Smartphones today are small computers that fit in your pocket. Unfortunately, a computer – any computer, even your phone – can be hacked. It may not always be easy, but it can definitely happen. In this post, we’re going to look at the most prevalent methods used to hack smartphones. We’ll also show you the most common signs your phone has been hacked and provide tips on keeping your phone secure (and un-hacked).
Let’s get started.
Methods used to hack phones
Phishing is a social engineering tactic that attempts to trick unsuspecting victims into disclosing personal information, like usernames, passwords, credit card numbers, etc. Usually, the attempt will come in the form of an email or text message that appears to be from a legitimate organization with whom you have a relationship.
The message might state that there’s an issue with your account and that you should follow a link to sign in and fix the problem, or promise steep discounts and prizes if you’re quick enough. Clicking the link takes you to a lookalike site controlled by the attacker. If you enter your username and password, they then fall into the attacker’s hands, who can sign in to your actual account and do all sorts of mischief.
SIM swapping is a type of attack that can occur after a successful phishing campaign. With enough of your personal information in hand, a malicious actor can contact your mobile carrier, impersonating you while claiming you lost your phone and need to port your number to a new phone (i.e., a new SIM card under the attacker’s control). The customer support rep will, of course, ask the typical security questions to the attacker.
If they’ve done their job right, they’ll be able to answer them all (remember, you’ve been phished once the attacker gets to this point) and the number will be transferred to the attacker’s SIM card. They now have control over your phone number.
Malicious file attachments
Trojans, viruses, and malware usually masquerade as innocuous files. They’re typically sent as attachments in instant messages or emails. When you open the file, the malware is deployed, and your device is compromised.
Malware can steal your data, monitor your keystrokes, use your device’s resources to mine cryptocurrency, redirect you to malicious websites, and hold your files for ransom, among other attacks.
Malicious calendar invites
That’s right. Calendar apps have become an attack vector for phishing attempts. Malicious actors can send calendar invites that appear legitimate, but which, if accepted, can allow the installation of malware on the device, giving the attacker access to your personal data.
Another common avenue for phone hacking is via a malicious app. Malicious apps appear innocuous but contain malware that, as above, can steal data, record keystrokes, mine cryptocurrency, redirect you to malicious sites, or hold your files for ransom, among other attacks. Malicious apps tend to affect Android devices more than iPhones because Android users can more easily install .apk files from third-party websites.
In contrast, Apple only allows apps to be downloaded from its official App Store. But iPhone users shouldn’t believe they’re immune to malicious apps. Sneaky malicious apps have found their way into the App Store before, so be careful what you install.
Pairing your device with an untrusted device over Bluetooth can lead to a compromise of your phone. Your Bluetooth signal can be used to obtain your location and may allow malicious actors to access your phone. Avoid pairing your phone with a Bluetooth device you don’t trust.
As mentioned above, your WiFi antenna is another attack vector that can compromise your phone. A widespread WiFi attack entails the attacker setting up a fake public WiFi hotspot. The hotspot looks like a clone of a legitimate public hotspot (i.e., Starbucks WiFi, for example). Once you connect to the malicious WiFi hotspot, everything you do over that network is visible to the attacker.
Have you ever been out and about with a smartphone that’s low on battery? You were probably quite happy to find a public charging station, allowing you to top up your battery, right? While it’s no doubt convenient, there’s a risk associated with public charging stations called juice jacking.
Juice jacking attacks exploit the fact that it’s possible to infect a device with malware through the USB port. Your phone isn’t as protected from physical threats as remote online threats. Once your phone is connected to the compromised USB port, the malicious actor behind the attack could monitor your keystrokes or download your files and personal information. Juice jacking attacks can also result in a virus or malware being uploaded onto your phone, opening the door to further attacks.
Now you know the most common attack vectors for smartphones. There are others, to be sure, but focusing on these will help you steer clear of the likeliest and most prevalent attacks.
Let’s now look at how you can tell whether your phone has been hacked.
Signs that your phone may have been hacked
While it can be challenging to get some visibility into the inner workings of your smartphone, here are some red flags that can indicate compromise:
- Unusual battery drain: If your usage patterns have not changed, but you notice your phone’s battery is draining much faster than usual, it could be a sign that your phone has been compromised with malware working in the background.
- Increased data usage: A sudden and significant spike in data usage can also be a telltale sign that your phone has been compromised. Many times, malware will consume a considerable portion of your bandwidth.
- Erratic behavior: Spontaneous shutdowns, apps crashing, and generally poor performance can be another sign of a compromise.
- Suspicious apps: Finding apps you don’t recognize and didn’t install on your device is another sign you may have been hacked. Beyond that, malicious apps typically masquerade as legitimate apps but funnel your data in the background.
