These days, it’s the norm to protect your home computer from malware. But what are you doing to protect your cellphone?
Yes, your smartphone can be hacked. The average American spends an hour every day playing with their cellphones, according to a study from Experian. In the meantime, they are taking and sharing a lot of photos, sending personal text messages and browsing the Web.
“A mobile phone is the perfect spying device,” Kevin Haley, director of product management for Symantec Security Response, told TODAY. “You can listen. You can look. You can track location. And you can view every phone call and every text the person makes.”
The most common strategy is through malware. Think about all the permissions we give our apps. Facebook Messenger has access to your location, text messages, camera, stored photos and all kinds of other stuff.
Overall, smartphones are safer from malware than PCs. But they can still get infected. One tactic hackers use is spamming people through social media and text messages with links to download malware.
More often, hackers will take a popular app, insert malicious code and then put it out there for people who don’t want to pay for the real thing. (Experts call it “Trojanizing” an app). Someone might balk at paying $6.99 for “Minecraft,” download a free, unofficial version on a random website, and then happily play it while the bad code does its job.
“If you go off-market, the risk of getting one of these ‘Trojanized’ apps is very high,” Chester Wisniewski, senior security adviser at Sophos, told TODAY. “They are not just giving you free software for the hell of it. They are doing it to infect your phone and make some money off of you.”
Sometimes, the apps spying on you aren’t even malware. This is a problem with technically legal apps that are physically downloaded onto unattended phones with weak or no password protections.
“There are dozens of commercial surveillance products available for mobile devices, marketed towards individuals who would like to spy on someone they know — often a spouse or significant other,” Jeremy Linden, senior security product manager at Lookout, told TODAY.
So if you have a jealous boyfriend or girlfriend who might want to track your location, you might want to invest in some relationship counseling, then pick a better password.
Finally, there are multiple high-tech ways that hackers can intercept your cellphone signals. There are IMSI (international mobile subscriber identity) catchers, which act as fake cellphone towers. One model, called the Stingray, has been used by police agencies across the country — something that some privacy advocates are not too happy about.
Then there are femtocells, normally used by carriers to provide cellphone service to rural areas with very little coverage. They are about the size of cable boxes and can be bought for around $250.
Tom Ritter, a senior consultant for iSEC Partners, and his team hacked one sold by Verizon and were able to intercept phone calls, text messages and photos from phones that connected to it.
“This is a very advanced attack,” Ritter told TODAY, noting that it hasn’t really been seen in public.
“The amount of skill needed to do this is high, but it’s not so absurdly high that it’s impossible to imagine a number of people being able to replicate what we did.”
What Do Hackers Want?
It is possible for hackers to gain access to a cellphone camera and take a picture or capture video, but it’s extremely uncommon, the experts interviewed for this story told TODAY.
For one thing, the camera on a phone is often looking at the inside of a pocket, as opposed to a laptop webcam that is constantly pointed at someone’s face. Still, with a black market out there for private videos, it could be a concern for women.
“This is one of those Internet threats that skew very strongly along gender lines,” Tod Beardsley, technical lead for Metasploit, told TODAY.
The same goes for audio files or anything else you store and send on your smartphone. But most hackers aren’t interested in your private life. They are interested in turning a quick buck.
“To be honest, criminals don’t want your photos. What are they going to do with them?” Wisniewski said.”Most of these cases are blatant money grabs.”
When Trojanized apps are installed, he said, they often enact two common strategies:
1. Your phone will start sending SMS texts to a premium rate number — think of when the Red Cross asks you to text 90999 to donate $10 after an emergency. Except in this case, you are giving away $25 to some faceless hacker.
2. Your phone will be held ransom. At first, Wisniewski said, many of these programs pretend to be anti-virus software, asking you to spend money to get rid of viruses it has discovered. If you refuse enough times, it can completely disable your phone (often with a pornographic lock screen) until you pay up.
Hackers are always looking for login information as well. A social media username and password sell for anywhere from 50 cents to $10 on the black market, he said, because scammers are always looking for trusted places to disseminate shady links.
How to Protect Yourself
The consensus opinion is that it’s a bad idea to download apps that aren’t in official stores run by Google, Apple or Microsoft. Those companies are pretty good at sniffing out malware and regularly remove suspicious apps.
When you do download an app, make sure to read the app permissions to make sure it’s not asking for anything out of the ordinary.
For iPhone and Google Nexus owners, regularly upgrading to the latest operating system can protect against some malware. (Other Android phone users can be out of luck, as carriers often hold out on system updates).
It’s also very important to password protect your phone, preferably with a code that isn’t 1234. A jealous partner or coffee shop criminal can’t download malicious apps on phones they can’t access.
There are many companies out there that sell anti-virus software for phones. They aren’t always effective, since a lot of malware is downloaded and given permission by the user, instead of illegally infiltrating their phone. But it doesn’t hurt.
And while there are things you can do to protect your smartphone, it’s probably more important to pick a good Gmail password.
“The problem is not so much hacking into the phone itself,” said Ritter. “It’s more about hacking into a connected email or Apple account.”