Today’s Mobile Security Threats: What Are They and How Can You Prevent Them?
Viruses, spyware, and other malware can affect more than just desktop computers and laptops. Mobile devices are vulnerable as well. As the threat landscape continues to evolve, it’s important that we not only understand these risks—but how we can protect ourselves against them.
In this post, we’ll take a closer look at the mobile phone security threats we face today and offer tips and suggestions for minimizing them.
What are mobile security threats?
Mobile security threats are attacks that are intended to compromise or steal data from mobile devices like smartphones and tablets. These threats often take the form of malware or spyware, giving bad actors unauthorized access to a device; in many cases, users aren’t even aware that an attack has occurred.
With access, attackers can perform a variety of malicious actions, from stealing and selling data to accessing contacts to sending messages and making calls. They can also use the device to steal users’ login credentials and spoof identities. These attacks impact individual users and organizations alike, as one single breach could lead to large scale data leaks.
Types of mobile security threats
Mobile device attacks come in all shapes and sizes, but generally fall within the following four categories:
- App-based mobile threats: Applications are often the root of mobile device vulnerabilities. These types of attacks can occur when users download malicious apps or grant apps permission to access device data without checking whether or not it’s safe to do so.
- Web-based mobile threats: A web-based mobile attack is usually achieved through phishing or spoofing. Attackers will send an email, text, or other instant message that looks as if it was from a trusted source—but the message contains a malicious link or attachment. When users click through or provide personal information, the bad actor can then gain unauthorized access to their mobile device or steal credentials to spoof identities.
- Network threats: This type of mobile attack occurs when bad actors target unsecured or free-to-use public WiFi connections. In some cases, hackers may even set up a fake WiFi network (known as network spoofing) in an attempt to trick users. Spoofed networks will ask users to create an account with a username and password, giving hackers the opportunity to compromise devices and credentials.
- Physical threats: Lost, stolen, and unattended devices open users up to a range of cell phone security issues. If you don’t use a strong password, PIN, or biometric authentication, or use unencrypted apps and services, your phone can easily be hacked—especially considering how sophisticated the threat landscape is today.
6 mobile security threats—and how to prevent them
It’s bad enough that malicious actors can use any of the above-mentioned threat types to launch an attack on unsuspecting users—but what’s even worse is that our everyday behavior and mobile activity can make it even easier for them to succeed. Below are some of the most common ways that we put our data and identities at risk of mobile device security threats, and tips on how to protect ourselves.
1. Downloading malicious apps and granting too many permissions
Applications that are downloaded from sources other than official app stores can lead to data leaks, as they’re often unlikely to have the appropriate protections in place. In addition, attackers may release malicious apps that are intended to exploit the users who download them—by stealing data from a device and selling it to third parties, for instance. Data leaks can also occur through malware-infected enterprise apps that distribute code on mobile operating systems, moving data across business networks without being discovered.
How to minimize risk: Only download applications from Google Play, the Apple App store, and other trusted providers. In addition, deny permissions—such as access to location data, your camera, and microphone—unless the app you’re using absolutely requires it.
2. Connecting to unsecured WiFi networks
WiFi networks that are free to access in public places like airports, coffee shops, and libraries are attractive because they give you the opportunity to avoid using mobile data. But many of these networks are unsecured, which means attackers can more easily gain access to users’ devices and compromise their data.
How to minimize risk: Think twice before connecting to free WiFi hotspots, and never use one that requires you to create an account or password. If you do need to use one of these networks, stick to low-risk activities—they should never be used to access your social media accounts, banking apps, or to make an online purchase.
3. Being the target of a social engineering attack
With remote work on the rise, attacks like phishing and “smishing” are increasingly prevalent on both mobile devices and computers. However, mobile users are often more vulnerable to these attacks because smaller screen sizes limit the amount of information that can be seen in a malicious email at any one time. This increases the chances that users will click on a link without considering the consequences.
How to minimize risk: Never click on a link in an email or text message, even if it appears to be from a trusted sender. Instead, enter the URL in the address bar of your web browser so that you can verify that the link is legitimate.
4. Practicing poor cyber hygiene
It’s more important than ever for people to practice good cyber hygiene, but many people continue to use weak passwords, recycle credentials across accounts, share data with friends and colleagues, and refuse to update applications and operating systems.
