Who is hacking your mobile?

Don't download free apps, among other precautions; we list some

Neha Pandey Deoras
Last Updated : Feb 23 2014 | 11:43 PM IST
With the popularity of smartphones, there is no dearth of new wallpapers, games, music and applications (apps) one can download. The best part is that most are free of cost.

Free downloads come at a cost. They can compromise important details, features and the instrument, if you are not careful.

A recent release from Russian information technology (IT) security firm Kaspersky Lab says by late January 2014, it had accumulated about 200,000 unique samples of mobile malware for Android mobiles, up 34 per cent from November 2013, only two months earlier, when 148,000 samples had been recorded. The report found the number of malicious Android apps had topped 10 million in January.

It added that on January 30, the official Google Play market offered 1,103,1041 applications. Alternative, unofficial stores have many more - and these are more likely to be malicious.

In most cases malicious programs target the user's financial information. This was the case, for example, with the mobile version of Carberp Trojan that originated in Russia. It steals users' credentials as they are sent to a bank server.

Here are some ways of hacking mobile phones and ways to protect your handset.

TELL-TALE SIGNS OF PHONE HACKING
  • Your phone's performance and net browsing become excessively slow, and the battery level drops faster
  • Receipt of email or text messages starts getting delayed; this could be because of a malicious program running in the background
  • Funny characters appear on the phone screen every now and then
  • You hear varied noises during phone calls; this means someone is trying to access your phone
  • Your call history shows calls you hadn't made, especially international calls or messages
  • Unfamiliar charges appear on your phone bill, such as for international calls/texts or an app purchase

INSTALLING REPACKAGED APP
If you're regularly installing apps for free, then you're also making your phone vulnerable to fake and rogue apps. Experts say many hackers download a popular app, insert malicious code into it and then put it back on the Android Play Store as a free copy of a popular app. The most rampant way to compromise data on a mobile phone is downloading free applications, says Altaf Halde, managing director of Kaspersky Lab (South Asia).

What should you do? Try not to install any unofficial apps, especially if these look like free copies of popular premium apps. Do not click on advertisements shown on the bottom of your phone screen and do not subscribe to sites. When you download games, ensure you have read the reviews posted online to confirm that the game is malware-free.

WAYS OF HACKING
  • Vishing: Phishing (typically an attempt to get personal information via e-mails) through the telephone
  • Smishing: Send SMS with a link, clicking on which installs a trojan horse on the mobile, compromising your details
  • SMS spoofing: Send messages using another number. If successful, a lot of transactions can be carried out pretending to be you
  • Pranking for profit: Infect smartphones, send premium texts from the device to a site that withdraws money from a bank or credit account
  • Bluesnarfing: Access information to copy contents of a mobile via Bluetooth, such as calendar, contact list, e-mails, texts, pictures and private videos
  • Madware: Sneaks into a device when an app is downloaded; sends pop-up alerts to the notification bar, adds icons, changes browser settings, and gathers personal information
  • Snoopware: Accesses smartphones to activate the microphone and listen to private conversations or confidential corporate meetings. Also views a calendar and contacts on a handheld device

APPS ASK FOR PERMISSION
Any app will ask for your permission to access phone data before you click on 'accept' for installing the app. Experts say over 70 per cent of Android apps ask for permission for something that can prove risky for your mobile security. Says Halde of Kaspersky Lab (South Asia), "Many of these malware applications look very genuine and people fall for it without reading the 'terms and conditions', which need to be checked before allowing the app to be downloaded to your handset."

When you read the 'terms and conditions', you will notice terms like 'permission to make phone calls' or 'permission to send information by using internet' and 'send SMSes', Halde of Kaspersky Lab adds.

Kartik Shahni, regional director of RSA Security (India & SAARC), explains that trojans come attached when you download music or a wallpaper for free. Different trojans are programmed differently. "For instance, some trojans that are called Key Loggers are programmed to record all the keys you punch in. Therefore, when you punch in your username and password into a mobile banking app, Key Logger records it. Thus, compromising your crucial information," he says.

The information recorded might or might not be used to transact using the same mobile. It can be used from a different instrument. This is because a mobile banking username and password are mostly the same as those for your internet banking.

Androids are most prone to being hacked, followed by Windows phones and iPhones. Reason: There are more Androids than Windows phones and iPhones. Hence, trojans have a bigger Android user base to attack.

