Recently I was asked to discuss the cybersecurity risks associated with smartphones and the possibility that those devices could be compromised and information stolen. As part of the conversation, an all too familiar story was told about an older gentleman who had been prompted through a fear-based social engineering phone call to go to the bank and withdraw a significant amount of money to avoid some fictitious financial penalty. What was a little more unique in this situation was the fact that the older gentlemen had also been prompted to download an app on his smartphone that had in turn given the attacker control of that device. Fortunately, an alert bank employee noticed something strange during the transaction as the older gentleman continued to receive directions from the attacker via his phone. The bank employee intervened and, after some effort, was able to power off the gentleman’s phone and get to the bottom of the scam.
Sadly, this is not a terribly unique situation. Creative and malicious vishing (voice phishing) attacks take place everyday, targeting young and old alike. What is a little more concerning is the evolution of malicious applications and the use of these applications to take remote control of a device during a social engineering attack, thus giving the attacker near complete control over the situation and ramping up the fear factor for the victim.
In the situation with the older gentleman at the bank, his problems did not end once the attack was discovered and his phone was powered off. At that point, his smartphone, a low cost, prepaid Android device, was compromised and unsafe to use. The bank employee rightly recommended he factory reset the device or replace it, but neither option was honestly viable for the victim. He lacked the technical skill to properly reset the device and he could not afford to simply throw it away and buy another one. Because it was a big box store purchased prepaid device, he could not walk into a wireless carrier store and ask for help. He was stuck.
In talking through this situation, several questions came to mind. First and foremost, what can we (the IT security and cybersecurity community) do to help? That question prompted others – are certain mobile devices safer than others in terms of their ability to prevent these types of social engineering and malicious device takeover attacks, is this issue age related or more widespread, and what tips and tricks can we provide to help mitigate these types of cyberattacks? I want to take a moment and work through some of these questions and see if I can provide some answers that will help keep people safer when dealing with these types of attacks.
Are certain mobile devices safer than others?
This is a very loaded question and feeds into the ever present and ongoing debate of Google Android versus Apple iOS. Let me begin by stating that I am not here to advocate for one manufacturer over another – both device families has some great security features and both device families have the potential for compromise by a cyber bad guy. I do want to talk about some features and specific design methodologies provided by each manufacturer that can impact a victim, both positively and negatively, in the scenario we are discussing – vishing and remote device takeover. Let’s look at some relevant statistics to better frame this conversation:
Apple iOS is the more prevalent mobile phone operating system in the U.S. at 53% to Google Android’s 46%. (Statista 2022)
That said, the Android OS accounts for more than 50% of all malicious infections of devices in the U.S. followed by Microsoft Windows at 23% and Apple iOS at less than 1%. (Nokia Threat Intelligence Report 2021)
So, if Apple leads in terms of market share for smartphones, why is Google Android so far ahead in terms of operating system malicious infections? There are several reasons. First, Google Android, as an operating system, runs on many different platforms beyond smartphones. The Android OS can be found on a variety of IoT devices including smart TV’s, tablets, home automation systems, appliances, and many other Internet-enabled platforms. As such, the attack surface for Android OS is simply larger than Apple iOS. Second, the Google Android OS is a much more open and customizable platform in terms of the sources and types of applications that can be loaded to an Android device. Application downloads for the Android OS are not necessarily restricted to the Google Play Store and, as such, cannot be as closely vetted and verified when compared to the relatively closed application ecosystem of Apple’s iOS. Third, Google does not own and control all of the hardware platforms on which Android OS is loaded. Dozens of smartphone manufacturers use Android OS for their devices, and, therefore, those manufacturers can to an extent control the applications that ship on those devices. Once again, this is very different for Apple iOS as Apple manufactures all smartphones and tablets and devices that run their operating systems. Apple has built a closed, proprietary ecosystem for its “iDevices” and controls all applications that can be listed and downloaded from its App Store. This approach has made it significantly more difficult, though not completely impossible, to load malicious software on an Apple device and facilitate remote control. Given all of this information and each manufacturer’s approach to application installation control, it is a fair statement to say that Apple’s smartphones are a safer platform in this specific situation.
