Updated by Suzanne Kantra on 2/15/2023 with new research and interviews with Keatron Evans, Principal Security Advisor at Infosec Institute, Sachin Puri, Vice President of Marketing at McAfee, and Jakub Vavra, Threat Analyst at Avast.
From email to banking, our smartphones are the main hub of our online lives. No wonder smartphones rival computers as common targets for online hackers. And despite the efforts of Google and Apple, mobile malware continues to land in official app stores – and these malicious apps are getting sneakier.
There are three main types of threats faced by mobile users: malware apps, adware, and spyware. According to the McAfee 2022 Mobile Threat Report, mobile malware apps are mainly masquerading as gaming hacks, cryptomining, and messaging apps to gather account logins, charge fees for bogus services, and sign users up for premium text services. In its 2022 State of Malware Report, MalwareBytes reported a rise in aggressive adware – ads that appear in notifications, the lock screen, and in popups – and highlights the fact that preinstalled malware on inexpensive Android devices continues to be a serious problem. Spyware is software that monitors a device’s content, programs that harness a device’s internet bandwidth for use in a botnet to send spam, or phishing screens that steal a user’s logins when entered into a compromised, legitimate app. It is often unintentionally downloaded from non-official sources that people visit in phishing links sent via email or text messages, as well as malicious websites.
Then there are the commercial spy apps that require physical access to download to a phone. These apps are often installed by those well-known to the victim, such as a partner or parent, and can monitor everything that occurs on the device.
There are technological means and motives for hackers, governments, and even the people we know, such as a spouse or employer, to hack into our phones and invade our privacy. However, unless you’re a high-profile target – journalist, politician, political dissident, business executive, criminal – that warrants special interest, it’s far more likely to be someone close to you than a government entity doing the spying.
Not sure if you may have been hacked? We spoke to Keatron Evans, principal security advisor for Infosec Institute, Sachin Puri, Vice President of Marketing at McAfee, and Jakub Vavra, Threat Analyst at Avast, about how to tell if a smartphone might have been compromised. And, we explore the nine ways your phone can be hacked and the steps you can take to protect yourself.
What are the signs your phone may have been hacked
1. Noticeable decrease in battery life
While a phone’s battery life inevitably decreases over time, a smartphone that has been compromised by malware may start to display significantly decreased battery life. This is because the malware – or spy app – may be using your phone's resources to scan the device and transmit the information back to the hacker's server.
2. Sluggish performance
Do you find your phone frequently freezing or specific applications crashing? This could be a sign that malware is overloading your phone’s resources or interfering with other applications. You may also experience continued running of applications despite efforts to close them, or even have your phone crash and/or restart repeatedly.
(As with reduced battery life, many factors could contribute to a slower phone. One main contributor can be running out of storage space, so try freeing up space on your Android or iPhone.)
3. Phone feels hot when not using or charging it
Malware or apps, like bitcoin miners, running in the background can cause your phone to run hot or even overheat, according to Vavra. If your phone feels hot to the touch and it's not in use or on your charger, it could be a sign that malware is present. Try turning your phone off and on to see if the problem goes away. If not, there may be cause for concern.
4. High data usage
Another sign of a compromised phone is an unusually high data bill or running out of data before the end of the month. Extra data use can come from malware or spy apps running in the background and sending information back to their server.
For iPhones, go to Settings > Cellular and scroll down to see the list of apps using cellular data. You can check the current and last billing periods.
For plain Android phones (Google Pixels phones), go to Settings > Network & Internet > SIMs > App data usage. For Samsung phones, go to Settings > Connections > Data usage > Mobile data usage. Or, search for "data usage" in the search bar of the Settings app.
5. Outgoing calls or texts you didn’t send
If you see lists of calls or texts to numbers you don’t know, be wary. These could be premium-rate numbers that malware is forcing your phone to contact, the proceeds of which land in the cyber-criminal’s wallet. In this case, check your phone bill for any costs you don’t recognize.
6. Mystery pop-ups and apps
While not all pop-ups mean your phone has been hacked, constant pop-up alerts could indicate that your phone has been infected with adware, a form of malware that forces devices to view certain pages that drive revenue through clicks. Even if a pop-up isn’t the result of a compromised phone, pop-ups coming from external sources can include phishing links that attempt to get you to type in sensitive info or download malware.
