From targeted breaches and vendetta-fueled snooping to opportunistic land grabs for the data of the unsuspecting, here are four ways someone could be spying on your cell phone – and what you can do about it.
1. Spy apps
There is a glut of phone monitoring apps designed to covertly track someone’s location and snoop on their communications. Many are advertised to suspicious partners or distrustful employers, but still more are marketed as a legitimate tool for safety-concerned parents to keep tabs on their kids. Such apps can be used to remotely view text messages, emails, internet history, and photos; log phone calls and GPS locations; some may even hijack the phone’s mic to record conversations made in person. Basically, almost anything a hacker could possibly want to do with your phone, these apps would.
And this isn’t just empty rhetoric. When we studied cell phone spying apps back in 2013, we found they could do everything they promised. Worse, they were easy for anyone to install, and the person who was being spied on would be none the wiser that there every move was being tracked.
“There aren’t too many indicators of a hidden spy app – you might see more internet traffic on your bill, or your battery life may be shorter than usual because the app is reporting back to a third-party,” says Chester Wisniewski, principal research scientist at security firm Sophos.
Likelihood
Spy apps are available on Google Play, as well as non-official stores for iOS and Android apps, making it pretty easy for anyone with access to your phone (and a motive) to download one.
How to protect yourself
- Since installing spy apps require physical access to your device, putting a passcode on your phone greatly reduces the chances of someone being able to access your phone in the first place. And since spy apps are often installed by someone close to you (think spouse or significant other), pick a code that won’t be guessed by anyone else.
- Go through your apps list for ones you don’t recognize.
- Don’t jailbreak your iPhone. “If a device isn’t jailbroken, all apps show up,” says Wisniewski. “If it is jailbroken, spy apps are able to hide deep in the device, and whether security software can find it depends on the sophistication of the spy app [because security software scans for known malware].”
- For iPhones, ensuring you phone isn’t jailbroken also prevents anyone from downloading a spy app to your phone, since such software – which tampers with system-level functions – doesn’t make it onto the App Store.
- Download a mobile security app. For Android, we like Bitdefender or McAfee, and for iOS, we recommend Lookout for iOS.
2. Phishing messages
Whether it’s a text claiming to be from a coronavirus contact tracer, or a friend exhorting you to check out this photo of you last night, SMS texts containing deceptive links that aim to scrape sensitive information (otherwise known as phishing or “smishing”) continue to make the rounds.
And with people often checking their email apps throughout the day, phishing emails are just as lucrative for attackers.
Periods such as tax season tend to attract a spike in phishing messages, preying on people’s concern over their tax return, while this year’s coronavirus-related government stimulus payment period has resulted in a bump in phishing emails purporting to be from the IRS.
Android phones may also fall prey to texts with links to download malicious apps (The same scam isn’t prevalent for iPhones, which are commonly non-jailbroken and therefore can’t download apps from anywhere except the App Store.). Android will warn you, though, when you try to download an unofficial app and ask your permission to install it – do not ignore this warning.
Such malicious apps may expose a user’s phone data, or contain a phishing overlay designed to steal login information from targeted apps – for example, a user’s bank or email app.
Likelihood
Quite likely. Though people have learned to be skeptical of emails asking them to “click to see this funny video!”, security lab Kaspersky notes that they tend to be less wary on their phones.
How to protect yourself
- Keep in mind how you usually verify your identity with various accounts – for example, your bank will never ask you to input your full password or PIN.
- Check the IRS’s phishing section to familiarize yourself with how the tax agency communicates with people, and verify any communications you receive
- Avoid clicking links from numbers you don’t know, or in curiously vague messages from friends, especially if you can’t see the full URL.
- If you do click on the link and try to download an unofficial app, your Android phone should notify you before installing it. If you ignored the warning or the app somehow otherwise bypassed Android security, delete the app and/or run a mobile security scan.
3. Unauthorized access to iCloud or Google account
Hacked iCloud and Google accounts offer access to an astounding amount of information backed up from your smartphone – photos, phonebooks, current location, messages, call logs and in the case of the iCloud Keychain, saved passwords to email accounts, browsers and other apps. And there are spyware sellers out there who specifically market their products against these vulnerabilities.
Online criminals may not find much value in the photos of regular folk – unlike nude pictures of celebrities that are quickly leaked – but they know the owners of the photos do, says Wisniewski, which can lead to accounts and their content being held digitally hostage unless victims pay a ransom.
Additionally, a cracked Google account means a cracked Gmail, the primary email for many users.
Having access to a primary email can lead to domino-effect hacking of all the accounts that email is linked to – from your Facebook account to your mobile carrier account, paving the way for a depth of identity theft that would seriously compromise your credit.
Likelihood
“This is a big risk. All an attacker needs is an email address; not access to the phone, nor the phone number,” Wisniewski says. If you happen to use your name in your email address, your primary email address to sign up for iCloud/Google, and a weak password that incorporates personally identifiable information, it wouldn’t be difficult for a hacker who can easily glean such information from social networks or search engines.
How to protect yourself
- Create a strong password for these key accounts (and as always, your email).
- Enable login notifications so you are aware of sign-ins from new computers or locations.
- Enable two-factor authentication so that even if someone discovers your password, they can’t access your account without access to your phone.
- To prevent someone resetting your password, lie when setting up password security questions. You would be amazed how many security questions rely on information that is easily available on the Internet or is widely known by your family and friends.
4. Bluetooth hacking
Any wireless connection may be vulnerable to cyber-snoops – and earlier this year, security researchers found a vulnerability in Android 9 and older devices that would allow hackers to secretly connect over Bluetooth, then scrape data on the device. (In Android 10 devices, the attack would have crashed Bluetooth, making connection impossible.)
While the vulnerability has since been patched in security updates out soon after, attackers may be able to hack your Bluetooth connection through other vulnerabilities – or by tricking you into pairing with their device by giving it another name (like ‘AirPods’ or another universal name). And once connected, your personal information would be at risk.
Likelihood
“Rather low, unless it is a targeted attack,” says Dmitry Galov, security researcher at Kaspersky.“Even then, a lot of factors have to come together to make it possible.”
How to protect yourself
- Only turn your Bluetooth on when you are actually using it
- Don’t pair a device in public to avoid falling prey to malicious pairing requests.
- Always download security updates to patch vulnerabilities as soon as they’re discovered.
Credit: Natasha Stokes