10 Unexpected Ways Your Android Phone Could Be Hacked
You might imagine that a hacked Android phone shows some signs. Perhaps a text console screen mysteriously appears, and you see that someone named BlackHatBob is typing inscrutable commands at lightning speed. But often, attacks come in under the radar and are basically undetectable, at worst slowing your phone down slightly. And even if you're pretty security-conscious, modern hacks can come from some very unexpected directions.
Your phone's behavior might change if it's been hacked, depending on the goals and methods of the attacker. A simple adware infection will make itself known, of course — what use are ads that aren't seen? If your phone shows that you've made calls or sent texts that you're unfamiliar with, or if unexpected charges are showing up on your phone bill, those are other signs of attackers.
A hacked phone sometimes appears to be in use more than you're using it — perhaps it's using a lot of data or battery charge for no apparent reason, or it's hot when you're not using it. Those might be signs of unauthorized use. And while there are a lot of potential causes for poor performance, if your phone is suddenly, dramatically, and inexplicably slow, it's a good idea to look into that.
Zero-day exploits
The sorts of hacking you normally hear about often involve the discovery of a new way of attacking a phone's software, hacking a phone by exploiting a software vulnerability — in software you're using, for example, or in the Android operating system itself — isn't exactly an unexpected possibility. What is unexpected is that these vulnerabilities can sometimes persist in Android far longer than you'd expect, often for months. So it's helpful to understand the issue and to get a handle on what you can do about it.
So-called "zero-day vulnerabilities" are among the most confusingly named entities in an industry famous for confusing names. They are exploitable flaws in a device's software — the OS itself, an app, or some other component — that was previously unknown and could be used to launch an attack immediately. The Android "Fortnite" installer bug is a good example. Once the responsible vendor becomes aware of the problem, it has zero days to correct the issue, regardless of how long it has been around. Ideally, a security patch or updated version of the software is issued as quickly as possible to address the flaw.
The trouble is that the process for updating Android and Android apps can be long, which makes the vulnerability available to hackers for long expanses of time. According to the Google Security Blog, 17 of the 41 zero-day vulnerabilities were variations on previously known vulnerabilities, which sometimes indicates an incomplete mitigation process. The solution? To the extent that there is a solution, the best approach is to keep your OS and software updated and hope the industry does its part to distribute better bug fixes more quickly.
Zero-click exploits
Just when you think you have a handle on phone security, some guy (in a hoodie with digital graffiti floating around him in a dark room, judging from media images) figures out a way to hack your phone invisibly, without your participation, using methods no one has even heard of even though it's been around for six months.
This typically works because some classes of apps accept data from outside the phone and then handle it in some way. If that handling can be used to execute malicious code on your phone, someone will certainly do it. The scenario looks something like this: software listens for incoming data in some form (an SMS message, for example) and then launches processes to act on it, perhaps decoding, formatting, storing, or displaying it. A vulnerability in the software (yes, this scenario is a zero-day exploit as well) makes it possible for the attacker to execute some command during that processing.
Keeping your device and apps up-to-date and only installing apps from trusted, reputable sources are your best defenses against zero-click vulnerabilities.
Malicious replacement parts
Zero- and one-click exploits are, well, exploiting a vulnerability in Android or some piece of software on an Android phone. These get patched (eventually), so the attacker community is constantly looking for new vulnerabilities. But there are other ways of getting the job done, and one of the least expected might be by embedding malicious components in simple replacement parts like screen replacement kits.
While unexpected, this mode of attack is completely intuitive. A chip positioned between a touchscreen and a phone's processor is in a position to both intercept and simulate touch events. In a 2017 paper called "Shattered Trust: When Replacement Smartphone Components Attack," Omer Schwartz and his co-authors revealed the reason this approach could be so devastating. The device drivers that operate internal components like touchscreens "exist inside the phone's trust boundary." So, with access unfettered by security measures, these chips can impersonate the phone's real user and compromise data in almost any way.
This problem is largely hypothetical at this point, but until the industry addresses the device driver trust problem, it's best to stick with OEM replacement parts.