Please do not take this specific conclusion and extrapolate that Android devices are less safe overall when compared to Apple devices. Both operating systems have their specific strengths and weaknesses. Google Android OS, for example, provides one of the most flexible and secure identity management platforms available, providing numerous secure ways to validate the identity of the device user and ensure physical compromise is extremely difficult for the bad guys. Android’s flexibility and portability has also created opportunities for lower cost smartphones and tablets that have brought internet access to people and places it otherwise may not have reached. That said, everyone needs to understand the potential security challenges with these devices in certain situations and take proper precautions.
Is the growth of malicious device infection and the prevalence of social engineering attacks age related?
I am sure many people will read the details of the incident at the start of this article and focus on the word “older” that was used to describe the victim and draw the conclusion that this type of scheme is designed to prey on novice internet users. Those people would be both right and wrong. This type of scam is often targeted at older Americans, but not because of a lack of internet experience. Consider these statistics:
10 years ago, less than 46% of Americans over the age of 65 used the Internet. That number is now greater 75%. (Pew Research)
Over 61% of Americans over the age of 65 have a smartphone. (Pew Research)
Older Americans are quickly becoming savvy Internet consumers, but this same demographic has a specific set of fear triggers that make them particularly susceptible this is type of social engineering attack including a fear of lost income or the failure to meet a particular commitment. Younger Americans also fall prey to these types schemes on a regular basis. The cyber criminals simply make a few tweaks to the script based on clues gathered during the initial conversation. Younger people tend to fear a loss of services or damage to their reputation via social media or a threat to their children. At the end of the day, it is important to remember that the cyber bad guys have developed strategies to adapt their attacks based on the audience they reach and all of us are targets.
Tips and Tricks to Stay Safe
Here are a few tips that can help you avoid the pitfalls of this type of social engineering attack and keep you and your personal information safe:
Do your own research – When you receive a call from someone supposedly representing Microsoft or Amazon or another merchant claiming some type of issue (fraudulent transaction, late shipment, account compromise, etc.), pause, take a moment to think about the situation, and question what you are being told. DO NOT take any action based on the recommendations of the person on the other end of the phone call. Politely tell them you will research the issue and call them back on a publicly published phone number. Go to the merchant or organization’s website. Check your account. Call or chat with their publicly listed support team. At the end of the day, very few if any merchants will call you with these types of issues and they will always provide valid information via legitimate websites.
Think before you download – Never download applications for your smartphone or tablet via a link sent to you or from an unknown website. Use the Apple App Store or the Google Play Store for all application downloads. Read and verify the app reviews and the number of historical downloads.
Be willing to hang up – As mentioned earlier, do not allow yourself to feel pressured to do something that makes you uncomfortable. It is ok to hang up, look up a valid phone number for the organization in question, and call that number back once you have more information.
Multi-factor authentication is your friend – One of the most important things you can do to protect your identity and the applications and services you use on your smartphone and/or via the web is to set up multi-factor authentication (MFA) for all associated accounts. From Amazon to PayPal to your local Bank, nearly all major websites and services support multiple MFA options for authentication. Most can leverage a token or randomly generated code from your smartphone as the second factor of authentication. This will prevent access to your accounts by the cyber bad guys even if they get access to your username and password.
Use unique passwords for all websites and services – It is very important to NOT reuse the same password for multiple websites, services, and applications. Most usernames are tied to a person’s email address, so if a cybercriminal gets a password for one site or application, it is not hard to use that same email address and password to access that same user’s other services and websites. In order to make the use of unique passwords for all websites and applications easier to manage, I highly recommend pairing this strategy with a reliable, encrypted and secure password manager. This tool will allow you to store and easily recall all your unique accounts in a safe and secure manner. 1Password, LassPass, and KeePass are good options to consider.
Secure your mobile devices with passcodes / passwords – Modern smartphones and tablets have made local device authentication very easy, so there is no good reason not to protect your devices with a passcode or password. This level of protection better secures your device in the event it is lost or stolen or if it is accessed in some way remotely and the screen is locked. This can be as simple as a 6-digit code or as complicated as a long alphanumeric passphrase. Fortunately, most current smartphones and tablets can frontend this code with facial recognition authentication like FaceID or biometric authentication like a fingerprint reader.
In talking through all of the factors and mitigation strategies associated with this particular type of social engineering attack, the most important piece of advice I can share is this – “learn to control your fear”. Bad guys prey on fear. They manufacture fearful situations. If you can remain calm, take a deep breath, ask a few relevant questions, and do a little research, you should be able to safely navigate these types of threats without any harm.