Do you consider your phone security when you think about general IT security? Unfortunately, many of us treat it only as an afterthought…if we consider it at all. While most people have come around to understanding the need for extra steps to protect ourselves and our businesses while on a PC, it may not be as evident that a phone can be breached in many of the same ways a PC can.
After all, we use our phones for many of the same basic tasks. We commonly enter passwords and access sensitive and personal material. Because of this, phone security is as important as any other part of IT security.
Luckily, many of the same processes and protections we use on PCs also apply to phone security. We’ve covered many different techniques, approaches, and ideas in past blog posts that apply to both traditional PCs and mobile devices. (Here are some quick links to articles on 2022 IT Resolutions, security while traveling, and business continuity if you’d like a refresher.)
More specific to phone security, however, is a recent malware example called BRATA. Belonging to a family of tools called RATs—Remote Access Trojans—the Brazilian Remote Access Tool Android has been around for a few years but has reared its head with some nasty new features. Generally speaking, a software trojan (named after the Trojan Horse of Greek mythology) is any malware that tricks the user about its true intent. As outlined in this article from Bleeping Computer, BRATA uses tailored approaches to convince a user to download the seemingly helpful app, including SMS messages advertising a supposed security app for a specific bank.
The user may then be sent to a website designed to impersonate that bank’s real website. In some cases, live “technicians” are available to help with the install. As Paul Wagenseil at tomsguide.com describes:
Of course, the technician is really a crook, and the permissions you’ve given the new app hand over control of your phone. They include the abilities to see what you type and do on the phone, make phone calls, send and view text messages, access saved photos and files and — most importantly — act as a “device administrator” that can lock and unlock the screen, modify system settings and remote wipe the device.
This, of course, is a very scary prospect, as it would allow an attacker to steal sensitive passwords and then remotely wipe the device to destroy any evidence.
This can lead to issues for individuals and businesses alike. One could have all the phone security in the world, but if it is intentionally or unintentionally bypassed, that phone security is rendered useless.
A few tips for remaining safe against BRATA and other RATs:
- Only download apps from the Google Play or Apple App Store
- Do not grant unnecessary permissions, and revoke any that are already granted (choose “only while using the app” for permissions that do make sense)
- Use MFA whenever possible, for both apps and websites
- Only plug phones into trusted chargers, ideally the OEM’s own
- Don’t trust SMS messages from unknown sources, or from known sources that make unusual requests
- Use a trusted bank app (downloaded from the appropriate app store) rather than clicking a link that opens a browser, especially a link from an SMS message
- Install antivirus software on Android devices for increased phone security
- Create company mobile device management policies for any devices that access work assets
There’s no doubt…it can be a lot to think about. If your business needs a helping IT hand to work on phone security or general IT issues, don’t hesitate to CONTACT our team of experts and we can get you headed in the right direction!