Last weekend, an international consortium of media organisations published an investigation, called the Pegasus Project, into a leaked list of 50,000 phone numbers from across the world. The leaked list reportedly comprises surveillance targets of authoritarian governments around the world that use the Pegasus spyware (developed by Israel's NSO Group) to hack into the smartphones of critics, journalists, activists, politicians and business executives.
However, sophisticated spyware like Pegasus isn't the only way someone's personal device can be hacked into. From malicious links to hijacked public Wi-Fi, the tools and techniques used to hack into a user's smartphone range from fairly easy to complex:
Hack level: Easy
One of the most common hacking tools is a fake app. Google Play store and Apple App Store regularly take down hundreds of apps that may be fake or malicious.
Hackers usually create fake apps imitating a popular app, and embed it with spyware or other malware. A majority of these apps are found on third-party app stores, on social media, as pop-up ads on the internet, or sometimes, hackers target users via messages and links on websites.
Malicious links are another popular way to hack a smartphone, and can sometimes even be a precursor to leading a user to fake apps.
These malicious links or attachments are usually sent via e-mails, SMS or third-party chatting apps. All these need from a user is a click/tap on the link. Once done, the link infects the user's device with a virus/malware, giving the hacker control over part or all of the data on the device.
Phishing is a method used by hackers where they impersonate a company or trusted individual in order to gain confidential data.
Here, hackers often use official-looking communication, commonly shared via email or text messages, usually leading to a login page for a service which looks legitimate, but is in fact faked. When you follow phishing links to a login page and enter your details -- for example to your bank account -- your personal information has basically been stolen. This applies to banks, social media accounts, or any service that requires a login and password.
Bluetooth file transfers
It's likely that you've experienced this at least once before: a random Bluetooth file transfer from someone you don't know. This is typically viral malware from another infected phone, trying to dump its payload into your device. Never accept unsolicited Bluetooth file transfers.
Hack level: Moderate
Via Public Wi-Fi
Any network, including public Wi-Fi, can be snooped upon. Unencrypted traffic can be trivially stolen. Your Facebook login? Your bank details? All fair game for a motivated hacker.
It's simple; unless absolutely necessary, always avoid public Wi-Fi. And if you make financial transactions from your smartphone, then it's best to give it a miss. Also, turn off your Wi-Fi when not in use.
Using a smartphone/tablet/laptop on public Wi-Fi makes the device vulnerable to hacking.
SIM card swap
SIM card swapping or a SIM hijack isn't exactly one of the easiest ways of hacking smartphone data, but it is becoming increasingly popular. This method enables a hacker to trick a mobile carrier into transferring a number to them, potentially leading to the user losing control over their social media accounts, banking apps and other sensitive logins and data. Essentially, any service that uses an OTP for authentication can be compromised by this method, making it very dangerous. Remember: your Aadhaar authentication also happens via OTP.
Hack level: Difficult
Bluetooth hacking, also called bluebugging, steals data from another Bluetooth-enabled device without permission. For this technique of hacking, cyberattackers use specialised software that automatically detects nearby devices with Bluetooth enabled. With bluebugging, hackers can track a user in real-time and even take control over their device.
Hacking via phone numbers
Another hacking method is via phone numbers. For this to work, hackers need to know the technicalities of phone hacking.
To hack through phone numbers, SS7 signalling (a set of protocols used to set up and tear down phone calls) is exploited.
With this, a hacker can record calls, forward calls, read messages, and find locations of a particular device.
0-day exploits
These are vulnerabilities in your device hardware or software that are unknown even to phone/software makers. Such exploits are highly prized by criminal organisations and governments alike, because they allow discreet access to devices indefinitely, or until the vulnerability is patched. The exploit may take the form of something preventable -- like clicking a link in a message -- or, as has been used by Pegasus in the past, a "zero-click" vulnerability in Apple's iMessage app on iPhones. WhatsApp has been used as an attack vector in the past, with Pegasus infecting target devices simply by placing a WhatsApp call. The user did not even need to respond to be infected. WhatsApp sued NSO Group over this in the past.
Unfortunately, the very nature of 0-day exploits is that they are unknown, so protecting oneself from them is near-impossible.
How to prevent your smartphone from being hacked
In the case of sophisticated spyware like Pegasus, there is often not much a user can do to prevent hacking, but in most cases, small things can dramatically reduce your chances of being hacked.
When it comes to your smartphone, not sharing is caring
The easiest way a hacker can steal your information is if they get access to your smartphone. Use six-character passcodes (and not your birth date) or complex patterns. Also, secure all apps with additional app locks, in case they carry any sensitive information.
SIM Card locking
Putting a passcode on your SIM card can protect it from being hacked.
On an iPhone, head to Settings > Cellular > SIM PIN. Enter your existing PIN to enable the lock.
On Android, head to Settings > Lock screen and Security > Other security settings > Set up SIM card lock. Here, enable the option to lock your SIM card.
Keep your Wi-Fi and Bluetooth off, when not in use
It is possible to hack a smartphone using Wi-Fi or Bluetooth. So, whenever you are not using it, and especially when you are in public, turn off your Wi-Fi and Bluetooth.
Adopt a security-aware posture
We're used to things "just working" on the internet and with smartphones. However, any technology can be circumvented or exploited. Some things you can do online to protect yourself:
Ensure any WiFi networks you connect to use WPA2 security and not the older WEP, and certainly do not connect to open networks without security
Do not blindly accept Bluetooth file transfers
Do not click on links in messages or emails unless you are confident of the sender
Do some due diligence on received links and addresses -- check the email address of a sender carefully to ensure it matches what you know. Check the URL of a link to ensure that it matches what you normally type in a browser to go to a site. Telltale signs of a phishing/malicious link: a legitimate domain name prefix with something else tacked on to the end, such as ICICIBANK.SIGNIN.URLXYZABCFOO.CO. Note the end of the link; that's probably not your bank.
Read notices and prompts thrown up by your device; don't blindly click "OK"
Enable two-factor authentication (OTP/Authenticator) for all your online accounts
Do not scan random QR codes, especially related to payments. These can potentially lead to harmful links or at worst, empty your bank account
Avoid face unlock on Android phones. It is known to be less secure than on iOS devices
When called by telemarketers, pay attention if you intend to stay on the call. Ask questions. Which credit card company are they calling from? What are they offering? What are they asking of you? Phone phishing is on the rise and there is little recourse if you're successfully stolen from
Use a VPN to encrypt your communications. It may make things a wee bit slower, but the added security is worth it. You absolutely should use a VPN on public or hotel WiFi networks
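The link check described in the list above (compare the end of the host name with the address you normally type) can be automated. The following Python sketch is an added example, not part of the original article; the trusted domain `icicibank.com` and all function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption for illustration: the domain the user normally types for the bank.
TRUSTED_DOMAINS = {"icicibank.com"}


def split_host(link: str):
    """Return (hostname, full network location) of a link, lower-cased."""
    link = link.strip()
    if "://" not in link:
        link = "//" + link  # let urlsplit treat scheme-less text as a host
    parts = urlsplit(link)
    host = (parts.hostname or "").rstrip(".")
    return host, parts.netloc.lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(link: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    host, netloc = split_host(link)
    if not host:
        return "unknown"
    # Only the END of the host name decides who owns the site.
    if any(is_under(host, d) for d in trusted):
        return "trusted"
    # Brand = first label of each trusted domain, e.g. 'icicibank'.
    brands = {d.split(".")[0] for d in trusted}
    # A brand name in front of (or inside) a host that is not under the
    # trusted domain is the "prefix with something tacked on" pattern.
    # netloc also covers the 'brand.com@other-host' userinfo trick.
    if any(b in netloc for b in brands):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("ICICIBANK.SIGNIN.URLXYZABCFOO.CO",
                   "https://www.icicibank.com/login"):
        print(sample, "->", check_link(sample))
```

A result of `unknown` only means the link does not mention the bank; it says nothing about whether the site is safe.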