State of Eavesdropping on Mobile Devices

Eavesdropping is a prevailing threat among many on mobile phones, with technology capable of tracking users, listening to their conversations and even logging their application usage becoming more pervasive and easier to come by.

“Mobile devices contain access to all of our personal and corporate data. They are capable of tracking our location, listening to our conversations and seeing what we see, all in real time,” said Andrew Blaich, head of device intelligence at Lookout, a mobile security and antivirus company. “We’ve seen an increase in attackers’ use of surveillanceware, which can be used to eavesdrop on people, year over year.”

The number and frequency of such incidents are substantial. Data Theorem has identified more than 100 million eavesdropping attempts on iOS and Android applications since its TrustKit release in 2015.

But apps are not the only vulnerability in mobile.

A recent Positive Technologies research report on Signaling Systems 7 (SS7) telecom protocol vulnerabilities and attack exposures found it is possible to intercept a subscriber’s conversation or text message in almost every network in Europe and the Middle East. A subsequent report by this group found that telecom network conditions are not improving, with 4G subscribers across Europe and Asia exposed to the same threats as subscribers of previous-generation networks.

It is the diversity in types of attacks that makes building a strong defense against eavesdropping all the more challenging.

The Threatscape

“Mobile devices have rapidly become ground zero for a wide spectrum of risks that includes targeted surveillance, a range of malware families, non-compliant apps that leak data and vulnerabilities in device operating systems or apps,” Blaich said. And the threats are growing: Lookout tracked just nine malware groups in 2016, but has already tracked 22 groups so far this year.

There are numerous ways that malicious eavesdropping can occur on mobile phones, according to Lookout. These methods include:

  • Installing a malicious app that asks for permission to sensitive data (contacts, calendar, photos) or functionality (microphone or camera access).
  • Visiting a malicious website that exploits the phone and silently install surveillanceware.
  • Connecting to a malicious cellular or WiFi network that intercepts the communications being sent and received from the device.
  • Falling victim to SMS SIM swapping or cloning attacks.
  • Falling victim to SS7 attacks.

Network Vulnerabilities

The idea of secure calls being the standard is delusional if additional security steps are not taken on devices, apps and networks.

The Positive Technologies report on SS7 networks used by large telecom operators in Europe and the Middle East found:

  • Nine out of 10 SMS messages can be intercepted.
  • Attempts to tap or redirect terminating and originating calls were successful in more than half (53 percent) of all cases.
  • It was possible to intercept a subscriber’s conversation or text message in almost every network.
  • Seventy-three percent of subscriber traffic interception attacks were successful.

The company noted that Diameter networks (used in 4G) are prone to attacks aiming to cause denial of service, disclose subscriber and operator information and defraud operators. However, according to its report, while the “scope of attacks is limited in comparison with previous-generation networks, intruders can force a subscriber’s device into 3G mode and carry out further attacks on the less secure SS7 system, including eavesdropping, SMS interception, and other actions targeted against subscribers.”

All is not lost, however. While the company found 100 percent of mobile networks were prone to subscriber traffic interception in 2015 and 2016, only 89 percent of networks were in 2017, suggesting that mobile operators are starting to take SS7 security issues more seriously.

Why Eavesdropping Has High Returns

“Surveillance and eavesdropping have a wide variety of use cases, but they all essentially boil down to spying on a targeted user with an intended purpose. Nation states have been known to use advanced tooling and techniques like the Pegasus malware or SS7 attacks to spy on the communications of a phone and steal all of the data from it,” Blaich said. “Non-nation states, like suspicious spouses, will use commodity malware, a.k.a ‘spouseware,’ to spy on their partners, friends and other family members.”

But criminals and competitors also eavesdrop to obtain sensitive information from unsuspecting victims.

“For some businesses and institutions, the ability to make secure calls can make or break a company, safeguard the future of others and even save lives. Whether you’re a government, the military, a financial institution or simply a business where valuable calls are made, you need to be part of a proactive security culture,” said James Hart, senior director of global marketing operations at Jabra, a Bluetooth headset maker.

The list of dangers is growing, however, given the proliferation of the internet of things (IoT), many of which connect to or are accessible by mobile networks.

The Positive Technologies report on the Diameter (4G) telecom protocol found that attack exposures could potentially “cause service disruptions, major financial losses and even life-threatening accidents. Additionally, vulnerabilities could lead to sudden failure of ATMs, payment terminals, utility meters, car alarms and video surveillance systems.”

Adding Security on the User End

While telecoms and IoT device makers work to secure flaws on networks and devices intended to, in many cases, spy on users, mobile device users can at least take steps to secure their communication devices such as mobile phones and tablets from eavesdropping.

Lookout recommends users take the following steps. Enterprises may want to encourage these steps as well in their bring-your-own-device (BYOD) programs:

  • Download apps only from the official app stores such as Android’s Google Play or Apple’s iOS App Store.
  • Avoid clicking on sketchy links from unknown contacts—simply visiting a page could put your device at risk.
  • Avoid connecting to unsecured wireless networks or networks where everyone has the same password.
  • Use a VPN that encrypts your traffic from prying eyes on a local network.
  • Check your cellular carrier bills in case someone has requested a new SIM card for your account.
  • Use secure messaging apps and services—standard phone calls and text messaging are not secure. However, services and apps such as Signal, WhatsApp and iMessage do provide a higher level of protection against eavesdropping.
  • Install a mobile security solution to detect whether your phone’s security has been compromised and you’re being spied on.

Other steps users can take include turning off Bluetooth when not in use, adding two-step authentication to apps and using passwords specific to apps rather than use one for all financial apps or all apps in general.

Featured eBook
The Complete Guide on Open Source Security

The Complete Guide on Open Source Security

This joint report by Microsoft and WhiteSource discusses the difference in finding & fixing vulnerabilities in open source components opposed to proprietary code, how to grasp the unique challenges of open source security and how to tackle them, as well as how to master the best practices of managing your open source security risks. This ... Read More