Secure your smartphone now, CISA warns.

SOPA Images/LightRocket via Getty Images

Updated November 28 with CISA recommendations regarding the use of VPNs on smartphones, additional security agency advice from the U.K. National Cyber Security Centre for iPhone and Android users, as well as the already published public service advisory from the U.S. Cybersecurity and Infrastructure Security Agency.

Hot on the heels of reports of Sturnus spyware being used to effectively bypass encryption and read private messages sent by Signal, Telegram and WhatsApp to your smartphone, the U.S. Cybersecurity and Infrastructure Security Agency issued an urgent alert that “multiple cyber threat actors” are “actively leveraging commercial spyware to target users of mobile messaging applications.” Now CISA has released further urgent guidance that it says individuals at risk of being targeted should “immediately review and apply.” Here’s the step-by-step instructions to secure your smartphone, with guides for both iPhone and Android, from spyware attack according to America’s Cyber Defense Agency.

ForbesApple Podcasts App Hack Warning — What You Need To KnowBy Davey Winder

Cyber Attacks Target iPhone And Android Smartphone Users

Cyber attacks come in a myriad of shapes and sizes. From the newly reported attacks against London councils, to those against users of Amazon, Netflix and PayPal, to the highly-targeted and constantly evolving spyware threats facing smartphone users. It is the latter that is of concern to CISA, and should be to you as well, especially if you fall into the high-risk category of individual. That is, dear reader, a broad remit: journalists, political activists, government employees, the military, and, well, the list goes on. Better to assume you could be a target, even if only in terms of collateral damage to get to a bigger fish, and secure your smartphones as best you can.

The CISA Mobile Communications Best Practice Guidance document, classified as traffic light protocol clear, meaning I am able to share the information contained within, has just been updated and, as well as including recommendations for securing end-to-end encrypted communications, has step-by-step guides to enhance the security and privacy of both iPhone and Android smartphones.

ForbesFBI Warns That Hackers Are Posing As Fake Feds — What You Need To KnowBy Davey Winder

iPhone recommendations:

• Enable Lockdown Mode to limit apps, websites and features to effectively reduce the attack surface.
• Disable the send as text message option that would otherwise allow SMS use if end-to-end encrypted iMessage were not available.
• Use Apple iCloud Private Relay for enhanced security and privacy by protecting Domain Name System queries.
• Review and restrict app permissions, revoking those that are not essential, especially when it comes to location, camera and microphone.

Android recommendations:

• Use smartphone devices from those manufacturers with a commitment to long-term security updates and that support hardware-level security features.
• Only use RCS messaging if end-to-end encryption is enabled.
• Configure the Android Private DNS option to use a high-privacy resolver such as Cloudflare’s 1.1.1.1, Google’s 8.8.8.8 Resolver, and Quad9’s 9.9.9.9.
• Ensure ‘always use secure connections’ is enabled in the Android Chrome browser.
• Ensure ‘enhanced protection for safe browsing’ is enabled in the Android Chrome browser.
• Ensure ‘Google Play Protect’ is enabled to detect and prevent malicious app downloads.
• Review and restrict app permissions, revoking them in the same way as for the iPhone advice.

ForbesAmazon Issues Attack Alert — 300 Million Customers Are Now At RiskBy Davey Winder

National Cyber Security Centre Advice For iPhone And Android Smartphone Users

The National Cyber Security Centre, part of the U.K. Government Communications Headquarters, better known as GCHQ, has a mission-based strategy to “make the UK the safest place to live and work online.” So, it is hardly surprising to learn that it has also published recommendations for smartphone users on how to keep them, and the data stored within them, secure.

Number one, the NCSC advisory stated, is to ensure that you are using a secure lock screen password or PIN, not “a simple one that can be easily guessed or gleaned from your social media profiles.” That is very solid advice, and you can read more about lock screen PINs to avoid here.

Next, we have enabling the built-in find me or tracking function, a feature of your smartphone, so that lost or stolen devices can be tracked and, most importantly, locked and data deleted if necessary.

Keep your smartphone updated with the latest security patches, it’s free, mostly automated, and can save you from being vulnerable to hack attacks.

Ditto, but for your apps.

Finally, and most controversially in my never humble opinion, is the “don’t connect to unknown Wi-Fi hotspots” advice. While it is true that someone could have setup a malicious hotspot in a coffee shop or at the airport, the reality is that this is extremely unlikely and, given the near-ubiquity of HTTPS encryption during communications, the risk is massively reduced when it comes to the majority of snoopers. Yes, if you are a high-value individual, then you could be targeted, but someone just sweeping an entire coffee shop on the off chance of finding a profitable enough mark is slim. Indeed, most cybersecurity professionals of my acquaintance will happily tell you they connect to such networks without fear. If you are concerned, using your mobile 4G or 5G network is recommended if available, like you’d be using a free hotspot if it weren’t.

ForbesGoogle Chrome Security Update — 7 Zero-Day Reasons To Restart BrowserBy Davey Winder

America’s Cyber Defense Agency Warns iPhone And Android Users: Do Not Use A VPN

CISA’s newly updated Mobile Communications Best Practice Guidance went further than just the aforementioned guidance for iPhone and Android users to tighten up their security strategy when it comes to the settings of their smartphones; it also included a strict do-not-use policy, and one that might surprise many readers.

“Do not use a personal virtual private network.” Yes, you read that right. America’s Cyber Defense Agency, an independent operational component agency within the U.S. Department of Homeland Security, is telling smartphone users they should not use a VPN. The reason is both simple and compelling, from the perspective of such a security agency tasked with protecting a nation-state’s critical infrastructure from cyber attacks: “Personal VPNs simply shift residual risks from the internet service provider (ISP) to the VPN provider, often increasing the attack surface.” Obviously, for enterprises and other organizations, there is a caveat: using a corporate VPN client to access data is an acceptable use case. There is something within this advice that applies to consumers, though, and it’s a warning that may sound familiar to some of my readers. “Many free and commercial VPN providers have questionable security and privacy policies,” CISA said.

This echoes the recent and highly timely critical VPN threat warning from Google, in the wake of the Online Safety Act in the U.K., and state-based legislation in the U.S., that effectively make accessing online pornography much harder. Rather than focus on the questionable policy angle as CISA has done, Google’s vice president of trust and safety, Laurie Richardson, took aim fair and square at the “malicious applications disguised as legitimate VPN services across a wide range of platforms to compromise user security and privacy.”

ForbesDo Not Download These Windows Security Updates, Experts WarnBy Davey Winder

The threat actors behind such apps, Richardson continued, not only impersonate trusted consumer VPN brands, but also use social engineering, phishing, in other words, to target vulnerable users looking for information on geopolitical events or by exploiting sexually suggestive content as bait.

“These applications serve as a vehicle to deliver dangerous malware payloads including info-stealers, remote access trojans and banking trojans,” Richardson said, “that exfiltrate sensitive data such as browsing history, private messages, financial credentials and cryptocurrency wallet information.”

The mitigation advice, other than don’t use a VPN, is to only download your apps from legitimate, verified, official sources. Google said that you should check for apps displaying the VPN badge in Google Play, for example. Certainly do not sideload VPN apps, or be tempted to just hit accept when that ‘free’ VPN app asks for a host of permissions to access everything from your camera and microphone to your contacts and private messages. iPhone and Android users certainly nee, at least, to be alert to the risk.

ForbesPassword-Stealing AI HashJack Threat To Web Browsers ConfirmedBy Davey Winder