On November 8th 2018, the Amazon billionaire Jeff Bezos had his mobile phone “hacked” after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia. [1] Smartphones today are everywhere, and with such widespread use, they often become easy targets for attackers. Suffice it to say, cybersecurity in the mobile world is now more important than ever before.
1. The Bezos Hack, and what it means for the average person
The idea that mere messages shared on a trusted service like WhatsApp can compromise the security of someone’s device is enough to raise several red flags.
The malware was sent encrypted along with a video in a WhatsApp chat. It contained a downloader that executed malware on Bezos’ device. Within hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter.
This brazen breach of security against one of the most powerful people on Earth sent one clear message – “You are not as safe as you think”.
2. How safe are you?
The short answer would be – “Not so much”.
There are various weaknesses on a person’s smartphone that malicious apps can exploit – extra permissions, root access, 0-day exploits and social exploits, to name a few. While there are apps that have gained our trust through years of clean track records, it is not safe to assume that all apps are the same. In a study by Symantec, 1 in 36 mobile devices had high-risk apps installed. [2] Multiply that by the millions of apps available on the Google Play Store, and you begin to see the real picture. Malicious apps use these exploits to first gain the trust of the user and then either compromise their privacy by selling off their data, or perform even more nefarious tasks on the host device.
In 2016, GitHub user j0nk0 published an exploit [3] for the Linux kernel running on Android devices that could allow an attacker to get temporary root permissions by exploiting some race conditions in the Linux kernel. [4] Although this exploit (specifically CVE-2016-5195) was patched in the next security patch of Android, it was clear that mobile devices were just as much of a target to attackers as servers and desktops.
Since then, there have been multiple attempts at compromising the security of mobile devices – on both the Android and iOS platforms. Almost every version of iOS can now be “jailbroken” and Android versions can be “rooted”. Both of these methods are used to gain root access on the user’s device, which can have adverse consequences. Hackers have even managed to breach the security of Apple’s T2 chip, which runs its own operating system, bridgeOS. [5]
Even if you have an untampered device, a malicious app may be able to steal information quietly. In 2018, an SMS-stealer app for Android surfaced that could steal a user’s SMS messages. [6] Although it might seem insignificant, an SMS might be one of the factors of a two-factor authentication system, and a targeted attack might be disastrous. Similarly, there have been multiple reports of apps misusing device permissions in order to steal data.
Probably the most infamous of these cases is the TikTok ban case. [7] On June 29th, the Government of India banned a total of 59 Chinese mobile apps including TikTok. The ministry of information and technology said the apps had been banned for multiple reasons, such as security and privacy concerns. A similar ban followed, adding a further 117 apps to the list of apps banned in India.
As if on cue, on 14 August the President of the United States, Donald Trump, said in an executive order that TikTok would face a complete ban if it did not sell to a US company by 14 November. [8]
3. The human factor
It is said that security in a system is only as good as its weakest link. And unfortunately, in most cases, this link is the human factor. People are forgetful: they forget passwords, overlook important security measures and trust malicious systems. Oftentimes, a user’s data gets stolen because they tapped the ’allow’ button in a hurry when an app asked for extra permissions. In the end, security is just a people-problem. Mitigate that, and you’ve got the most secure system. But again, since we are humans and to err is human, we need constant advancements in supporting systems to compensate for our faults.
4. Staying safe
So far, we have seen how our devices can be compromised. But what are the measures to be taken to stay safe?
- An important one is the use of encryption everywhere possible. This includes (but is not limited to) encrypted messaging, encrypted file storage and encrypted web connections. You might have heard of end-to-end encryption in messaging apps; some popular apps (namely WhatsApp and Signal) use it to secure your chats [9].
- But, at the same time, you should note that Jeff Bezos was also using end-to-end encryption when his phone got hacked. Encryption is only one side of the coin. Even when we are using encrypted systems, it’s our responsibility to keep them safe.
- Another important point is using 2-factor authentication whenever possible, even on your phone. Google by default reminds you to activate its 2FA system by using an email AND a phone number to log in.
- Zero-trust should be followed whenever possible: do not connect to unsecured networks, nor give your data in any way to untrusted parties. It is advisable to read the Terms and Conditions of any service that you use, to get a fair idea of your security. Also, be wary of ’free’ services in general.
Lastly, care should be taken when using new services, and a zero-trust principle should be followed whenever possible. There are antivirus apps available on the Play Store, but they won’t be of much use if we are not vigilant about the activities happening on our devices.
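One way to act on that vigilance is to review what an app asks for before trusting it. The following is an added example, not code from any of the cited projects: it reads an app’s `AndroidManifest.xml` (assumed to be already decoded to text XML) and flags requests for personal data, network access alongside them, and SMS access that would expose 2FA codes. The two sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Real Android permission names that expose personal data.
SENSITIVE = SMS | {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

def requested_permissions(root):
    """Collect every permission the manifest declares."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml):
    """Summarise the sensitive permissions requested by one app."""
    root = ET.fromstring(manifest_xml.strip())
    perms = requested_permissions(root)
    sensitive = sorted(perms & SENSITIVE)
    return {
        "package": root.get("package"),
        "sensitive": sensitive,
        # Sensitive data plus network access means the data can leave the device.
        "exfil_capable": bool(sensitive) and NETWORK in perms,
        # SMS access exposes one-time codes used as a second factor.
        "sms_2fa_risk": bool(perms & SMS),
    }

# Constructed sample manifests (not real apps).
SAMPLE_FLASHLIGHT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
SAMPLE_NOTES = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_FLASHLIGHT, SAMPLE_NOTES):
        print(audit(sample))
```

A flashlight app that requests SMS access together with network access is the kind of mismatch worth questioning before tapping ’allow’.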
5. Further reading
Over 1,300 Android Apps Caught Collecting Data Even If You Deny Permissions
Netsec – Reddit
References
[1] The Guardian, (2020) Jeff Bezos hack: Amazon boss’s phone ’hacked by Saudi crown prince’
[2] Symantec, (2020)
[3] GitHub, (2018), GetRoot-Android-DirtyCow
[4] GitHub, (2019) dirtycow.github.io
[5] ReportCyberCrime, (2020) Hackers jailbreak Apple’s T2 security chip powered by bridgeOS
[6] Max Kersten, (2020) Android SMS Stealer
[7] The Times of India, (2020) Centre bans 59 mobile apps including TikTok, UC Browser, others
[8] Kari Paul, The Guardian, (2020) Trump’s bid to ban TikTok and WeChat: where are we now?
[9] Andy Greenberg, WIRED, (2020) Signal Is Finally Bringing Its Secure Messaging to the Masses