Companies threatened by smartphone attacks? Learn about four popular cybercrime methods using phones

September 10, 2019 Aneta Stokes

Business phone: usually a smartphone, connected to the Internet 24 hours a day, seven days a week, with access to company emails, customers’ personal data, and confidential information. It’s rarely protected to the same degree as company computers, and placed at the employee’s disposal, with great confidence in their general knowledge of cybercrime.

Private phone: usually a smartphone too, almost always online, solicited by tempting applications asking for permissions of any kind (sometimes involving high risk), and — as research shows — often used by employees for business purposes (handling emails, checking their calendars, work schedules), but remaining completely out of the company’s control.

Hacker behind the screen

Cybercriminals may be interested in your employee’s phone because it provides the easiest access to your company’s resources. They are doing it more and more boldly (Symantec reports there has been a 12% increase in cyberattacks on large organizations and enterprises), most often taking advantage of a lack of awareness and human error. The consequences? The leakage of confidential information, data loss, huge costs and fines (even resulting from GDPR violations) and, consequently, even the closure of the company.

Method #1: Disguised apps

Even if your employees download apps on their business smartphones from the official Google Play Store, this doesn’t guarantee total security. Google defends itself bravely, but products whose main purpose is to mine data from a mobile device are still there. At best, they flood us with spam; at worst, they can take over user accounts on social media, access our bank accounts, reveal company secrets, or steal a contact database.
Several of those malicious apps were recently detected by Symantec. It turns out that they’ve been on the shelves of Google’s store for a year, and during that time have been downloaded by more than 1.5 million users. The apps (OCR Text Scanner, GTD, Color Notes, and Beauty Fitness) urged the users to click on fake ads that slowed down data transfer and the phone’s operation.

Method #2: App doppelgangers

The second category of harmful apps are those that directly impersonate other, mostly banking apps. Their names and logos are misleadingly similar to the original, and the attack is based on the mass sending of text messages with an active link. Since such apps require the user to enter login details and a password to access the account, criminals are soon able to move freely around the control panel. With control over the phone, they also have access to incoming text messages with a one-time password, which allows them to change transaction limits on the account, or make transfers to the specified account.
This is exactly how the app that hackers used to attack mBank clients last year worked. The clients received text messages with a link to update their banking software. All those who followed the instructions and provided their ID and password lost control of their account.
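
An added example (not from the original article): one way a defender could screen an MDM app-inventory export for doppelganger apps like those described above. The inventory format, the "Example Bank" entry and every package name and certificate digest are constructed placeholders; `com.android.vending` is the installer package name of the Google Play Store.

```python
import difflib
import unicodedata

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed allowlist: protected label -> (package name, signing-cert SHA-256).
PROTECTED_APPS = {"Example Bank": ("com.example.bank", "aa" * 32)}

# Constructed inventory rows, shaped like a hypothetical MDM export.
SAMPLE_INVENTORY = [
    {"label": "Example Bank", "package": "com.example.bank",
     "cert_sha256": "aa" * 32, "installer": PLAY_STORE},
    {"label": "Example Bank - Update", "package": "com.examp1e.bank.update",
     "cert_sha256": "bb" * 32, "installer": None},
    {"label": "Weather Today", "package": "org.example.weather",
     "cert_sha256": "cc" * 32, "installer": PLAY_STORE},
]


def normalize(label):
    """Fold case and accents, drop punctuation and spaces."""
    folded = unicodedata.normalize("NFKD", label).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def audit(inventory, threshold=0.75):
    """Return (package, reasons) for apps that imitate a protected app."""
    findings = []
    for app in inventory:
        for label, (pkg, cert) in PROTECTED_APPS.items():
            if app["package"] == pkg and app["cert_sha256"] == cert:
                continue  # the genuine app
            reasons = []
            if app["package"] == pkg:
                reasons.append("package matches but signing certificate differs")
            else:
                score = difflib.SequenceMatcher(
                    None, normalize(app["label"]), normalize(label)).ratio()
                if score >= threshold:
                    reasons.append(f"label resembles {label!r} ({score:.2f})")
            if reasons and app["installer"] != PLAY_STORE:
                reasons.append("not installed from Google Play")
            if reasons:
                findings.append((app["package"], reasons))
    return findings


if __name__ == "__main__":
    for package, reasons in audit(SAMPLE_INVENTORY):
        print(package, "->", "; ".join(reasons))
```

The similarity threshold is a tuning knob: lower values catch more lookalike names but flag more legitimate apps for review.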

Method #3: Shady supplier

Are you planning to buy smartphones for your employees from a lesser known, exotic brand? Have you seen sales offers for the Doogee BL7000, M-Horse Pure 1, Keecoo P11, or VKworld Mix Plus? Be careful! In addition to the standard operating system and more or less useful gadgets, some hardware providers equip phones with spyware or a virtual “backdoor” that allows them to remotely access the device and the information stored on it without the user’s knowledge.

Method #4: Bugging

False base stations, so-called “IMSI catchers,” are used most often by authorized services. It turns out, however, that such devices can be bought on the black market, or — a version for hacker handymen — constructed at home. They enable eavesdropping, call recording, and even the interception of text messages. IMSI catchers are not assigned to or installed on a particular device; the hazard is related to the place where the “target” is located. That’s why neither prevention nor detection of this trap is easy.
In our training, we also talk about other types of attacks from the “Man in the Middle” group, in which an attacker positions themselves between the phone and a trusted element of the system.

Cybersecurity in your organization

Your employees — even if they aren’t fully aware of it — guard the security of your company’s resources by standing in the front line of defense against a cyberattack. They most likely have Android smartphones (market share is currently 74.45% Android to 22.85% iOS), which are much more vulnerable to attacks than iPhones. If you equip them with company mobile phones, consider implementing an MDM (Mobile Device Management) system that will allow you to ensure an adequate level of data security. However, tools alone aren’t enough if there’s a lack of knowledge and awareness of the risks involved. Information security training should nowadays be a basic part of every employee’s equipment. Since employees are the guardians of your company’s security, it’s worth giving them the best weapons.