You may also find apps on your phone that you didn't download and could be signs malware has been installed on your device. If you don't recall downloading the app, you can press and hold on the app icon (Android) and click on the option for App info. Scroll down and the App details section will tell you were the app was installed from (should be Google Play Store). Click on App details to go to the Google Play Store, where you can check the app is a legitimate app from a trustworthy developer. For Apple owners, go to the App Store and tap on your profile icon, select Purchased > My Purchases, and search for the app name.
7. Unusual activity on any accounts linked to the device
If a hacker has access to your phone, they also have access to your accounts – from social media to email to various lifestyle or productivity apps. This could reveal itself in activity on your accounts, such as resetting a password, sending emails, signing up for new accounts whose verification emails land in your inbox, or moving emails to trash that you don’t remember seeing (especially those verification emails).
In this case, you could be at risk for identity fraud, where criminals open new accounts or lines of credit in your name, using information taken from your breached accounts. It’s a good idea to change your passwords – without updating them on your phone – before running a security sweep on your phone itself.
From targeted breaches and vendetta-fueled snooping to harvesting data from the unsuspecting, here are nine ways someone could be spying on your cell phone – and what you can do about it.
1. Spy apps
There is a glut of phone monitoring apps designed to covertly track someone’s location and snoop on their communications. Many are advertised to suspicious partners or distrustful employers, others are marketed as legitimate tools for safety-concerned parents to keep tabs on their kids. Such apps can be used to remotely view text messages, emails, internet history, and photos; log phone calls and GPS locations; some may even hijack the phone’s mic to record conversations made in person. Basically, almost anything a hacker could possibly want to do with your phone, these apps would allow.
Techlicious has studied consumer cell phone spying apps and found they could do everything they promised. Worse, they were easy for anyone to install, and the person who was being spied on would be none the wiser that their every move was being tracked. Commercial spyware programs, like Pegasus, sold to law enforcement and government agencies (including in countries with poor human rights histories), don't even require direct access to the device.
“The purpose of spyware is to be undetectable. Generally, if it's sophisticated, it may be very difficult to detect,” says Vavra.
Spyware apps are not available on Google Play or Apple's App Store. So someone would have to jailbreak your iPhone or enable unauthorized apps on your Android phone and download the spyware from a non-official store. Parental monitoring apps, which are available in Google Play and the App Store, have similar features for tracking and monitoring, but they aren't designed to be hidden from view.
How to protect yourself
- Since installing spy apps requires physical access to your device, putting a passcode on your phone greatly reduces the chances of someone being able to access your phone in the first place. And since spy apps are often installed by someone close to you (think a spouse or significant other), pick a code that won’t be guessed by anyone else.
- Go through your apps list for ones you don’t recognize.
- Don’t jailbreak your iPhone. If a device isn’t jailbroken, all apps show up in the App Library. If it is jailbroken, spy apps are able to hide deep in the device, and whether security software can find it depends on the sophistication of the spy app. For iPhones, ensuring your phone isn’t jailbroken also prevents anyone from downloading a spy app to your phone, since such software – which tampers with system-level functions - doesn’t make it into the App Store. The easiest way to tell if your iPhone has been jailbroken is the existence of an alternate app store, like Cydia or Sileo. They may be hidden, so search for them. If you find one, you'll need to restore your phone to factory settings. Back up your phone and then go to Settings > General > Reset > Erase All Content and Settings.
- If you have an Android phone, go to Settings and search for "install unknown apps" and make sure all sources are set to off.
- Download a mobile security app that will scan for rogue apps. We recommend Avast, Bitdefender, or McAfee.
2. Phishing messages
Whether it’s a text claiming to help you recover a package or a friend exhorting you to "check out this photo of you last night", text messages containing deceptive links that aim to collect sensitive information (otherwise known as phishing or “smishing”) continue to make the rounds. And with people often checking their email apps throughout the day, phishing emails are just as lucrative for attackers.
Periods such as tax season tend to attract a spike in phishing messages, preying on people’s concerns over their tax returns. You'll also see a rise after natural disasters, asking people to donate.
