, or send a phishing email asking you to log in to your account. In both cases they’re attempting to gain access to your account, which in turn provides them access to a veritable buffet of personal information they can use nefariously.

Staying Ahead of the Game

A new industry has emerged due to the increased threat to smartphone security, and it’s expected to experience a dramatic upswing in business in the coming years. Last year a report from companiesandmarkets.com projected that the global smartphone security software market will reach $3 billion by 2017. At the time, just 23% of smartphone users had enabled security software, according to the report.

McAfee, an industry leader in computer security, is developing a program that warns of possible threats by analyzing “permissions” sought by an app from your device. In other words, apps soliciting information that doesn’t pertain to their function will be flagged. Employing technical common sense, this program would make avoiding malware easier for users. Until there’s an abundance of well-developed, comprehensive anti-malware programs from which to choose, however, you will have to take your own measures to protect your information:

  • Never put yourself in a position to lose your phone. By allowing someone else to gain access to your phone, you’re giving them direct access to your personal information – it’s not much different from losing your wallet. Always keep your phone in your hand or in your pocket. Refrain from casually placing it on a table, whether you’re at work, a friend’s house, or a restaurant. Don’t even leave it in your car, as it could be stolen.
  • If your phone has been stolen, act immediately. Call your phone service provider and request to have your data wiped. This will ensure the thief won’t have much information with which to work. Your provider should cancel your service on the phone to avoid additional charges from usage by the thief.
  • Download wiping and backup apps. A wiping app will ensure you won’t have to make such a request from your provider. For example, some are triggered by a specific number of password failures, sniffing out a potential hacker. Backup apps will ensure your data is saved for future use – by you.
  • Password protect your device. It shouldn’t take more than a minute to set up, and it will provide more protection for your device than any other method. Android and iPhone users can create a numeric or alphanumeric passcode. For Android users, this is better than the usual swipe feature.
  • Don’t root your Droid or jailbreak your iPhone. Phone fanatics enjoy the full control that comes with it, but they’re only making their phones more vulnerable. If you can have access to your device’s basic systems and folders, so can a hacker. It’s wise to avoid apps that require rooting. Ultimately, you must decide whether or not the risk is worth the reward.
  • Don’t be so permissive with apps. If you’re like most Android users, in your haste to download a new app, you probably blindly grant permission for it to access a variety of different areas of your device. In the future, though, you should take the time to review each permission request. Remember, apps are a prime carrier of malware. iPhone users are better protected against these threats, as Apple denies apps that needlessly ask for permission.
  • Ensure your banking app is secured. Secured banking apps won’t allow you to remain signed on after you’ve logged in. Wells Fargo online takes it a step further, creating an alias to hide your account number. If you don’t trust that your bank is taking the proper measures to ensure your security on your device, remove its app.
  • Avoid suspicious websites. The same rules apply as when you’re browsing the web on your PC. Crudely constructed webpages and even ads have been cited as sources of malware.
  • Download existing security software. When you can’t avoid that suspicious looking site, you’ll need backup support. Take what you can get. These programs haven’t entirely evolved yet, but they’re certainly better than nothing. Continue to download updates as they become available.
  • Avoid public Wi-Fi connections. The dangers of free public Wi-Fi have been well-documented. Public, unsecured connections present fraudsters and scammers the perfect opportunity to steal your information. If you must connect your device to Wi-Fi, make sure it’s password protected.
  • Use your best judgment. Don’t record your PINs and passwords for your own memory in parts of your phone that can be easily accessed by others. Don’t open suspicious emails or texts. Don’t ignore data breach notifications. Being mindful about security can prevent a lot of trouble in the long run.
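
The permission check described above (flagging apps that request access unrelated to their function) can be sketched as follows. This is an added example, not McAfee's program or code from the original article; the category baselines, the reason strings and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baselines: what each kind of app plausibly needs (illustrative only).
EXPECTED = {
    "media_player": {"android.permission.INTERNET", "android.permission.WAKE_LOCK"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}

# Real Android permissions that map to the abuses the article describes.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send premium-rate SMS and inflate the bill",
    "android.permission.READ_SMS": "can read text messages",
    "android.permission.READ_PHONE_STATE":
        "phone identifiers such as IMEI/IMSI on older Android versions",
    "android.permission.ACCESS_FINE_LOCATION": "exposes GPS location",
    "android.permission.RECORD_AUDIO": "can record conversations",
}

def requested_permissions(manifest_xml):
    """Collect every <uses-permission android:name=...> in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without a name

def audit(manifest_xml, category):
    """Return sorted (permission, reason) pairs outside the category baseline."""
    if category not in EXPECTED:
        raise ValueError(f"no baseline for category {category!r}")
    extra = requested_permissions(manifest_xml) - EXPECTED[category]
    return [(p, SENSITIVE.get(p, "not in baseline; review manually"))
            for p in sorted(extra)]

# Constructed sample: a "media player" that also asks for SMS and phone state.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_MANIFEST, "media_player"):
        print(f"FLAG {perm}: {reason}")
```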
