These days, we don’t only have to be concerned with protecting our home or business computers, but also the tiny hand-sized computers we carry with us daily. Mobile devices are susceptible to the same types of attacks as their older sibling, but with a twist. Alongside the ability to gain access in new ways, attackers have also developed new types of mobile hacks.
Mobile Carrier Network Spoofing
Since your mobile device is running on a cellular network, it is still susceptible to connecting to a fake network set up by the attacker. An attacker can use some HAM radio equipment and an IMSI Catcher and convince your mobile device to connect to their fake cellular network instead of the actual network. The big issue here is that unlike WIFI networks, the user does not have control as to which tower (access point in WIFI) the device connects to. It will choose the preferred network. If the attacker is pushing out a stronger signal than the real tower, a user’s device will automatically jump to it. The attacker can then connect to the mobile carrier network as a base station and carry out a man-in-the-middle attack. It’s also worth mentioning that mobile devices are still vulnerable to MITM attacks over WIFI networks as well.
The likelihood of being a victim of base station spoofing is extremely low, especially in comparison to its WIFI counterpart. However, there are tools available to aid in IMSI-Catcher detection. For example, in iOS 5, the iPhone will alert users that the call is unsecure. There are also several IMSI-Catcher detecting apps available for Android.
Much like e-mail, SMS, MMS, and EMS all provide the attacker a myriad of attacks that can be carried out, including spamming for profit to phishing or spear phishing attacks. An independent research study discovered a flaw that enabled specially crafted SMS messages sent that prompted an automatic reply that could be forwarded to a premium SMS service for profit. Many times the message isn’t even detected (PC World). Although phishing isn’t anything new, it is still one of the more preferred attacks that are carried out. Most SMS phishing scams act on fear. As humans, we react more erratically to a fear-induced situation. For instance, a phishing scam might prompt users that their credit card has suspicious activity and they need to click a link to follow up. The users would be directed to a website that would allow the attacker to harvest valuable information.
The best way to thwart SMS attacks is by using common sense. If a random text message advises the user to ‘click this link’, they are likely being targeted for an attack. It can also happen when the user is the victim of a spear phishing attack, where the attacker impersonates someone that victim is familiar with such as his or her bank or credit card company. Even in these cases, it’s best to contact the institution directly to confirm the message.
Malware can be installed posing as a legitimate app, yet malicious code is being executed alongside the legitimate code. Aside from being able to carry out attacks such as sending premium SMS messages or collecting sensitive data, the attacker could also identify other mobile devices on the same WIFI network. If an infected device enters a network, it could find other mobile devices on the network and exploit them. These devices can then be used to carry out various attacks, or be potential victims for malware propagations.
Although it’s not as popular as it once was, crypto-mining is still around. A user’s device can be infected with malware that searches the device for digital currency. The infected devices can then be used as a crypto currency miner by connecting to an anonymous mining pool, and using the device’s CPU to solve math problems in exchange for digital currency. Attackers aren’t seeing the profits that a large server would produce, but still carry out this attack.
The best way to protect your mobile device from any type of malware including worms and micro miners is to download any application from a legitimate source. Most malicious software comes from third party sources. Also, avoiding suspicious links in both SMS and e-mail messages will help prevent you from inadvertently installing malware.
As technology expands, hackers find new ways to exploit it and devise new attacks to be carried out. Although many of the methods for exploitation are new, how they are executed have been modified to work against the mobile platform. By using common sense and some helpful tools, most of these modern attacks can be mitigated.