- Pop-up ads: An unusually high number of pop-up ads may indicate your device is infected with adware – a kind of malware that bombards users with ads.
- Unusual phone bills: If your bill is significantly higher than usual or displays unauthorized charges for calls or messages you didn’t make or send, that can be another sign of a compromise.
- Warm/hot phone: If your phone is consistently warm to the touch – even when not in use – it could be because of malware running in the background.
- Your contacts are receiving strange messages from you: If your friends and family claim they’ve received strange and out-of-character messages that appear to come from you, that’s a pretty clear sign you’ve been hacked.
What to do if you think your phone was hacked?
If you have reason to believe your phone has been hacked, you should do the following as soon as possible.
- Get off the internet: If you have reason to believe your phone has been hacked, the first thing you should do is turn off your WiFi and mobile data. This will prevent further data from being sent to your attacker.
- Backup your data: You’ll also want to backup important data from your phone to a separate device (hard drive or cloud storage).
- Delete suspicious apps: If you notice apps installed on your phone that you know you never downloaded, remove them immediately. Untrusted apps could contain trojans, viruses, or malware.
- Scan for malware (Android only): If you have an Android device, you can use an antivirus app to scan your phone for any viruses and malware. If any are found, the app can help in removing them. Unfortunately, this is not an option for iPhone users.
- Update your apps and operating system: When software vulnerabilities are discovered, a responsible vendor will usually issue a security update to patch the vulnerability. Make sure you update your device and its apps as soon as patches are available.
- Change your passwords: If you suspect your phone has been compromised, you should change your passwords for all your accounts. It is advised to always choose strong, unique passwords that include letters, numbers, and symbols. Using a password manager to generate these for you is also recommended.
- Enable two-factor authentication: Set up two-factor authentication (2FA) for all accounts that support it. 2FA (using something you know and something you have) makes your accounts significantly harder to compromise.
- Review your granted app permissions: Many apps ask for more access permissions than they actually need, opening up attack vectors along the way. You’ll want to go through all the apps on your phone to check the permissions they’ve been granted and revoke them if they seem unnecessary.
- Alert your contacts: If you know your phone has been compromised, it’s a good idea to notify your contacts so they avoid falling into the trap and becoming victims themselves.
- Perform a factory reset: A factory reset of your device will delete all of the data on your phone and restore it to factory settings, so make sure you’ve backed up critical data before doing this.
What can you do to keep your phone secure?
The above is about what you should do if your device has been hacked. But there are also things you should be doing to avoid getting hacked in the first place.
Below is a list of general digital security tips that can help keep your devices secure. There will be some overlap with the above, which simply means that it’s sound advice whether or not you’ve been hacked.
- Ensure your operating system, firmware, and applications on all your devices are current. Always install security updates as soon as they’re available.
- Unless you really know what you’re doing, only download applications from the official stores. Their app-vetting process can definitely keep everyday users safer.
- Uninstall any applications you don’t use from all your devices – especially messaging apps.
- You should also avoid “jailbreaking” or “rooting” your phone. It disables many of the security measures built into iOS and Android.
- Enable your device’s password protection/facial recognition/fingerprint scanner for better security.
- Use multi-factor authentication to access your accounts.
- Set robust passwords for your logins (long, random, and unique passwords), and never reuse the same password for multiple accounts.
- Make regular backups of all your devices. If any of your devices are ever compromised, you’ll be happy to know that you can restore them to an uncompromised state.
- Block web browser pop-ups. And if they happen to pop up despite that, don’t click on them. Ever. Bad actors often use pop-ups to spread malware.
- Use a firewall. All major operating systems have a built-in incoming firewall, and all off-the-shelf commercial routers provide a built-in NAT firewall. While smartphones don’t include firewalls, a malicious actor could obtain the info they need to hack your phone from your computer.
- Use an antivirus program. While primarily for computers, using an antivirus program is not a luxury. Only buy genuine, well-known, and well-reviewed antivirus software from legitimate vendors. Always keep your antivirus application updated and configure it to run regular scans.
- Don’t open attachments in emails/instant messages unless you know who the sender is and that you’ve confirmed with them that they sent you the email in question and are aware of the attachment.
- Don’t click links (URLs) in emails/instant messages unless you know who sent the URL, its destination, and that the sender is not being impersonated. Even then, scrutinize the link carefully. Check the link for incorrect spelling (i.e., ‘Faceboook’ instead of ‘Facebook’ or ‘Goggle’ instead of ‘Google’). If you can reach the destination without using the link, do that instead.
Your smartphone is a pocket-sized computer, so just like any other computer, it can be hacked. Your smartphone is probably the device that holds most of your personal information, so it’s an extremely tempting and potentially lucrative target for hackers.
Hopefully, the tips provided will help you avoid a hack and, to a lesser degree, manage it if it happens.