Mobiles: the main target for hackers

As the top cybersecurity companies warned only a few months ago, hackers are now setting their sights on mobile device infiltration. This new trend was flagged up by Kapersky in its November 2019 Security Bulletin and also by McAfee in its Mobile Threat Report for 2020, warning that, this year, hidden mobile applications would represent the big cyberattack threat for users. According to UOC Faculty of Computer Science, Multimedia and Telecommunications professor Helena Rifà, "Hackers target computers and mobiles, but the focus is increasingly turning to the latter. This is because we are more lax about the security on our mobiles, despite using them more. As a result, hackers find them easier to infiltrate."

In fact, one of the most recent cyberattacks that led police in Spain to issue a pubic warning on Twitter was circulated on mobiles across the nation via WhatsApp. It was a bogus promotion offering a free subscription to Netflix during the COVID-19 lockdown period. "It was a phishing attack, as the form you needed to complete, rather than linking to Netflix, was a false web page designed to resemble that belonging to the platform," explained Rifà, who is also a member of the UOC's K-ryptography and Information Security for Open Networks (KISON) research group.

This type of cybercrime represents a direct attempt to obtain bank details, and, although such attacks are extremely common, they are not the only kind of threat we need to watch out for. "Approximately 40% of attacks are seeking our financial data, but others aim to collect general user profile information to sell private data on to third-party companies or to obtain additional personal information in order to carry out more targeted attacks at a later date," warned the UOC professor. She added that one of the most common examples of this in recent weeks has been to use coronavirus monitoring maps as 'hooks', saying: "We have been downloading them to find out where the virus was most active and many of those maps contained malware."

Cybercriminals are able to use this malicious software to track where we are, the journeys we make, and may even include spyware to see what we type and track our phone calls, giving them almost complete access to our private data.

A third common threat to our mobiles corresponds to the installation of unofficial applications. Although we tend to be more cautious when it comes to our computers, we download numerous applications onto our mobile phones. According to the Mobile Report for Spain and the World produced by Ditrendia, mobile users in Spain have an average of 17.8 applications installed on their devices. The problem in the majority of cases does not lie with the applications themselves but with the permissions granted during installation.

In the words of Helena Rifà, "We tend to say yes to everything, granting permissions that are often unrelated to the application we are installing. That is where we need to be suspicious. For example, when installing a photo retouching application that asks us for access to our voice service." Such inconsistencies should, therefore, raise a red flag. The installation of antivirus software is another way of protecting ourselves from mobile hacking. Experts recommend installing this despite the downside of a slight slowing of operability and battery draining.

Social engineering in times of pandemic

The repercussions of cyberattacks, be it in relation to our mobile devices or computers, translate into huge financial losses. According to a report by the cybersecurity company RiskIQ, €2,646,000 was lost every minute as a result of cybercrime in 2019. And professor Rifà predicts that the figure for 2020 may be even higher, as the number of attacks has skyrocketed since the state of emergency was declared. That is not the only new trend that cybercrime experts have detected. There has also been a shift in terms of the targets being identified by cybercriminals. As pointed out by Rifà, "Instead of attacking companies directly, hackers are now focusing on the end users because employees are working from home rather than in company offices."

Many of these kinds of attack use social engineering, which operates by manipulating users on an emotional level. According to the UOC professor, the current context makes social engineering attacks much more likely to succeed because the hacker knows that the user is concerned about a specific topic, in this case the coronavirus, and therefore uses that as a hook to launch an attack by sending news related to COVID-19. Rifà said: "A hacker's success rate is multiplied by knowing a user's interests. An emphasis placed on the value of certain information makes it easier to infiltrate users with that information. We are more vulnerable."

And it is precisely this type of cybercrime carried out during the state of emergency and the way it has been perpetrated that will form the basis of the discussion for the opening day of the UOC-Con Special Congress on 27 May. Under the heading, "Cybersecurity and cyberattacks during the state of emergency", this online conference will look at effective security measures for combating such threats.

The second day will go on to address Control measures during COVID-19: a threat to our privacy?, with experts discussing the privacy of applications aimed at containing the pandemic by monitoring citizens. Helena Rifà summed it up by saying: "This issue will not only be addressed from a legal point of view but also in relation to technology: looking at whether there are any solutions or tools that do the same job while also safeguarding privacy."

Certain initiatives do already exist that are capable of protecting us from this kind of breach of privacy, one example being the COVIDSafe application being used in Australia, which incorporates a number of design elements that focus on privacy. According to the experts, although this is by no means a fail-safe solution, the fact that it does not use GPS geolocation data and therefore does not reveal the location of the users does make it less invasive.