5 recent hacks that show smartphones are more vulnerable than we thought

Aaron Holmes
FILE - In this Dec. 17, 2018, file photo people walk by a building in New York. You carry your smartphone everywhere. But the way you use it could leave you vulnerable to specific forms of identity theft, including robocall scams and hackers looking to hijack your phone number. (AP Photo/Mark Lennihan, File)

Associated Press


  • Hackers are increasingly targeting mobile users, with a series of attacks targeting smartphone carriers and software in recent months.
  • Many of the hacks are undetectable, but this information could help you rule out whether you've been a possible target, and shield your device from future hacks. 
  • Specific hacks targeted iPhones, Android phones, and everything in between.

With news of a major hack breaking almost every week this year, it can be hard to keep track of whether your data is safe.

Hackers have targeted mobile devices with increasing frequency, aiming to track users' activity, steal their data, or trick users into disclosing sensitive information for financial gain.

Most of the attacks are specific to a smartphone's operating system, carrier, or a specific app, so in some cases it's possible to rule yourself out as a potential hacking victim. 

If that's not possible, your best bet may be to monitor your device closely for unusual activity and contact your provider to check whether your smartphone has been compromised.

Here's a rundown of recent smartphone hacks, and what we know about who might be affected.

SimJacker: Malware that infiltrates your phone with a text message.

Alex Wong/Getty Images

In one of the largest breaches so far this year, hackers are using a flaw that exists in most cell phones' SIM card to track users' locations and, in some cases, take control of their device.

The malware is known as SimJacker and was discovered by cybersecurity firm AdaptiveMobile in September. As its name suggests, the hack contains malicious code hijacks a user's SIM card. All it takes to spread is a single SMS — or text message — containing the code.

SimJacker is platform-agnostic, meaning it can potentially affect any type of hardware or software — instead, it exploits an interface used by cell carriers, Ars Technica reports.

Sprint, AT&T, Verizon, and T-Mobile have released statements saying their service wasn't affected in the US, so if you use any of those major networks and stayed in the country, you can rule yourself out as a potential victim. Most affected countries were in the Middle East and Africa, according to ZDNet, so customers who traveled to these areas and used their phone in roaming mode could potentially be affected.

If it sounds like you might be vulnerable, contact the carriers and check whether they've implemented network filters to block the SMS messages carrying SimJacker.



Phishing attacks bait Android users with text messages.

Kyodo News via Getty Images

A slightly different SMS attack, also uncovered earlier in September, targeted Android-based devices with messages aiming to trick users into changing their settings to give hackers access to their information.

Phones manufactured by Huawei, Samsung, LG, and Sony were vulnerable to the attacks, which were uncovered by cybersecurity research firm Checkpoint Research.

Hackers sent users messages posing as a network operator and instructing them to download Client Provisioning software. If users accept the download, their device will reroute its data through the hackers' server, granting them access to emails, contact lists, and browser activity.

Samsung and LG have already patched the vulnerability, while Huawei planned to roll out a patch later this month. Sony does not believe its devices are vulnerable, according to Checkpoint Research.

If you're unsure whether your device has the software update with the patch, be sure to refuse to download any software from an unrecognized number, and contact your provider directly if you receive suspicious messages.



Android devices were vulnerable to an attack that launches if owners watch a video.

Thomson Reuters

Earlier this summer, cybersecurity watchdogs realized Android phones were vulnerable to being hacked by simply watching a video with embedded malware.

Researcher Marcin Kozlowski identified the vulnerability and posted a proof-of-concept showing how Android users could be exposed to a hack if they downloaded and played a video file with malicious code. 

Google released a patch for the vulnerability in July, but millions of users were still waiting for the patch to be rolled out by their device manufacturers in the weeks that followed.

If you haven't downloaded a video file on your Android device, you're likely in the clear (videos played through third-party apps like WhatsApp or Facebook Messenger aren't vulnerable to the malware). Otherwise, ensure your Android software is fully up to date to ensure you're protected in the future.



A “watering hole” attack infiltrated iPhones that visited certain websites.

Crystal Cox/Business Insider

In a massive breach that called into question the supposed impenetrability of Apple's iOS, a Google cybersecurity team revealed in August that a handful of websites hacked iPhones over a period of years.

The exact number of users affected remains unknown, and the malware runs in the background of the devices without any way of detecting it. Google did not name the specific websites that could infect users' phones.

However, once it was notified of the attack, Apple included a security patch in its iOS 12.1.4 update. If you're unsure whether your iPhone was affected, your safest option is to ensure you're running on iOS 12.1.4 or later.



Hackers used a WhatsApp exploit to install malware on iPhones and Androids.

Reuters

Hackers installed surveillance malware on the smartphones of users who answered their calls via WhatsApp, the Financial Times reported in May.

The scope of the attack is unknown and the malware is largely undetectable. If you answered any suspicious calls on the app earlier this year, you may be affected — but in some cases, the malicious calls disappeared from call logs, and malware could have been transmitted even if users didn't pick up the phone.

Any brand of smartphone with WhatsApp installed was vulnerable to the attack, according to Facebook, WhatsApp's owner. 

Facebook pushed out a security patch in a WhatsApp software update in May, so if WhatsApp is up to date, so users should be protected now.