Last weekend, an international consortium of media organizations published an investigation around a leaked list of 50,000 phone numbers from across the world, called the Pegasus Project. The leaked list reportedly comprises surveillance targets for authoritarian governments worldwide using the Pegasus spyware (developed by Israel’s NSO Group) to hack into the smartphones of critics, journalists, activists, politicians, and business executives.
However, sophisticated spyware like Pegasus isn’t the only way someone’s personal device can be hacked into. From malicious links to hijacking public Wi-Fi, there are some fairly easy to complex tools and techniques to hack into a user’s smartphone:
Hack level: Easy
One of the most common hacking tools is a fake app. Google Play Store and Apple App Store regularly take down hundreds of apps that may be fake or malicious.
Hackers usually create fake apps imitating a popular app and embed it with spyware or other malware. Most of these apps are found on third-party app stores, social media, pop-up ads on the internet, or sometimes; hackers target users via messages and links on websites.
Malicious links are another popular way to hack a smartphone and can sometimes even be a precursor to leading a user to fake apps.
These malicious links or attachments are usually sent via e-mails, SMS, or third-party chatting apps. All these needs from a user is a click/tap on the link. Once done, the link injects a user’s device with virus/malware, giving the hacker control over (a part or entire) data.
Phishing is a method used by hackers to donate to a company or trusted individual to gain confidential data.
Here, hackers often use official-looking communication, commonly shared via email or text messages, usually leading to a login page for a service that looks legitimate but is, in fact, faked. When you follow phishing links to a login page and enter your details — for example, your bank account — your personal information has basically been stolen. This applies to banks, social media accounts, or any service that requires a login and password.
Bluetooth file transfers
You’ve likely experienced this at least once before: a random Bluetooth file transfer from someone you don’t know. This is typically viral malware from another infected phone, trying to dump its payload into your device. Never accept unsolicited Bluetooth file transfers.
Hack level: Moderate
Via Public Wi-Fi
Any network, including public WiFi, can be snooped upon. Unencrypted traffic can be trivially stolen. Your Facebook login? Your bank details? All free games for a motivated hacker.
It’s simple; until necessary, always avoid public Wi-Fi. And if you make financial transactions from your smartphone, it’s best to give it a miss. Also, turn off your Wi-Fi when not in use.
Using a smartphone/tablet/laptop on public Wi-Fi makes the device vulnerable to hacking.
SIM card swap
SIM card swapping or a SIM hijack isn’t exactly the easiest way of hacking smartphone data, but it is becoming increasingly popular. This method enables a hacker to trick a mobile carrier into transferring a number to them, potentially leading to losing control over their social media accounts, banking apps, and other sensitive logins and data. Essentially, any service that uses an OTP for authentication can be compromised by this method, making it very dangerous. Remember: your Aadhar authentication also happens via OTP.
Hack level: Difficult
Bluetooth hacking, also called blue bugging, steals data from another Bluetooth-enabled device without permission. For this hacking technique, cyber attackers use specialized software that automatically detects nearby devices with enabled Bluetooth. With blue bugging, hackers can track a user in real-time and even take control over their device.
Hacking via phone numbers
Another hacking method is via phone numbers. For this to work, hackers need to know the technicalities of phone hacking.
SS7 signaling – a set of protocols used to set up and tear down phone calls – is exploited to hack through phone numbers.
With this, a hacker can record calls, forward calls, read messages, and find locations of a particular device.
These are vulnerabilities in your device hardware or software that are unknown even to phone/software makers. Such exploits are highly prized by criminal organizations and governments alike because they allow discreet access to devices indefinitely or until the vulnerability is patched. The exploit may take the form of something preventable — like clicking a link in a message, or as has been used by Pegasus in the past, a “zero-click” vulnerability in Apple’s iMessage app on iPhones. WhatsApp has been used as an attack vector in the past, with Pegasus infecting target devices simply by placing a WhatsApp call. The user did not even need to respond to be infected. WhatsApp sued the NSO group over this in the past.
Unfortunately, the very nature of 0-day exploits is unknown, so protecting oneself from them is near-impossible.
How to prevent your smartphone from being hacked
While in the case of sophisticated spyware like Pegasus, there is often not much a user can do to prevent hacking, but in most cases, small things can dramatically reduce your chances of being hacked.
When it comes to your smartphone, not sharing is caring
The easiest way a hacker can steal your information is if they get access to your smartphone. Use six-character passcodes (and not your birth date) or complex patterns. Also, secure all apps with additional app locks in case they may carry any sensitive information.
SIM Card locking
Putting a passcode on your SIM card can protect it from being hacked.
On an iPhone, head to Settings > Cellular > SIM PIN. Enter your existing PIN to enable the lock.
On Android, head to Settings > Lock screen and Security > Other security settings > Set up SIM card lock. Here, enable the option to lock your SIM card.
Keep your Wi-Fi and Bluetooth off when, not in use
It is possible to hack a smartphone using Wi-Fi or Bluetooth. So, whenever you are not using it, especially when you are in public, turn off your Wi-Fi and Bluetooth.
Adopt a security-aware posture
We’re used to things “just working” on the internet and with smartphones. However, any technology can be circumvented or exploited. Some things you can do online to protect yourself:
- Ensure any WiFi networks you connect to use WPA2 security and not the older WEP, and certainly do not connect to open networks without security
- Do not blindly accept Bluetooth file transfers.
- Do not click on links in messages or emails unless you are confident of the sender.
- Do some due diligence on received links and addresses — check the sender’s sender’s sender’s email address carefully to ensure it matches what you know. Check the URL of a link to ensure that it matches what you normally type in a browser to go to a site. Telltale signs of a phishing/malicious link – a legitimate domain name prefix with something else tacked to the end such as ICICIBANK.SIGN IN.URLXYZABCFOO.CO, Note the end of the link; that’s probably not your bank.
- Read notices and prompts thrown up by your device; don’t blindly click “OK.”
- Enable two-factor authentication (OTP/Authenticator) for all your online accounts
- Do not scan random QR codes, especially related to payments. These can potentially lead to harmful links or, at worst, empty your bank account.
- Avoid face unlock on Android phones. It is known to be less secure than on iOS devices.
- When called by telemarketers, pay attention if you intend to stay on the call. Ask questions. Which credit card company are they calling from? What are they offering? What are they asking of you? Phone phishing is on the rise, and there is little recourse if you’re successfully stolen from
- Use a VPN to encrypt your communications. It may make things a wee bit slower, but the added security is worth it. You absolutely should use a VPN on public or hotel WiFi networks.