Android phones may also fall prey to texts with links to download malicious apps. Android won't allow you to install apps from sources outside the Play Store unless you change your install permissions in Settings to allow unknown app, so it's safest to always keep these set to "Not allowed". The same scam isn’t workable for iPhones, which are commonly non-jailbroken and, therefore, can’t download apps from anywhere except the App Store.
Quite likely. While people have learned to be skeptical of emails asking them to click links, people tend to be less wary when using their phones.
How to protect yourself
- Keep in mind how you usually verify your identity with various accounts – for example, your bank will never ask you to provide your password or PIN via text message or email.
- Check the IRS’s phishing section to familiarize yourself with how the tax agency communicates with people, and verify any communications you receive.
- Avoid clicking links in texts from numbers you don’t know or in unusual messages from friends.
3. Unauthorized access to iCloud or Google account
Hacked iCloud and Google accounts offer access to an astounding amount of information backed up from your smartphone – photos, contacts, location, messages, call logs, and saved passwords. This information can be used for phishing or blackmail.
Additionally, access to your Google account means access to your Gmail, the primary email for many users. The ability to use your email for verification codes to your accounts can lead to a domino effect of hacking all the accounts your email is linked to – from your Facebook account to your mobile carrier account, paving the way for identity theft.
If you use a weak password, it won’t be difficult for a hacker to gain access to your account.
How to protect yourself
- Create a strong password for all your accounts (and, as always, your email). We recommend using a password manager so you can use strong passwords without needing to memorize them. Password managers can also generate strong passwords, making the process even easier.
- Enable login notifications, so you are aware of sign-ins from new computers or locations.
- Enable two-factor authentication (2FA) so that even if someone discovers your password, they can’t access your account without access to your 2FA method.
- To prevent someone from resetting your password, lie when setting up password security questions. You would be amazed by how many security questions rely on information that is easily available on the Internet or is widely known by family and friends.
4. SIM swapping
Last year, the FBI announced that it saw a significant rise in SIM swapping complaints. With SIM swapping, cybercriminals call up cellular carriers to pose as legitimate customers who have been locked out of their accounts. By providing stolen personal information, they’re able to get the phone number ported to their own device and use it to ultimately take over a person’s online accounts, including virtual currency accounts.
SIM swapping is not common, but it is on the rise.
How to protect yourself
- Make sure you have your cellular account protected by an account passcode. Don’t use guessable numbers for your carrier PIN – like your birthday or family birthdays, all of which could be found on social media.
- For AT&T, log into your AT&T account, select Account settings > Linked accounts > Manage extra security and make sure "Extra security" is checked in the Account Passcode tile.
- For T-Mobile, log into your T-Mobile account with the T-Mobile app and select Account > Profile Settings > Privacy and notifications > SIM protection, and toggle on SIM protection for your accounts and select "Save Changes."
- For Verizon, log into your Verizon account with the Verizon app. Select Account Settings > Number Lock and toggle on for all of your accounts and select "Save Changes."
5. Hacked phone camera
The prevalence of video calling has highlighted the importance of securing computer webcams from hackers – but that front-facing phone cam could also be at risk. To gain access to your phone's camera, hackers would need to have the ability to run software remotely in a remote code execution (RCE) attack. In 2021, a vulnerability found in Qualcomm and MediaTek chips used in two-thirds of all phones sold that year put people at risk of RCE attacks, including streaming video from the phone's camera. This vulnerability was quickly patched, but RCE vulnerabilities regularly crop up, including Apple's recent update to old iPad and iPhones.
While RCE vulnerabilities continue to be a problem, cameras are not usually the target. Hacking is unlikely unless someone has physical access to install an app on your phone.
How to protect yourself
Always download security updates for all apps and your device.
6. Apps that over-request permissions
While many apps over-request permissions for the purpose of data harvesting, some may be more malicious and request intrusive access to everything from your location data to your camera roll. Puri notes that "Cheating tools and hacking apps are popular ways to get extra capabilities in mobile games. Criminals are exploiting this by promoting game hacking apps that include malicious code on legitimate messaging channels." Other types of apps that have been known to deliver malware include camera filters, photo editors, and messaging apps. And last year, McAfee identified a group of "cleaner apps" that purportedly removed unneeded files or optimized battery life, but actually installed malware on millions of devices.
It's common to run into apps that over-request permissions.
How to protect yourself
- Read app permissions and avoid downloading apps that request more access than they should need to operate.