Also, Android is not a regulated operating system. It is open source. In comparison, Windows and iOS are regulated. This means there is a code in these phones, owned only by the manufacturing companies, like 7.0 or 7.01. So, the permission to play around with the operating system also lies with only the company. Though banks' mobile apps are pretty secure, a hacker always thinks two steps ahead, making that security ineffective once a mobile phone has been hacked.

What should you do? Read the terms and conditions before installing an app.

DUPLICATING SIM CARDS
Mobile phones can also be hacked through your SIM card, explains Halde of Kaspersky Lab. The fraudster makes a false identity proof, say a driver's licence, using details such as date of birth, mobile number and photograph, often found on social networking sites these days. Using this fake identity proof, the fraudster approaches the telecom company and says he has lost the SIM card and asks for a duplicate one.

While that is being issued, the original card stops working for a brief while. In this time, the fraudster, who has already obtained details such as the bank account number and user ID, will also receive the one-time PIN (OTP) from the bank and transfer funds from the bank account.

What should you do? Do not reveal personal details on social networking websites. If you find that your phone is not working for some time, check with your operator if there is a problem with the network. If not, check if someone has requested a duplicate SIM. If you have two phones, it is better to register with the bank the SIM card that is not frequently used.

THROUGH FREE WI-FI
In public places like airport lounges and coffee shops, hackers might provide you free wi-fi and then use the same network to hack your phone. When you browse online, you give out crucial information. The other very common way of entering your mobile phone is when you use it to access a corporate network through a Virtual Private Network. Then, the malware can travel and affect the network. "Say you have a business and some crucial business information is in your handset. You use free or unsecure wi-fi. Then your mobile can be hacked into and details can be collected like some people are used to keeping a back-up of passwords (or credit card number, CVV number, PIN) on the handset, such information can be compromised," explains Shahni of RSA Security.

What should you do? A mobile network is safer to use than public wi-fi. Avoid wireless boosters that belong to a third party.

THROUGH BLUETOOTH
Many have the habit of keeping their phone's Bluetooth on while on the go. There are many Bluetooth-hacking programs. These search for Bluetooth-enabled devices and try to extract crucial information such as contacts, email addresses and text messages.

What should you do? Keep Bluetooth off until needed; this also saves your phone's battery. Even if you want it on, keep it in invisible mode.

THROUGH TEXT MESSAGES
Remember the old phishing trick on emails? It now applies to mobile phones, too, through infected links embedded in SMSes. These could also come with messages from a friend's number. Sometimes you can receive SMSes that can't be decoded, showing a square or a triangle and so on. The minute you open such messages, you download malware onto your device.

There is also something called ransomware. It is a class of malware which restricts access to the computer or mobile that it infects, and demands a ransom be paid to the creator of the malware if you want your data (like contact details and pictures) back. If you don't pay, you lose all the data or it will simply be lying in your phone in an encrypted form.

What should you do? Never click on any attachment on the phone. Install anti-virus security to scan malicious attachments and block these.

THROUGH MOBILE CHARGERS
Phone-charging kiosks in public places such as airports, restaurants or coffee shops can be a potential hacking device.

A hacker only needs to install a malicious system into it. On connecting your phone, the infected system steals your photos and data or writes malware into the device.

What should you do? Always carry a charger. Use power plugs only or use a portable charger when on the go.

PROTECT YOUR CREDIT CARD AGAINST FRAUDS
Your credit card can also be used fraudulently, even when it is safe with you. Therefore, ensure you have mapped your mobile number and email IDs with your bank or card issuer. This will alert you the minute a fraud takes place. If you are asked to swipe your card on more than one machine at one time, question the procedure. Make sure your card is swiped in front of you. Cut up and dispose of expired card(s) and scratch the magnetic strip. Swipe new cards immediately. Never share your ATM or other security PINs with anybody. Don't write down PINs or card numbers or CVV anywhere. "Always use a strong password when transacting online through credit cards. Ensure your password has one capital letter, one or two special characters and an alphanumeric character. Such passwords are difficult to hack. At the same time, the password should be easy to remember and it should not be stored or written anywhere," says Kumar Karpe, CEO of TechProcess Payment Services. When transacting online through a card, use a secured log-in and/or a one-time password (OTP). OTP is a new password created every time you transact. This is sent to your registered mobile number and email ID. Ensure that the website you are transacting on is PCI DSS- or Verisign-compliant. Most banks' websites are compliant but check non-bank sites. Card data can also be hacked if you browse via free Wi-Fi. Check your card statements regularly. The sooner you spot and report unfamiliar purchases, the sooner your card can be blocked.

First Published: Feb 23 2014 | 10:30 PM IST