Mobile Security Threats Every Smartphone User Should Know About
Take action: Never click links in unexpected texts, emails, or QR codes - instead, manually type official website addresses into your browser or call the number on the back of your card. Lock your phone with biometrics, enable 2FA on all banking and important apps, only download apps from official stores, and if your phone is stolen, immediately call your bank and network provider to freeze everything.
Research conducted by RUSI's Cyber and Tech research group reports that 41% of UK consumers have experienced mobile fraud, malware, or cyberattacks.
Cybercriminals are targeting smartphones for financial gain at staggering scale: approximately 34 million cyberattacks targeted mobile devices globally in 2023, and zero-day vulnerabilities exploited against both Android and iOS devices increased by over 50% between 2022 and 2023.
Since smartphones are becoming essential, if not mandatory, for banking, communication, authentication, and daily activities, users must be aware of the threats and take practical steps to protect themselves and their money.
Social engineering is the most prevalent and dangerous threat targeting mobile users. In these attacks, criminals manipulate victims into taking actions or giving out sensitive information. These attacks come in multiple forms:
- Smishing uses fraudulent SMS text messages designed to trick users into handing over personal information or payment card details, or into clicking malicious links. These messages are predominantly sent over the regular mobile network or through messaging apps like WhatsApp, Viber and Telegram to massive numbers of users. They claim various seemingly urgent events, such as an undelivered package, a parking or traffic fine, or some reward, all trying to get the victim to click a link, open a malicious site or app, and then give up information or install malware.
- SMS blast smishing: Lately criminals have started using hardware to bypass the mobile network's spam protections. They use SMS blaster devices that emulate a mobile network antenna and give out a strong signal in a small area with a lot of people (think a shopping district in a city centre). Nearby mobile phones connect to the blaster's fake signal, and the blaster can then send thousands of fraudulent messages to those phones, bypassing the mobile network entirely.
- Vishing uses voice calls in which attackers spoof caller IDs to appear as legitimate banks or government agencies, pressuring victims to share account details or transfer money. With the advent of simultaneous AI voice translation, these are now mostly automated global campaigns that try to scam people anywhere in the world using a single infrastructure and criminal team.
- Qishing uses QR codes that direct victims to malicious websites designed to steal credentials or install malware. These attacks often serve as gateways to more elaborate scams, including romance scams where criminals build emotional relationships with victims over social media (with 98.5% of Facebook users accessing the platform via mobile devices), eventually convincing them to invest in fake cryptocurrency schemes through counterfeit mobile applications that display false profits until victims attempt to withdraw funds.
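As an added illustration that is not part of the original article, the Python script below shows why the advice to type addresses manually matters: it inspects constructed sample lure messages (or the text decoded from a QR code) for the signs described above: urgency wording, links to domains outside a hypothetical allow-list, a brand name reused inside a lookalike host, internationalised (xn--) hostnames that can hide a swapped glyph, and plain-http links. The allow-list, phrases and messages are all made up for the example.

```python
import re
import unicodedata
from urllib.parse import urlparse
# Hypothetical allow-list of domains the user genuinely deals with (constructed for this example).
TRUSTED_DOMAINS = {"mybank.example", "parcelpost.example"}
# Phrases typical of the urgency/reward lures described above.
URGENCY_PHRASES = ("within 24 hours", "immediately", "suspended", "avoid a penalty",
                   "reward", "could not be delivered", "pay now")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def normalised_host(host: str) -> str:
    """Decode an IDNA (xn--) host and strip accents so 'mybänk' compares as 'mybank'."""
    try:
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = host
    stripped = unicodedata.normalize("NFKD", decoded)
    return "".join(c for c in stripped if not unicodedata.combining(c)).lower()

def assess_message(text: str) -> dict:
    """Extract links from a message and return the warning flags a user should heed."""
    flags = []
    urls = URL_RE.findall(text)
    if any(p in text.lower() for p in URGENCY_PHRASES):
        flags.append("urgency-language")
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            flags.append(f"plain-http:{host}")
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append(f"idna-host:{host}")  # may render as a brand name with a swapped glyph
        domain = ".".join(host.split(".")[-2:])  # crude eTLD+1; fine for the .example names here
        if domain in TRUSTED_DOMAINS:
            continue
        flags.append(f"untrusted-domain:{domain}")
        for trusted in TRUSTED_DOMAINS:  # brand name reused inside an untrusted host
            if trusted.split(".")[0] in normalised_host(host):
                flags.append(f"lookalike-of:{trusted}")
    return {"urls": urls, "flags": flags, "suspicious": bool(flags)}

# Constructed sample lures (not real campaigns); the last one uses an accented brand name.
IDNA_HOST = "mybänk.example".encode("idna").decode("ascii")
SAMPLE_MESSAGES = [
    "Your parcel could not be delivered. Reschedule: https://parcelpost-redelivery.example/track?id=1",
    "Unpaid parking fine. Pay within 24 hours to avoid a penalty: http://fines-portal.example/pay",
    "Your statement is ready at https://www.mybank.example/statements",
    f"Scan for your reward: https://{IDNA_HOST}/claim",
]
```

Running `assess_message` over `SAMPLE_MESSAGES` flags the first, second and fourth messages and leaves only the genuine bank link unflagged; even then the safest action is still to open the bookmarked site rather than the link.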
Malicious applications are the second most critical threat, especially for users who download apps from outside official app stores, a practice called sideloading. Apps listed on the Apple App Store or Google Play Store undergo security reviews; however imperfect those reviews are, they are still better than the complete absence of controls for an app that is simply placed as a file on the internet.
Sideloaded applications have been found to contain 50 times more malware according to Android data. These malicious apps can:
- Harvest personal data and banking credentials
- Display unwanted advertisements and conduct click fraud
- Spoof mobile banking sessions to steal money
- Access device cameras, microphones, and location data
- Monitor keystrokes to capture passwords and PINs
Financial institutions and anti-fraud organizations confirm that malicious applications are becoming increasingly common in financial crime schemes. Criminals distribute these fake apps through phishing messages, social media, or unofficial websites, disguising them as legitimate banking apps, games, or utility tools.
Physical device theft has become the next frontier of compromise. Criminals have evolved beyond simply selling stolen devices for profit: since phones contain authenticators, banking apps and other connected services, criminals who gain control of unlocked or poorly secured devices first exploit the phones to commit additional crimes using the victims' banking applications, even draining accounts before victims can respond. Only then do they sell the physical device.
The UK National Crime Agency warns that stolen devices provide criminals with access to saved passwords, authentication apps, personal photos, emails, and entire digital identities, enabling identity theft and fraud that can continue for months after the initial theft.
Phone thefts in England and Wales have jumped by 153% from 2023 to 2024, averaging 200 snatch thefts daily. London recorded approximately 80,000 stolen devices in 2024, an increase of 16,000 from the previous year. This trend makes the UK responsible for two-fifths of all mobile phone thefts across Europe.
What can the average user do to protect themselves?
- Enable two-factor authentication (2FA) or multifactor authentication (MFA) on all critical accounts, preferably using authenticator apps or passkeys rather than SMS-based verification, which can be intercepted.
- Be skeptical of unexpected calls or messages that imply some benefit or urgency or request personal information, regardless of how legitimate they appear; be extra skeptical if the sender keeps calling or sending more messages to create pressure.
- Never click links in unexpected messages or emails; instead, manually type official website addresses into your browser or use bookmarked links.
- Only download applications from official app stores and carefully review app permissions before installation; deny access to unnecessary features like the camera, GPS or contacts.
- Enable built-in device security features including automatic device locking with biometric authentication, remote locking and wiping capabilities through Find My Phone or Find Hub services, Theft Detection Lock on Android devices (which automatically locks phones when snatched), and protection against factory reset to prevent criminals from wiping stolen devices.
- Keep devices updated with the latest security patches
- Use strong unique passwords managed through password managers
- If your device is stolen, immediately report it to your network provider to block service, contact your bank to freeze accounts and cards, change passwords for all critical accounts using another device, and file a police report.