Hackers are using increasingly sophisticated techniques in their efforts to install malware on your mobile device.
When hackers infect mobile devices, such as smartphones or tablets, with malware, their goal is often to gain control over these devices. The hackers then can steal financial information or personal credentials that may be sold to others for illegal purposes, such as sending out more malware or spam.
One reason that mobile devices may be targeted is their greater susceptibility to such threats.
“A mobile [device] has five attack points,” according to Gary Davis, chief consumer security evangelist at McAfee. WiFi, Bluetooth, near field communication (NFC), GPS, and cellular service provide a variety of ways for hackers to get malware onto your device.
Over the past two years, it’s estimated that more than four million Android smartphones have been infected with a particularly virulent mobile malware campaign called NotCompatible, according to mobile security company Lookout. The malware has been used to turn infected mobile devices into bots capable of sending spam and scalping event tickets.
Lookout said this particular malware appears to be unique in its ability to cover its tracks and avoid discovery.
Hackers use a number of methods to get malware like this onto your device, but here are four of the most common:
1. Targeted apps
Mobile apps have surged in popularity along with mobile devices, and this has made them a favorite target for cybercriminals. Davis says more and more examples of malware are being found in app stores.
“Not the Apple app store or Google Play store, but third-party app stores,” he says.
Hackers often model apps after wildly popular ones already up for sale, infect them with malware, and then put them up for download in third-party app stores. Once downloaded, the malware can steal information from your device and send it back to the hackers.
Hackers can also take advantage of the vulnerabilities in legitimate apps. According to Davis, app writers are not always security conscious. This gives malware writers the opportunity to design malicious software that can take information directly from the apps themselves. If, for example, a legitimate app that you’ve already downloaded has access to your location and your messages, hackers can use malware to pull this information for their own uses.
2. Drive-by downloads
Drive-by downloads can happen in less than a second. They occur when you use your mobile device to visit a legitimate website which, unbeknownst to you, has been hijacked by malware. According to Sophos, 82 percent of malicious websites are actually legitimate sites that have been repurposed like this.
Once you visit the site, the malware figures out which systems are running on your device, looks for vulnerabilities based on whether you have updated your security software (or are running any security programs at all), and then dumps the malware onto your device. Once installed, it does whatever it was designed to do—typically stealing your personal or sensitive information and sending it back to whomever is running the malware
3. Spam from hijacked email accounts
If hackers have access to a hijacked email account, they can use the account to send out messages embedded with links to malware. Whether the hijacked email account belongs to a contact of yours or a total stranger, the messages may appear more legitimate than regular spam emails.
This can lure users into opening the messages and clicking on links embedded in them. Once this happens, the malware downloads itself onto the device without the user even noticing. According to Lookout, this tactic was responsible for more than 20,000 NotCompatible infections a day.
4. Security patches in email attachments
Hackers will send emails claiming to be from a security representative and warning of supposed infections or problems on your device. They’ll attach a so-called “security patch” for you to download. In reality, however, the patch is the malware itself.
Other tactics, such as using public WiFi to set up phony hotspots and take over control of connected devices, are also popular because they are so easy to pull off.
Although many of these threats happen on computers as well, the proliferation of mobile devices—and how much information we share through them—makes them too valuable a target for hackers to pass up.
Davis says the risk of attack will continue to rise in 2015, and more devices will be vulnerable.
“As more smart devices arrive for the home, like smart thermostats and refrigerators, attacks will open up dramatically,” he says.
This makes it more important than ever to stay safe on your mobile devices. Be sure to apply legitimate security fixes and updates when they become available, and if a message or link seems suspicious, don’t click on it.