Hackers could be using your cellphone to commit crimes without your knowledge, a Virginia technology company has found.
Researchers at Distil Networks, headquartered in Arlington, estimate bots operate on 5.8 percent of cellphones and tablets.
“If you extrapolate that to the potential billions of mobile devices that are out there, that’s a pretty staggering number,” said Edward Roberts of Distil.
That’s perhaps 15 million infected devices in the U.S. alone.
Instead of using their own computing power to run illicit programs that crack passwords, steal gift cards, scoop up tickets and post spam on social media, hackers dispatch bots to covertly use other people’s data and battery power to help them commit the crimes.
“You’re making requests when it’s sitting in their pocket,” Roberts said. “They have no idea it’s happening.”
The strategic new bots are designed to minimize red flags, Distil said.
They hide in the background and use phones about 50 times per day, so the extra data use goes unnoticed. Then they time their exploits when the phone is moving — when its IP address is changing as it hits different cell towers — making it tougher to track.
“It’s another one of those techniques where the bot operators are trying to hide and escalating the problem, and it’s a problem that’s going to be very difficult to solve,” Roberts said.
Malicious web links or attachments open the door to the malware, Distil said.
“Phones are far more vulnerable to attack than most people realize,” said Aaron Cockerill, chief strategy officer at Lookout Security in San Francisco.
Lookout, which helps people protect mobile phones, contends “mobile phishing is the biggest unsolved problem in cybersecurity.”
Cockerill offered four steps for preventing malware, including bots:
- Set a passcode. He said it’s shocking how many people don’t.
- Turn on auto updates, because hackers exploit bugs in old software.
- Only install apps from the official store – never from links.
- Consider buying security software for your phone.
“That’s exactly what we do,” Cockerill said.
Lookout and other services offer real-time scans that warn you as soon as you click something shady — like a bot.
“We jump in front and say, ‘Hey, you shouldn’t follow this link. We think it’s bad,’” Cockerill said.
“They keep changing and keep hiding and keep trying to appear more human-like in order to avoid detection,” Roberts said.
Cellphones are just hand-held computers, so the same rules that apply to your home or work computer apply: Don’t click on any links or attachments that you aren’t sure about.
Reported by Susan Hogan, produced by Meredith Royster and edited by Perkins Broussard.