- For Android, download a mobile security app such as Avast, Bitdefender, or McAfee that will scan apps before downloading and flag suspicious activity on apps you do have.
7. Snooping via open WiFi networks
The next time you happen upon a password-free WiFi network in public, be careful. Nefarious public hotspots can redirect you to lookalike banking or email sites designed to capture your username and password. It's not necessarily a shifty manager of the establishment you’re frequenting who's behind the ruse. For example, someone physically across the road from a coffee shop could set up a login-free WiFi network named after the café in hopes of catching useful login details for sale or identity theft.
If you're using a legitimate public WiFi network, Vavra says that "there are now enough safeguards it [snooping] shouldn't be too much of an issue." Most websites use HTTPS to encrypt your data, making it worthless to snoopers.
How to protect yourself
- Use the apps on your phone to access email, banking, etc., rather than your browser, and you will be protected against malicious redirects.
- Vavra says that "VPN adds another layer of encryption and essentially creates a more secure tunnel between the user and the website. While HTTPS only covers the communication data, VPN encrypts all data sent and can be used to change user location as perceived by the website or service the user is communicating with. So even the ISP (Internet provider) doesn’t see what is sent." Paid versions of mobile security apps often include a VPN, and we like Nord VNP and, for a free option, Proton VPN.
8. SS7 global phone network vulnerability
A communication protocol for 2G and 3G mobile networks, Signaling System No 7 (SS7), has a vulnerability that lets hackers spy on text messages, phone calls, and locations. The security issues have been well-known for years, and hackers have exploited this hole to intercept two-factor authentication (2FA) codes sent via SMS from banks. According to Evans, his method could also be used to impersonate a user's identity by spoofing their MSISDN or IMSI number, intercept calls, locate the user, commit billing fraud, and launch a Denial of Service (DoS) attack, which could bring down the network.
Evens says that the likelihood is pretty low of experiencing this type of hack. The major U.S. carriers have shut down their 3G service, and Evans estimates that only about 17 percent of the world still uses 2G or 3G networks.
How to protect yourself
- Choose email or (safer yet) an authenticator app as your 2FA method, instead of text message. We like Authy and Google Authenticator.
- Use an end-to-end encrypted message service that works over the internet (thus bypassing the SS7 protocol). WhatsApp and Signal encrypt messages and calls, preventing anyone from intercepting or interfering with your communications.
- Keep your device updated.
- If you want to be extra careful, Evans suggests, "If you're traveling abroad, get a cheap phone that you can almost use as a disposable and get rid of it when you get back or getting ready to return."
9. Fake cellular towers, like the FBI’s Stingray
The FBI, IRS, ICE, DEA, U.S. National Guard, Army, and Navy are among the government bodies known to use cellular surveillance devices (the eponymous StingRays) that mimic bona fide network towers. StingRays, and similar ISMI pretender wireless carrier towers, force nearby cell phones to drop their existing carrier connection to connect to the StingRay instead, allowing the device’s operators to monitor calls and texts made by these phones, their movements, and the numbers of who they text and call. As StingRays have a radius of about half a mile, an attempt to monitor a suspect’s phone in a crowded city center could amount to tens of thousands of phones being tapped.
The American Civil Liberties Union has identified over 75 federal agencies in over 27 states that own StingRay-type devices but notes that this number is likely a drastic underestimate. In 2015, the Department of Justice started requiring its agencies to obtain warrants for using StingRay-type devices, but this guidance doesn't apply to local and state authorities. Several states have passed legislation requiring a warrant for use, including California, Washington, Virginia, New York, Utah, and Illinois.
While the average citizen isn’t the target of a StingRay-type operation, it’s impossible to know what is done with extraneous data captured from non-targets.
How to protect yourself
Use encrypted messaging and voice call apps, particularly if you enter a situation that could be of government interest, such as a protest. WhatsApp and Signal encrypt messages and calls, preventing anyone from intercepting or interfering with your communications. Most encryption in use today isn’t breakable, and a single phone call would take 10-15 years to decrypt.
From security insiders to less tech-savvy folk, many are already moving away from traditional, unencrypted communications – and perhaps in several years, it will be unthinkable that we ever allowed our private conversations and information to fly through the ether unprotected.
[image credit: hacker smartphone concept via BigStockPhoto]