Spear phishing
Spear phishing is just a cutesy name for a highly targeted phishing campaign. In this scheme, knowing a little about a target allows hackers to impersonate a trusted individual who's asking for sensitive information, access, or even money. Basic phishing attacks might cast a broad net and attempt to trick any user caught in it. Spear phishing is more effective — and potentially more devastating — because it directly targets individuals with convincing attempts to make the target trust the spear phisher, if only briefly.
Spear phishing works largely by gathering publicly available information on the target or targets (74% of organizations in the U.S. experienced phishing attacks since 2020, according to Verizon research, including the United States Nuclear Regulatory Commission). The attacker liberally and convincingly provides details gathered in advance that lend credibility to their claims. The spear of the attack is usually a carefully crafted e-mail that attempts to get the user to act in a particular fashion. This could include sending the attacker money, opening an attachment containing malware, or revealing credentials for a vital online service.
There are many types of spear phishing goals, so the ways you can protect yourself are numerous as well. Don't click on e-mail links unless you are absolutely sure of their provenance. Never share your passwords. Keep Android and your apps updated. Use multi-factor authentication on your e-mail and other key accounts. And verify suspicious e-mail senders using an online verification service or by simply making a phone call to the supposed sender.
SIM swaps
When a hacker wants an easy way around all of the two-factor authentication security you've added to your various accounts, a SIM swap is one way to pull it off. Hackers simply use one of the various methods to get reissued SIM cards associated with your account assigned to their phones instead. This gives the attacker access to all your phone calls and text messages. Once an attacker has what is basically your phone, access to most services (even many with two-factor authentication enabled) is a snap: a simple password-retrieval process that uses phone- or text-based 2FA can compromise your financial and other sensitive accounts.
Protecting yourself against the SIM swaps scam requires alertness and covering many bases. Protect your phone account with a strong password and difficult security questions. Take care not to use phone- or text-based 2FA for all your important accounts. Use authentication apps that generate access codes — this makes your security tied to your actual phone rather than merely a phone with your account info on a SIM card. And watch out for e-mailers, texters, or callers that might be trying to get identifying information from you that they will then use to convince your phone company to send them a replacement SIM for your account.
Supply-chain hacking
There are several ways attackers can bypass security protections, such as multi-factor authentication. This includes supply-chain hacking, in which a trusted vendor (a security company used by your phone's manufacturer, for example) is compromised, taking your supposedly secure information with it. The prominent 2020 attack against enterprise security company SolarWinds is an example of just such a hack. Dozens of governments and up to 250 organizations were penetrated by the attack. Bitsight estimates the cost of the SolarWinds hack to be around $90 million. Other supply-chain attacks have cost more than $10 billion.
These attacks work by compromising a company, usually a tech company, that is in the supply chain of one or more desirable targets. Any creator of software used by other companies is a potential supply-chain-hacking target because the software can be used as a vector for attacks and information gathering in advance of another attack. This is increasingly a problem as companies use open-source software, which can contain vulnerabilities as often as 11% of the time, according to Sonatype.
Unfortunately, there's nothing individuals can do to forestall supply-chain attacks, so they must rely on their companies' insistence on partnering with vendors who use security best practices.
Counterfeit USB cables
Using a public charging station, borrowing a USB charging cable, or simply using a cable when you aren't sure of its provenance are ways of eventually inviting attackers to gain control of your Android phone. And it doesn't just apply to cables but also to USB sticks and public USB ports you might use to charge your phone.
The O.MG Elite cable is a commercially available $180 device identical to a standard USB cable, but which gives hackers the capabilities found in $20,000 hacking tools, according to 9to5Mac. The cables can be used on Android and other platforms, includes built-in Wi-Fi, and enable hackers to access your phone's camera and photos, microphone, address book and contacts, clipboard, SMS messages, and just about anything else, according to the cable's developer, Hak5, on YouTube. And O.MG is not the only one — USB hacking devices have been around for years.
This one's difficult to avoid. You could only use pricey OEM cables, but even those could be swapped for a fake as good as the O.MG Elite, which is virtually indistinguishable from a legitimate cable. It's best to find a way to keep up with your cables and protect them from being swapped.
