Recently I was asked to discuss the cybersecurity risks associated with smartphones and the possibility that those devices could be compromised and information stolen. As part of the conversation, an all too familiar story was told about an older gentleman who had been prompted through a fear-based social engineering phone call to go to the bank and withdraw a significant amount of money to avoid some fictitious financial penalty. What was a little more unique in this situation was the fact that the older gentleman had also been prompted to download an app on his smartphone that had in turn given the attacker control of that device. Fortunately, an alert bank employee noticed something strange during the transaction as the older gentleman continued to receive directions from the attacker via his phone. The bank employee intervened and, after some effort, was able to power off the gentleman’s phone and get to the bottom of the scam.
Sadly, this is not a terribly unique situation. Creative and malicious vishing (voice phishing) attacks take place every day, targeting young and old alike. What is a little more concerning is the evolution of malicious applications and the use of these applications to take remote control of a device during a social engineering attack, thus giving the attacker near complete control over the situation and ramping up the fear factor for the victim.
In the situation with the older gentleman at the bank, his problems did not end once the attack was discovered and his phone was powered off. At that point, his smartphone, a low-cost, prepaid Android device, was compromised and unsafe to use. The bank employee rightly recommended he factory reset the device or replace it, but neither option was honestly viable for the victim. He lacked the technical skill to properly reset the device and he could not afford to simply throw it away and buy another one. Because it was a prepaid device purchased at a big-box store, he could not walk into a wireless carrier store and ask for help. He was stuck.
In talking through this situation, several questions came to mind. First and foremost, what can we (the IT security and cybersecurity community) do to help? That question prompted others – are certain mobile devices safer than others in terms of their ability to prevent these types of social engineering and malicious device takeover attacks, is this issue age related or more widespread, and what tips and tricks can we provide to help mitigate these types of cyberattacks? I want to take a moment and work through some of these questions and see if I can provide some answers that will help keep people safer when dealing with these types of attacks.
Are certain mobile devices safer than others?
This is a very loaded question and feeds into the ever-present and ongoing debate of Google Android versus Apple iOS. Let me begin by stating that I am not here to advocate for one manufacturer over another – both device families have some great security features and both device families have the potential for compromise by a cyber bad guy. I do want to talk about some features and specific design methodologies provided by each manufacturer that can impact a victim, both positively and negatively, in the scenario we are discussing – vishing and remote device takeover. Let’s look at some relevant statistics to better frame this conversation:
So, if Apple leads in terms of market share for smartphones, why is Google Android so far ahead in terms of operating system malicious infections? There are several reasons. First, Google Android, as an operating system, runs on many different platforms beyond smartphones. The Android OS can be found on a variety of IoT devices including smart TVs, tablets, home automation systems, appliances, and many other Internet-enabled platforms. As such, the attack surface for Android OS is simply larger than that of Apple iOS. Second, the Google Android OS is a much more open and customizable platform in terms of the sources and types of applications that can be loaded to an Android device. Application downloads for the Android OS are not necessarily restricted to the Google Play Store and, as such, cannot be as closely vetted and verified when compared to the relatively closed application ecosystem of Apple’s iOS. Third, Google does not own and control all of the hardware platforms on which Android OS is loaded. Dozens of smartphone manufacturers use Android OS for their devices, and, therefore, those manufacturers can to an extent control the applications that ship on those devices. Once again, this is very different for Apple iOS, as Apple manufactures all smartphones, tablets, and other devices that run its operating systems. Apple has built a closed, proprietary ecosystem for its “iDevices” and controls all applications that can be listed and downloaded from its App Store. This approach has made it significantly more difficult, though not completely impossible, to load malicious software on an Apple device and facilitate remote control. Given all of this information and each manufacturer’s approach to application installation control, it is a fair statement to say that Apple’s smartphones are a safer platform in this specific situation.
Please do not take this specific conclusion and extrapolate that Android devices are less safe overall when compared to Apple devices. Both operating systems have their specific strengths and weaknesses. Google Android OS, for example, provides one of the most flexible and secure identity management platforms available, providing numerous secure ways to validate the identity of the device user and ensure physical compromise is extremely difficult for the bad guys. Android’s flexibility and portability have also created opportunities for lower-cost smartphones and tablets that have brought internet access to people and places it otherwise may not have reached. That said, everyone needs to understand the potential security challenges with these devices in certain situations and take proper precautions.
Is the growth of malicious device infection and the prevalence of social engineering attacks age related?
I am sure many people will read the details of the incident at the start of this article and focus on the word “older” that was used to describe the victim and draw the conclusion that this type of scheme is designed to prey on novice internet users. Those people would be both right and wrong. This type of scam is often targeted at older Americans, but not because of a lack of internet experience. Consider these statistics:
Older Americans are quickly becoming savvy Internet consumers, but this same demographic has a specific set of fear triggers that make them particularly susceptible to this type of social engineering attack, including a fear of lost income or the failure to meet a particular commitment. Younger Americans also fall prey to these types of schemes on a regular basis. The cyber criminals simply make a few tweaks to the script based on clues gathered during the initial conversation. Younger people tend to fear a loss of services or damage to their reputation via social media or a threat to their children. At the end of the day, it is important to remember that the cyber bad guys have developed strategies to adapt their attacks based on the audience they reach and all of us are targets.
Tips and Tricks to Stay Safe
Here are a few tips that can help you avoid the pitfalls of this type of social engineering attack and keep you and your personal information safe:
In talking through all of the factors and mitigation strategies associated with this particular type of social engineering attack, the most important piece of advice I can share is this – “learn to control your fear”. Bad guys prey on fear. They manufacture fearful situations. If you can remain calm, take a deep breath, ask a few relevant questions, and do a little research, you should be able to safely navigate these types of threats without any harm.