Trojans and cyber espionage: some tips to secure mobile communications

Instant messaging is, to date, the preferred means of communication for most people, both in personal and business spheres. Reports and statistics confirm this: the reasons are linked to the greater speed and ease of communication combined with free of charge, ease of use and immediate availability in stores, which over time have favored a massive adoption of these tools.

However, like any other online means of communication, instant messaging also comes with cybersecurity threats . In part, the problem is related to the type of digital attacks that cybercriminals carry out on messaging apps, and in part, the criticality is related to vulnerabilities in the code . The attractiveness on the part of the attackers depends on the diffusion, i.e. on the large success that the apps have among users and, therefore, on the traffic generated between users, while the vulnerabilities are linked to the failure to apply security practices and precautions in the design and in the deploy.

The best known messaging apps are WhatsApp , Messenger, Snapchat, Viber, Wechat, Signal , Telegram , but often these same names make headlines for security issues. To overcome the problem, however, and lock down your communications, it is possible to implement a responsible defense by choosing instant messaging tools designed to put user safety at the centre.

Digital threats to communications

Already in 2020, messaging apps had surpassed social networks by 20% in terms of popularity among users , becoming the most used communication tool (source: “ The Most Popular Communication Method Globally in 2020 & Beyond ”). With the pandemic and smart working, the trend has consolidated. In fact, the results of a survey carried out in October of this year show both that in 2020 the total number of users of these apps , globally, was equal to 2.7 billion , and that by 2023 the number of users is expected to grow to reach 3.1 billion .

This sum represents almost 40% of the world's population , a particularly attractive user base for cybercriminals who try to violate their data, accounts and identities by any means. The risk, however, is not just for the single person: in fact, the adoption of messaging apps in the corporate and business sphere is a common practice, and in this case corporate data for attackers is even more attractive. The practice of Bring Your Own Device (BYOD) in this sense has exacerbated the problem. The latest edition of the ENISA threat Landscape 2021 highlights the phenomenon of instant messaging spam among the rising trends, i.e. the sending of large quantities of unwanted messages, generally commercial and more often containing harmful and fraudulent links for malicious purposes.

In fact, messaging apps are frequently used by digital scammers who adopt phishing techniques or those who use social engineering attacks to get their victims' attention, offering unmissable offers, free downloads, contests or even declaring that the Your device is infected and you need to click on the security check link. The ultimate goal is always to mislead the victim, so that he shares confidential information or carries out specific actions related to the disclosure of his passwords, or personal or company codes (source: Digital Agenda ).

Kaspersky has released some data on the matter. These include anonymous clicks on phishing links in popular messaging apps, which between December 2020 and May 2021 recorded 91,242 cases globally . The highest number of malicious links were detected on WhatsApp, while Telegram, Viber and Hanghouts counted the fewest. Tatyana Shcherbakova , Senior Web Content Analyst at Kaspersky explains that “ Sometimes it can be difficult to understand when you are facing a phishing attack, because even just a character or a negligible detail can make the difference. In the fight against phishing in messaging apps you need to be very careful but also use anti-phishing technologies " . Remember that phishing is the first step in the compromise chain of different types of malware: trojans, ransomware and APT in general. Finally, in the banking sector the risks associated with instant messaging constitute a specific category of study and in-depth study (source: SANS ORG ).

No less formidable is also the threat linked to communications espionage (infiltration or digital intrusion), aimed at stealing intellectual property information or linked to state-type intelligence operations, implemented in order to assume someone else's identity, supervise, track, monitor specific individuals or groups. In the personal sphere, however, the interception of messages takes on contours linked to the theft of personal information for unauthorized disclosure (bullying, shaming, harassment).

The intrusion can take place by compromising the mobile device that hosts the messaging chat and theft by means of keylogger-type malware – history analyzers – is also possible, but movement controls using GPS tracking or geofencing are also fearsome.

Among the often overlooked threats is the ingenuity on the part of users to use free, unsecured wireless networks, which can lead to data sniffing and unauthorized capture of personal or corporate information. finally, it is necessary to pay attention to what is installed on your device to avoid introducing malware hidden in apparently legitimate apps, capable, however, of interfering with device information, including messaging apps.

Messaging vulnerabilities

In addition to the risks related to the methods of attack, it is necessary to consider the intrinsic problems of today's messaging apps, which may not be properly equipped with security features. Examples of this type include:

• the absence of unencrypted or unprotected data backups on premise or in the cloud (depending on where the app saves the data);
• the transferability of personal information without the user being aware of it; the lack of permanent deletion of personal data exchanged in chats;
• lack of software certification;
• failure to apply source code security checks to highlight bugs or vulnerabilities.

Many messaging apps, being public and hosted in the cloud, can include security flaws which, if exploited, allow a digital attacker to access the victim's address book and exfiltrate their contacts, access their location, view photos and videos, carry out environmental interceptions via microphone and take screenshots via fraudulent access to the camera.

In general, there are, therefore, few controls on the security, management and archiving of data and, therefore, on their RID (Confidentiality, Integrity and Availability), with the result that the data is modified, altered and transmitted externally.

Security best practices

Even if many think they have nothing to hide, the crucial issue is the distorted and harmful use that the attacker can make of the individual's data. Therefore, it is necessary and dutiful to protect yourself and your company by adopting and choosing messaging apps according to different protection criteria. The Australian Cyber Security Center (ACSC) has issued and periodically updates a document of suggestions both for the security in the use of social networks and for the security of messaging apps for personal and corporate use.

Among the measures suggested, the first concerns the need for end-to-end encryption so that communication is secure, making one's data inaccessible, considered the new bargaining chip by cybercriminals. To combat phishing, it is necessary to pay attention to spelling errors or other details in the links.

Luca Feletti , Project manager of Crypty of the Uniquon Group , suggests some security practices related to messaging apps: " the communication channel between two interlocutors should be encrypted with robust encryption to avoid Man-In-The-Middle (MITM) attacks and credential theft. The transit channel should also be protected and such as to keep the client/server communication management metadata secure, for example through a special VPN. Everything should be controlled by systems that can understand if there are problems, such as telemetry for routing checks or verifications. In the event of critical issues highlighted by the monitoring, an alerting procedure that also reaches deep wiping for the permanent deletion of data could prevent unauthorized exfiltrations. These layers of defense generate a security bubble within which nothing can be breached. For the protection of data privacy from a GDPR perspective, encryption measures are also required on the media exchanged in the messaging app; clients and servers should be authenticated with two-factor authentication and anonymized accounts to not show phone numbers that can identify the end user (ie no Personal Identifiable Information, PII, visible explicitly). Finally, it is preferable that the app's service management data center resides in Europe ”.

In terms of good habits for users it is advisable to use VPN for connections outside the company , robust rotation of passwords between various accounts and devices, enabling multi-factor authentication , secure browsing options and antivirus software (source: NJCCIC ).