Out-of-date devices can also contribute to a slew of mobile cyber security issues. Whether it’s due to the manufacturer failing to offer updates or because a user chooses not to download new versions and software, this leaves gaps that an attacker can use to infiltrate a device.
In addition, users can fall victim to mobile security threats due to improper session handling. Many apps use tokens to make the experience more convenient for users (i.e., allowing them to perform actions without reauthenticating). But these tokens can sometimes be unintentionally shared with bad actors if sessions remain open.
How to minimize risk: Use strong passwords, deploy multi-factor authentication (MFA) tools, set your devices to automatically update, and log out of apps and websites when you’re finished using them. And of course, keep your personal information and logins to yourself.
5. Operating with broken cryptography or without end-to-end encryption
With people spending more time at home, there’s been a huge uptick in the use of video conferencing tools on mobile devices. While these are great for helping colleagues and families keep in touch, there are risks involved—especially if you use an app or service that doesn’t encrypt conversations, operates using weak algorithms, or otherwise leaves devices vulnerable to attacks.
How to minimize risk: Whether you’re a business owner or a concerned individual, ensure that you—and everyone else you’re communicating with—is using applications and online tools that prioritize keeping identities and data secure.
6. Falling prey to botnets
A botnet is formed when a group of computers fall under the control of a hacker. Typically they’re used to overload an organization’s resources during malicious acts, such as Distributed Denial of Service (DDoS) attacks—which can be executed on mobile devices via Trojans, viruses, and worms.
How to minimize risk: Like many other mobile threats, botnets can be avoided by only downloading legitimate apps, never clicking links or attachments in emails, using secure wireless networks, and being aware of unusual activity on devices.
How organizations can protect themselves from mobile threats
While IT and security teams are largely responsible for protecting company, employee, and customer data, there’s also a lot that end users can do to secure their devices. Let’s take a look at how each group can improve security at work and at home.
What IT and security can do
More than ever before, employees are working remotely from different locations and on various devices. However, only 13% of organizations deploy four basic protections: data encryption, need-to-know access, no default passwords, and regular security testing. Furthermore, nearly 50% of organizations don’t have an acceptable use policy in place, which is vital to fighting mobile data security threats and sets the standard for employee behavior on devices and networks.
IT teams can benefit by implementing mobile device management, deploying tools like MFA and single sign-on (while moving away from SMS authentication), and adopting a Zero Trust approach to security at their organizations. They should also provide regular training for employees to ensure security is always top of mind and advise everyone of the latest, most prominent threats they could face on a daily basis.
What individuals can do
Employees can also prevent mobile security attacks by making sure they have a robust understanding of common threats. Not only should they know what they are—but they should also be able to recognize the telltale signs that an attempted attack has been made.
In addition to following the policies set by their organization, employees can take security into their own hands by implementing secure password practices and enabling stronger authentication tools (like MFA and biometrics) across their devices. They can also ensure their home networks are secure, and avoid using free WiFi networks when working remotely.
What’s next in mobile device security?
To keep their employees and company data safe, it’s essential for organizations to stay on top of mobile device security risks—especially as the world becomes increasingly more remote.
Here are a few trends to keep in mind:
- Dynamic work is a model that gives employees the freedom and flexibility to work from anywhere, and requires a highly secure, integrated IT stack. Considering mobile security is a crucial part of this so that employees can collaborate effectively and safely—at any time, from any location, on any device.
- Bring your own device policies have been around for a long time now, but they’re even more important in our current working environments. Organizations need to ensure that employees are able to work on any device, which makes tools like MFA and a Zero Trust approach to security absolutely crucial.
- The Internet of Things is growing rapidly as more people rely on connected devices at work and at home (e.g., smart refrigerators and voice assistants). Being aware of what these devices are and how they may change the security landscape is key to preventing bad actors from gaining unauthorized access to information and networks.
Being informed about the latest mobile security attacks is the first step to a more secure workforce. For more information about mobile device security, and advice on how to secure your company and employee data, check out the following resources:
- Mobile Device Security: 4 Challenges to Overcome (Blog post)
- How BYOD Impacts Device Security (Blog post)
- How to Secure Your Workforce’s Devices with Okta (Blog post)
- Okta Device Trust: Get the Most out of Integrating Identity and Endpoint Management (Blog post)
- Secure Remote Work Toolkit (eBook)