WhatsApp’s revelation that chats and calls of prominent politicians, journalists and activists across India were hacked by Israeli spyware has added to the paranoia of Indian users who were worried about the absolute lack of privacy online. To use a comment, we might well be running naked and blind on a busy cyber highway, not knowing when something will hit us.
Is just a missed call enough to hack your phone? Trishneet Arora, ethical hacker and CEO of TAC, who works with law enforcement agencies around the world on IT security, says, “It is true and false at the same time. If somebody says I can make a call and (through it) install a spyware on a phone, that is not how technology works. But yes, when you install any app, you give permissions to these apps to access your data.”
Pegasus, the malware developed by the Israeli company NSO/Q Cyber Technologies, used a different route to breach phones. WhatsApp uses end-to-end encryption. “Once a message is typed and you press go, it is encrypted using a key not known to anybody but to the organisation (installed along with the app or while it was updated), which is decrypted at the receiver’s end. Normally, hackers will not be able to read it because it is encrypted,” says Siddharth Vishwanath, partner and leader (cyber security), PricewaterhouseCoopers.
So it is pretty clear that the messages were not intercepted while being transmitted. Instead, Pegasus exploited a vulnerability in WhatsApp’s Voice-over-Internet-Protocol (VoIP) stack used to place video and audio calls—just a missed call was enough for Pegasus to gain access to the target’s device. “If the spyware is already on your device and clubbed to your app, then (that means) that encryption has no value (because) the app already has all the permissions to access your information,” says Arora.
Reading Orwell’s 1984 or watching a near-future surveillance society unravel in Black Mirror may be gripping, but it is frightening when the chickens come home to roost. “We live in a digital India where there is no law yet to govern online privacy, where judges are not ready, many state police departments do not have a cyber cell and people are not aware,” says Sandeep Sengupta, security consultant and founder & director of the Kolkata-based Indian School of Ethical Hacking (ISOEH). “Today, we commute, shop, pay, bank and chat all on our mobiles, but we do not realise that mobiles are even more vulnerable.”
The biggest culprits are the apps we install on our phones. “By installing random apps, you are giving unknown entities access to everything on your phone, including your messages inbox where your bank or credit card’s OTP comes. It is your bank’s last line of defence,” says Sengupta.
Corporate India is not better off, either. “Most companies have not invested or have under-invested in online protection. In fact, a lot of organisations may be under breach, but they may not even be knowing they have been compromised,” says Vishwanath. A 2019 mid-year report by Check Point Research, one of the world’s leading cyber security firms, says banking malware infiltration in the mobile cyber area has risen 50 per cent compared with last year.
That is not reassuring. Experts suggest vigilance as the best option—be smart about identifying phishing emails, be careful while clicking on links, be cautious while downloading apps, always think twice about what they may use the data for, and update your phone’s OS and apps regularly. As Arora says forebodingly, “There are two types of people: those who have been hacked, and those who don’t know they have been hacked!”