Stingray cell tower hack
Impersonating a cell tower to spy on your phone sounds like the stuff of government spy operations... and it is. But it's also easy enough to create an IMSI catcher (like the government's Stingray) and make a rogue cellphone base station to capture users' private information en masse. The most well-known device of this type is the Stingray (or the more recent Crossbow), a law enforcement IMSI catcher that can identify and track users, redirect web traffic so that malware can be installed, or even directly install malware on certain phones. And the Stingray casts a broad net, collecting information from any phone near it.
Back in 2016, Vice reported that the Stingray cost $148,000, and its mobile sibling KingFish sold for $157,000. But don't let the expense fool you into a sense of security. With a Raspberry Pi and a $520 software-defined radio board, Julian Oliver created a fake GSM cell tower and embedded it in an office printer. Fake cell towers can also be used against LTE phones, as described in a presentation at the 2016 0x7e7 conference.
You can protect yourself against fake cell tower attacks to some degree. Try to use only secure public networks. Use a VPN. And perhaps try out an IMSI catcher detector app like Security Research Labs' SnoopSnitch.
Hook VNC control
We imagine that malware does things like intercepting your keystrokes and deciphering your phone's security but a new and well-known bit of malware simply makes your phone's interface accessible via a remote desktop application. That means attackers can simply use your phone as if it were their own. The best part? You can buy the malware code online.
A new malware called Hook, apparently based on the ERMAC Android banking trojan, gives attackers access to your Android phone via the popular Virtual Network Computing (VNC) protocol. It essentially allows the attacker to navigate and use your phone, including your graphical user interface, as if it were in the hacker's hand. This sort of tool is appropriately called a Remote Access Tool (RAST), and this sort of attack is called a Device Take-Over (DTO), and that's as bad as it sounds.
Hook requires the use of Android's Accessibility Service, and fortunately, it has some difficulty taking hold on Android 13, which will not allow sideloaded apps to gain Accessibility Services privileges.
Issues with public Wi-Fi
Using public Wi-Fi hotspots is second nature to many of us, often a thing we desire and actively pursue, so much so that we sometimes just tell our phones to connect to any available network. The problem is that attackers can use these habits to intercept and steal personal information in several ways. Without even exploiting any vulnerability in Wi-Fi, anyone can set up an open Wi-Fi access point and spy on unencrypted traffic that goes through it.
Unfortunately, other approaches expose far more information than what you're doing online. Man-in-the-middle (MITM) attacks, for example, can be used to capture and modify information that flows to and from your phone. Attackers can replace ads on legitimate websites with malware-infected ads. File-sharing services you log into over public Wi-Fi can be infected with ransomware. Session hijacking allows your current website session with your bank, preacher, or mistress to be co-opted by the attacker, who suddenly has the same access you do. Your Android phone can even be remotely controlled in some circumstances.
There are some ways to protect yourself. Avoid using public Wi-Fi whenever possible. When you must use it, always use a VPN. Use 2FA or MFA for vital accounts. Delete your browser's history, cache, and cookies before signing onto the network. And, by all means, turn off the auto-connect feature on your phone.
Spy apps
It won't surprise anyone that spy apps can spy on you, so maybe you're careful about what you install. But you aren't necessarily the only person installing software on your phone — and sometimes, other people have bigger concerns than vulnerability to hacking. Suspicious spouses and parents are prime examples. Indeed, such spyware apps are sometimes called "spouseware." All this is despite Google's half-hearted ban on such apps.
Android spyware provider XNSpy brags that its software can record calls and the phone's environment, monitor messaging and social media apps, track the phone's location, take screenshots, provide a stealth mode to avoid detection, and even function as a RAT. (Again, that's a Remote Access Tool. But it's fun to call it a "rat.") Lest you think this sort of thing is rare, XNSpy publishes a rundown of its top 14 competitors, and the inventory is chilling.
You can reduce your odds of falling prey to spyware. Keep an eye on your phone at all times. Use a strong password or biometric lock (like a fingerprint) to secure your phone. Don't unlock your device with a password or PIN where it might be viewed or recorded. Note any unusual activity and excessive or unexplained data usage. And finally, search for spyware using a tool like Malwarebytes Mobile Security.