July 2, 2021

Security Awareness For Mobile Threats

Bones Ijeoma

CEO and co-founder


Did you know that a mobile device is attacked every 39 seconds? Reliance on cell phones and tablets for business, especially during the COVID-19 pandemic, has increased exponentially. In response, cybercriminals have pivoted their focus to mobile devices and are working on ways to infiltrate via mobile. Ransomware has been developed that can attack cell phones. Malware has been designed to attack Mobile Device Management (MDM) systems, which can infect an entire corporation’s mobile devices in one swoop.

The Stats

In its 2021 Mobile Security Index, Verizon published the results of its annual survey of professionals responsible for the procurement, management and security of mobile devices. The results show that mobile usage is up, and so are the security concerns that come with it.

Some of the most notable stats in the report showed that:

  • 71% of respondents stated that mobile devices are very critical to their business
  • 75% said their reliance on cloud-based apps is growing
  • 40% said mobile devices are the biggest IT security threat
  • 79% saw remote working increase as a result of COVID-19
  • 97% consider remote workers to be at more risk than office workers.

The Risks

Apps: Malware isn’t just for computers. Malicious mobile apps and trojans (apps that appear to have a legitimate purpose, but are malware in disguise) are continually emerging. While most applications obtained through an official app marketplace like the iOS App Store have been security screened, malicious apps have been known to still make it through. The risk of installing a malicious app is many times higher when obtained through less official means, such as sideloading on a rooted or jailbroken device.

Legitimate applications, while inherently safer, can have security vulnerabilities that a cybercriminal would be able to exploit. In 2020, major vulnerabilities were found on popular applications such as Facebook Messenger, Instagram and WhatsApp.

Devices: Mobile devices themselves can have operating system (OS) or even hardware vulnerabilities. A cybercriminal could leverage these vulnerabilities to launch malware, or even cause a device to leak information, including real-time camera and microphone recordings, photos, videos, text messages and GPS/location data.

Phishing and smishing (“SMS phishing”) attempts can be delivered via mobile browsers, fraudulent ads, SMS texts and social media. There are several approaches used to try to compel a user to click on a link or submit private information. Some trick users into thinking they are downloading “free” software or media. Some try to make users think their device is already infected, and direct them to click a link to fix it. Some send messages telling a user that their electric bill is unpaid and they must submit payment information within 30 minutes to avoid disconnection. Some even try to embarrass a user into clicking a link with a message like, “OMG is this you in this video??” During the COVID-19 pandemic, cybercriminals even preyed on people by pretending to offer help.

Network: Mobile devices can be especially prone to leaking sensitive information when on an unsecured network. Free Wi-Fi hotspots are notorious for their susceptibility to being hacked to intercept passwords and data. For example, a cybercriminal could set up an access point at a popular coffee shop and give it a name that looks legitimate (for example, “Starbuckz”). Unsuspecting users would connect to that Wi-Fi network not knowing that it’s actually operated by someone trying to steal their info.
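For IT teams, the lookalike-name trick described above can be checked for automatically. The following is an added example, not part of the original article: it compares Wi-Fi names seen by a device against a list of trusted names and flags near-misses such as “Starbuckz”. The network names, the function names and the distance threshold are all assumptions made for illustration.

```python
import re

def normalize(ssid: str) -> str:
    """Casefold and drop everything except ASCII letters and digits."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def flag_lookalikes(observed, trusted, max_distance=2):
    """Return (observed, trusted, reason) for names that imitate a trusted SSID."""
    findings = []
    for ssid in observed:
        if ssid in trusted:
            # An exact name match proves nothing either way: a rogue access
            # point can copy the name exactly, so this check cannot judge it.
            continue
        for good in trusted:
            d = edit_distance(normalize(ssid), normalize(good))
            if d == 0:
                findings.append((ssid, good, "differs only in case or punctuation"))
            elif d <= max_distance:
                findings.append((ssid, good, f"edit distance {d}"))
    return findings

# Constructed sample data (assumed names, not taken from a real scan).
TRUSTED = ["Starbucks", "CorpGuest"]
OBSERVED = ["Starbuckz", "Starbucks", "starbucks_", "Corp-Guest",
            "AirportFree", "CorpGuest1"]

if __name__ == "__main__":
    for ssid, good, reason in flag_lookalikes(OBSERVED, TRUSTED):
        print(f"{ssid!r} imitates {good!r}: {reason}")
```

A name check only catches imitations; a network that copies a trusted name exactly passes it, which is why the advice below about avoiding public Wi-Fi still applies. Very short trusted names need a smaller `max_distance` to avoid false alarms.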

Mobile Device Management (MDM): Mobile Device Management (MDM) platforms are used by organizations to monitor, manage and secure all of their mobile phones, tablets and laptops. In 2020, security researchers discovered a new type of malware that would attack an MDM server and spread through all of the company’s devices.

How to Avoid Mobile Threats

Fortunately, there are steps you can take to avoid these threats and increase your mobile security. Here are our 12 tips on how to avoid mobile security threats:

  1. Use security software: You wouldn’t dream of using your computer without anti-virus and anti-malware software installed. You need to install these on your mobile devices as well.
  2. Use official app stores: Only download and install apps from the Apple App Store on iOS or the Google Play Store on Android, as these are pre-screened for security. Steer clear of “free” app downloads on third party websites.
  3. Review app permissions: Pay attention to the permissions an app will try to obtain. For example, apps may ask for access to your contacts, your location, your camera and/or your microphone. Consider whether or not an app actually needs that access to serve its purpose.
  4. Update OS and apps: Make sure that your device’s operating system (OS) is up to date. Many of the updates contain patches to fix security vulnerabilities that were discovered since the last update. The same goes for all of your apps as well.
  5. Don't root or jailbreak: Rooting (Android) or jailbreaking (iOS) a mobile device refers to modifying it, usually to access enhanced privileges, remove restrictions, and install unofficial apps. Not only can this void your device’s warranty and cause stability issues, but it can also expose the device to huge security risks.
  6. Don’t click on suspicious links: Phishing can happen on your mobile device, too. Think twice and avoid clicking on links sent in suspicious emails, texts, social media messages, and even ads.
  7. Disable Bluetooth and Wi-Fi when not in use: Not only will this increase your battery life, but it will prevent unwanted and malicious connections. Of course, Bluetooth and Wi-Fi are often needed to connect to other devices such as a smartwatch, speaker, etc. At the very least, set Bluetooth to non-discoverable and set Wi-Fi to never automatically connect to public networks.
  8. Avoid public Wi-Fi: You’re much better off using your mobile phone as a secure hotspot. If you insist on using public Wi-Fi, just assume that potentially anyone can see what you’re doing, so stick to browsing the news or watching a video. Do NOT work on confidential documents, enter passwords or credit card numbers, or access sensitive information while on public Wi-Fi.

Bonus Tips for Businesses

  1. Establish and enforce clear guidelines: 54% of companies that experienced a security compromise attributed it to user behavior. Set security guidelines and make sure everyone acknowledges them. If possible, set up Security Awareness Training to test employees and ensure they are following guidelines.
  2. Enforce strong passwords: Users often create passwords that are easy to guess or crack. Set strong password policies and configure your systems to reject passwords that don’t meet the criteria.
  3. Enforce use of biometrics: Whenever devices allow the capability, enforce the use of biometrics such as fingerprints or facial detection. Not only are biometrics easier and more convenient to use than passwords, but they are proven to provide greater privacy and security.
  4. Use mobile device encryption: Set up encryption on all mobile devices to ensure that the information is protected, even if the device itself is lost or stolen. Encryption scrambles the data and makes it unreadable to those trying to access it without a password or biometric unlock.

We hope the 12 tips above help you feel safer and more confident about your mobile security. AllSafe IT’s comprehensive cybersecurity services are designed to identify, assess, and manage cybersecurity risks. We have aligned with the National Institute of Standards and Technology (NIST) framework for the design of our cybersecurity solutions.