Listen to Audio
We all understand that there are a myriad of threats to our personal data in the modern world. Every time we sign up for a new service, we are risking our personal data falling into the wrong hands.
The worst part is that most of the time, there is no indication that our data has been leaked through some proxy server.
Today, there are three potential sources of leaks that you should be especially cautious of.
This is a problem that is more prevalent on Android, owing to the fact that anyone can develop, download, and install an Android app. Apple has iOS locked down quite tight but that doesn’t stop the occasional bad app from making it through the net. There are several different attack vectors that a mobile app can use to acquire your personal data.
Most of us live a significant portion of our lives on our smartphones, making them absolute treasure troves as far as our personal data is concerned. In some cases, apps will ask directly for the information that they want, although they aren’t always completely honest about what they intend to do with it.
In other cases, apps will trick users into entering information with the promise of unlocking various features or triggering some kind of reward or payout. A prominent example of this is the game Fortnite for Android, which, unusually for a major Android release, is not on the Google Play Store. This is because Google takes a cut of all those sweet microtransaction payments that app developers are addicted to.
But because you need to download the Fortnite APK and install the game yourself, there have been numerous examples of criminals setting up fake websites to trick users into installing a malicious app onto their device and running it. The situation is similar for other games, including those available on the Play Store. There are fake apps purporting to be ports of popular games, like PUBG, which can safely be downloaded from the Play Store. Often, users are tricked into downloading these by promises of the app being hacked in some way.
As well as stealing personal and financial data, the same apps that used to leak user data are now beginning to steal user photos and use them to commit identity fraud. Most of us have enough data stored in our smartphones for someone to be able to identify us with relative ease.
Lots of app developers have chosen to fund their or support their apps through the use of advertising. After all, there are now a number of advertising networks that offer code app developers can freely add to their apps. This code will handle everything for the developer, leaving them with nothing to do but collect the revenue that they earn through it. In principle, it’s a great system – app developers get to earn enough money to maintain their apps, while advertisers get to display their ads to large numbers of people.
However, there are also a number of illegitimate ad networks operating. These often have the appearance of being legitimate advertising networks and the majority of them will even pay out what appears to be a fair sum to the developers.
Beneath the surface, though, things are more complicated. By creating advertising overlays that utilize a variety of different methods, malicious advertising networks are able to display ads in places where the user can’t see them and force them to use far more data than they should have to. By doing this, the network’s operators are able to create the illusion of having displayed more than they actually have.
The businesses that pay to be on the network, under the impression that their ads are going to be displayed to mobile users, pay the advertising networks according to the number of views or interactions an advert gets, but it is difficult to verify that ads are being displayed properly. There are ad verification services that can help advertisers to verify their ads are displayed properly. Unfortunately, cybercriminals are using very sophisticated methods to hide more ads on the page and make it look like they are being displayed legitimately.
These malicious adverts have been known to infect legitimate apps, unbeknownst to their developers. This is done by inserting malicious ads into the supply chain of a legitimate ad network. This attack is difficult to pull off but devastatingly effective.
A notorious variant of this, SimBad, was one of the largest malicious adware campaigns ever seen. The attack infected 210 apps with 147 million downloads between them. The attack got its name from the fact that most of the apps infected were simulator games.
Malicious actions performed by the app include showing ads outside of the visible area, constantly opening a browser using a legitimate link within the app in order to engage in targeted spear-phishing of the user, and stealth downloading malware.
Free Proxies and VPNs
A while ago, Facebook, that most trustworthy of businesses, bought a little-known VPN maker by the name of Onavo. Facebook then released the Onavo VPN for free on Android and iOS. Facebook claimed that Onavo, like any VPN, would improve users’ privacy by enabling them to route their data through Onavo’s servers.
The problem was that Onavio’s servers were now Facebook’s servers, and Facebook is always hungry for data. Of course, Facebook logged all of the data that flowed through its servers.
Remember that Facebook is supposedly a reputable business; just think what unscrupulous VPN and proxy services could do! You should avoid free VPNs or proxies like the plague. Running the infrastructure necessary for either is going to require money from somewhere. If they aren’t charging you anything to use the service, then they must be paying for it some other way.
A nefarious proxy is more of a threat than a VPN because with a VPN there is some degree of encryption, limiting what VPN providers can find out about their users. They can still monitor your activity, but with a compromised proxy, they will be able to read all your unencrypted data.
Data is a very valuable resource, so it is only natural that it would attract organized crime. However, few people realize just how prevalent it is and how at risk they might be. Always be careful what apps you install on your phone, especially if they aren’t from an official app store.