Your smartphone probably knows more about you than you do.
It knows where you are at all times. It knows every person you talk to, and what you’ve said to them. It has your family photos, your pet’s pictures, your passwords and more. For attackers, it’s a digital passport to access everything they would need to know about a person.
And that’s why attacks on smartphones are on the rise, security researchers said.
At the Kaspersky Security Analyst Summit in Mexico, Andrew Blaich, a researcher from mobile security company Lookout, and Eva Galperin, the cybersecurity director from the Electronic Frontier Foundation, presented their findings about Dark Caracal, a global malware campaign targeting mobile devices that’s infected thousands of people in more than 20 countries.
The attack campaign, tracked to a building in Beirut belonging to the Lebanese General Security Directorate, used nearly identical versions of real apps and tricked thousands of people to install it. Once it was on their phones, the attackers had access to everything.
The attack was massive, but it’s just a preview of what’s to come, the researchers said. It’s a reversal of conventional wisdom that pointed to PCs as the most prone to hacks. Attacks on mobile devices are getting easier, they yield a bigger reward and people are using smartphones much more than they use their computers. It’s a no-brainer for a hacker.
“Getting a look into someone’s personal device is tremendously personal, it’s like getting a look into their mind,” Galperin said.
Low entry, high reward
The Dark Caracal attack focused on personal information and it didn’t need any new type of vulnerability to carry out its mission. The malware, which allowed attackers to take photos, find your location and record audio, spread by disguising itself as messaging apps like Signal and WhatsApp.
It wasn’t an exploit that allowed Dark Caracal to do all those things — it was the victim. The Trojan app would ask for permissions like any other app would, and to the unsuspecting eye, they wouldn’t see anything wrong with the request.
After all, apps like Instagram and Facebook also ask for permission to take photos, use your location and record audio. If a person was downloading malware that he or she believed was a real version of an app, these permissions wouldn’t set off any alarms.
Google and Apple’s security patches can block the latest vulnerabilities, but they can’t stop you from getting tricked. Malware hitting mobile devices isn’t exploiting a code’s vulnerabilities, it’s exploiting a person’s vulnerabilities.
“Instead of spending effort and time in researching exploit codes, they just take advantage of an overly permissive app,” Blaich said. “The barrier to entry for surveillance ware can be lowered if you’re not trying to use vulnerabilities.”
While Google and Apple’s app stores are fairly protective against malware popping up in its marketplace, it’s a different story for third-party stores. That’s how Dark Caracal was able to spread, Blaich said.
The fake apps advertised themselves on a website called “Secure Android,” telling people its version of WhatsApp and Signal were more secure than the original apps. Attackers advertised the page in groups for activists and journalists, because it was trying to spy on them.
While the best advice to prevent mobile malware is to never side-load an app, certain apps may not be available outside of the US. The Google Play store, for example, doesn’t work in China, where there were 386 million active Android usersin 2014.
Apple and Google have done extensive work to make their mobile operating systems more secure. Apple’s Secure Enclave and encryption has protected data so well that the FBI was willing to pay $900,000 to unlock the San Bernardino terrorist’s phone.
Google has improved its app security and patching system with Project Treble and Play Protect.
But given how infrequently some of these updates actually get to the phone, it isn’t enough.
On Feb. 28, the Federal Trade Commission released a report that mobile devices haven’t been getting the security updates they need efficiently enough. The commission received information from Apple, Google, Microsoft, Samsung, Motorola, LG, HTC and BlackBerry on their security patching process, and the results weren’t great.
“Some devices didn’t get any updates at all. The support ranges from absolutely nothing to three or more years of support,” said Elisa Jillson, staff attorney for FTC’s privacy and identity protection.
The problem is that security updates are often bundled with broader software updates, meaning that some devices never get patched, while others may have to wait months for it. The FTC recommended separating them, with more frequent patches for devices. Google’s Project Treble already does this.
Before Treble, security updates for Google only came to devices using recent versions of Android. Up to 42 percent of Android users don’t have the latest version, and with 2 billion active Android users around the world, that’s 846 million devices exposed to potential malware.
“The majority of victims do not get compromised by zero-days,” Galperin said. “They get compromised by vulnerabilities that have already been disclosed they have not yet patched.”
As security experts continue to see the rise in mobile attacks, it’ll soon surpass the amount of attacks focused on your computers, Blaich said.
During the Dark Carcal campaign, Lookout and the EFF noticed there was a separate attack targeting Windows computers. It dwarfed in comparison to how many mobile devices were infected.
“This is a known problem, that updates aren’t getting to devices, so there’s an open window to any would-be hacker,” Jillson said.
To read the original article: