US cybersecurity officials updated their mobile security recommendations this week, warning that sophisticated hackers are bypassing device protections by manipulating users directly.
The Cybersecurity and Infrastructure Security Agency released revised guidance on November 24, adding new warnings about social engineering tactics targeting encrypted messaging apps. While the recommendations target high-risk individuals in government and politics, the advice applies to smartphone users globally.
Why the Update Matters
Nation-state hackers from foreign countries breached commercial telecommunications networks in 2025. They stole customer call records and intercepted private communications for targeted individuals. The attacks prompted CISA to expand its December 2024 mobile security guidance.
The threat extends beyond technical vulnerabilities. Hackers are tricking people into compromising their own security.
Four New Warnings About Messaging Apps
CISA identified specific tactics hackers use against apps like Signal and WhatsApp:
Fake security alerts. Hackers claim your account is compromised to trick you into giving them control. They send messages that look like security warnings, even inside the app itself, requesting PINs or one-time codes. Be suspicious of unexpected security alerts.
Malicious QR codes and invitation links. Avoid scanning group-invitation links or QR codes from unknown sources. Verify group invitations by contacting the creator through a different channel.
Compromised linked devices. Foreign threat actors abuse the legitimate linked devices feature to spy on Signal conversations, according to a February 2025 Google report. Check your messaging app's linked devices section. Remove anything you don't recognize immediately.
Message retention. Turn on message expiration features that automatically delete sensitive messages after a set time. Check workplace policies first if using a work device.
Essential Security Steps for Everyone
Switch to encrypted messaging. Use apps like Signal that provide end-to-end encryption and work across iPhone and Android. Standard text messages are not encrypted.
Stop using SMS for security codes. Hackers with access to phone networks can intercept text messages. Use authentication apps like Google Authenticator or Microsoft Authenticator instead. Physical security keys like Yubico or Google Titan offer the strongest protection.
Some services default to SMS during account recovery even after you disable it. Check each account individually.
Use a password manager. Apps like 1Password, Bitwarden, Google Password Manager, or Apple Passwords generate strong passwords and alert you to weak or compromised ones. Protect your master password with a long, random passphrase.
Set a carrier PIN. Most mobile phone carriers let you add a PIN to your account. This blocks SIM-swapping attacks where hackers transfer your number to their device. Add the PIN, then change your carrier account password.
Update everything regularly. Enable automatic updates on your phone. Check weekly to ensure updates installed correctly.
Buy recent hardware. Older phones cannot support the latest security features, even with software updates. New hardware includes protections that older models physically cannot run.
Skip personal VPNs. Free and commercial VPNs often have questionable privacy policies. They shift risk from your internet provider to the VPN company, frequently making things worse. Work VPNs required by employers are different.
iPhone Security Settings
Enable Lockdown Mode. This feature restricts apps, websites, and features to reduce attack opportunities. Some functions become unavailable.
Turn off SMS fallback. Go to Settings, Apps, Messages and disable Send as Text Message. This keeps messages encrypted between Apple users.
Use iCloud Private Relay or encrypted DNS. Private Relay masks your IP address and encrypts DNS queries in Safari. Free alternatives include Cloudflare's 1.1.1.1, Google's 8.8.8.8, or Quad9's 9.9.9.9 DNS services.
Review app permissions. Check Settings, Privacy & Security to see which apps access your location, camera, and microphone. Revoke unnecessary permissions.
Android Security Settings
Choose secure phones. Buy from manufacturers with strong security records and long update commitments. Android maintains an Enterprise Recommended list of devices meeting security standards. Look for phones with hardware security modules, monthly security updates, and five-year update guarantees.
Enable RCS encryption. Only use Rich Communication Services when end-to-end encryption is enabled. Google Messages enables this automatically when all participants use the app.
Configure encrypted DNS. Set up Android Private DNS with Cloudflare's 1.1.1.1, Google's 8.8.8.8, or Quad9's 9.9.9.9.
Check Chrome security settings. Confirm Always Use Secure Connections is enabled to force HTTPS. Enable Enhanced Protection for Safe Browsing for extra protection against phishing and malicious downloads.
Verify Google Play Protect is running. This scans apps for malicious behavior. Hackers try to trick users into disabling it. Check app scans regularly and exercise caution if using third-party app stores or sideloading apps from other sources.
Limit app permissions. Go to Settings, Apps, Permissions Manager. Remove unnecessary access to location, camera, and microphone.
The Bigger Picture
CISA says to assume all communications between mobile devices and internet services face interception or manipulation risks. No single fix eliminates all threats, but combining these protections significantly reduces vulnerability.
The guidance acknowledges that organizations may already require some measures like secure communication platforms and multi-factor authentication. Where they don't, individuals should implement these protections themselves.
Notes: This post was drafted with the assistance of AI tools and reviewed, edited, and published by humans. Image: DIW-Aigen.
Read next:
• Study Finds AI Tools Already Match Human Skills in More Than a Tenth of U.S. Wage Value
• Want To Rank Better In ChatGPT? Data Shows Sites With Strong Authority And Depth Earn Most Citations
by Web Desk via Digital Information World
No comments:
Post a Comment