Imagine that your mobile phone could be used to spy on you, listen to your conversations and send information and images from your device to a third party. This is not an imagined, dystopian future; it is the story of the Pegasus spyware, planted on mobile devices by clients of the Israeli surveillance software firm NSO Group.
Although Pegasus is officially sold only to government agencies for law-enforcement use and is aimed at high-value individuals, the story provides some food for thought: mobile malware and spyware are not only aimed at the wealthy and the important. They can have a serious impact on anyone's life.
Other mobile threats, banking malware for example, reach users' devices by a route that early Pegasus attacks also used: a link sent in a message. Many of these infections start when a person taps a link received via SMS or WhatsApp and ends up downloading a malicious app. The payload may be advertising click fraud, mobile ransomware or a banking trojan, and in some cases it roots or jailbreaks the phone to gain full remote control of the device. The malware then lets criminals listen to calls, take screenshots and record what the user types, capturing passwords and banking details.
Criminals use social engineering tools and approaches to lull users into a false sense of security. Dressed up as anything from a parcel-tracking link to a banking confirmation, these messages are designed to provoke impulsive mistakes. And such a mistake can lead to your device being completely compromised, putting you and your financial security at risk.
These infiltrations are designed to get past people's defences. Another form of distribution does not rely on a click at all: it takes advantage of devices that have not been updated, exploiting known vulnerabilities in the phone or its apps for which a patch exists but has not been installed, or, less commonly, vulnerabilities for which no patch exists yet. It is therefore important to keep your mobile devices updated and to minimise your exposure by removing unnecessary apps, downloading apps only from the official app stores and avoiding links sent to your mobile device.
Unfortunately, people are more likely to tap a link on their mobile device than on a computer because they assume the phone is safer, and the small screen makes it harder to inspect a link before tapping it. If you do not know the sender, do not download or tap anything. Do not believe an SMS message that tells you to update your WhatsApp software, or a link arriving through a social media platform that tells you to update an app. Always update from the App Store or Google Play, nowhere else.
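The rules above can be turned into a simple triage check for links in unsolicited messages. The following is an added example, not code from the article or from KnowBe4: it treats an "update your app" link that does not point at apps.apple.com or play.google.com, a shortened link, a direct .apk download, and a message that names a brand but links elsewhere as warning signs. The store hosts, shortener list, brand list and lure phrases are illustrative assumptions, and the sample messages are constructed (the .example domain is reserved for exactly that purpose).

```python
"""Triage links in unsolicited SMS / chat messages.

Added example, not from the article. The host lists and lure phrases below
are illustrative assumptions chosen for this demonstration; the sample
messages at the bottom are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the only hosts from which to accept an app install/update link.
OFFICIAL_STORE_HOSTS = {"apps.apple.com", "play.google.com"}

# A few common URL shorteners (illustrative, not exhaustive). A shortened
# link hides its real destination from the person deciding whether to tap.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Brands that lures commonly impersonate, and the hosts they legitimately use.
BRAND_HOSTS = {
    "whatsapp": {"whatsapp.com", "www.whatsapp.com"},
}

# Wording typical of update, parcel and account-verification pretexts.
LURE_PATTERNS = [
    r"\bupdate\b.*\b(whatsapp|app|software)\b",
    r"\b(apk|install)\b",
    r"\b(parcel|delivery|delivered|track)\b",
    r"\bverify\b.*\b(account|otp|pin)\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_urls(text):
    """Return the http(s) URLs in a message, trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def triage_message(text):
    """Map each URL in the message to the reasons it looks risky ([] = none)."""
    lowered = text.lower()
    lure = any(re.search(p, lowered) for p in LURE_PATTERNS)
    findings = {}
    for url in extract_urls(text):
        parsed = urlparse(url)
        host = host_of(url)
        reasons = []
        if parsed.scheme.lower() == "http":
            reasons.append("unencrypted http link")
        if host in SHORTENER_HOSTS:
            reasons.append("shortened link hides the destination")
        if parsed.path.lower().endswith(".apk"):
            reasons.append("direct APK download (sideloading)")
        if "update" in lowered and host not in OFFICIAL_STORE_HOSTS:
            reasons.append("app-update lure not on an official store")
        for brand, good_hosts in BRAND_HOSTS.items():
            if (brand in lowered or brand in host) and host not in (good_hosts | OFFICIAL_STORE_HOSTS):
                reasons.append(f"names {brand} but links to {host}")
        if lure:
            # Unexpected link plus pretext wording is the pattern the article warns about.
            reasons.append("lure wording with an unsolicited link")
        findings[url] = reasons
    return findings


def is_suspicious(text):
    """True if any link in the message collected at least one reason."""
    return any(reasons for reasons in triage_message(text).values())


# Constructed sample messages for the demonstration.
SAMPLE_MESSAGES = [
    "Your WhatsApp is out of date. Update now: http://whatsapp-update.example/wa.apk",
    "Your parcel could not be delivered. Reschedule: https://bit.ly/3xyz",
    "WhatsApp 2.24 is available on Google Play: https://play.google.com/store/apps/details?id=com.whatsapp",
    "Lunch at 1? Menu here: https://example.org/menu",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "SUSPICIOUS" if is_suspicious(msg) else "no findings"
        print(f"{verdict}: {msg}")
        for url, reasons in triage_message(msg).items():
            for reason in reasons:
                print(f"    {url}: {reason}")
```

The third sample message names WhatsApp but links to Google Play, so it collects no findings; the first one trips every rule at once, which is what a real lure usually looks like. The check deliberately errs on the side of suspicion: a genuine parcel notification with a link is still flagged, because the article's advice is to distrust any unexpected link rather than to guess which ones are real.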
Also be aware of a mobile phishing trick that is a variant of clickjacking: a link hidden under a small graphic made to look like a hair or a speck of dust on the screen. The user instinctively wipes the "dirt" away, the swipe registers as a tap on the hidden link, and the phone opens a connection to the phishing site.
Keeping your mobile device free from infection comes down to a few habits. Watch what you tap, and do not trust unexpected links from unknown sources. Do not share personal information with anyone who calls you, especially if they claim to be from your mobile phone provider or your bank. Never give anyone a one-time PIN (OTP) unless you yourself initiated the transaction with a trusted agent. Mobile devices are as much at risk as computers, so stay aware, stay alert and stay secure.
Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 AFRICA.