NSA shares seven steps iPhone and Android users MUST take to protect from secret smartphone hacks

Cybercriminals are waiting in the shadows of your smartphone, looking for vulnerabilities to unleash a secret attack.

Now the National Security Agency (NSA) has provided seven ways for iPhone and Android users to protect their devices and personal data.

The agency noted that these bad actors are using WiFi networks, smartphone apps and other loopholes to carry out cyber espionage, steal identifies and deploy ransomware.

Because of these flaws, officials are urging users to update their devices, turn off the WiFi when in public and perform other protocols to keep hackers at bay.

Statista reported that 353 million people’s data and personal information was compromised in the US last year including breaches, leaks and exposures.

These findings have made it more important than before to take steps to protect yourself from hackers breaking into your phone. 

1. Update Software and Apps

The NSA advised users to update the software and apps on their smartphones to make devices more secure.

Hackers find secret ways to break into phones by looking for loopholes in the existing software but with each update, companies remove any potential flaws they might have used to break into your phone.

Taking this step is one of the best ways to prevent hackers from accessing your data with the added caveat that it only works for some attacks, according to the NSA.

This method will stop cybercriminals from spying on calls, texts and data and block most spear-phishing attacks, which is when a cybercriminal sends targeted fraudulent emails to steal sensitive information like login credentials.

It will also help prevent zero-click exploits which involves the hacker downloading spyware onto a smartphones without them ever clicking a link.

2. Only install apps from official stores

Smartphone users should be wary when installing apps and make sure they’re only downloaded from official stores like Google Play and the App Store.

Unofficial app stores include Aptoide, SlideMe, ACMarket and Amazon Appstore. 

Hackers will often create a fake version of a legitimate app that will give them full access to your device once it’s downloaded.

They can then install malware on your device and share your data with third parties.

By double-checking whether the app and store is legitimate, you can prevent spear-phishing and audio, video, call, text and data collection as well as stop the hacker from accession your device’s geolocation. 

Google was forced to bar nearly 2.3 million apps from its Play Store last year alone, and banned 333,000 bad accounts ‘for violations like confirmed malware and repeated severe policy violations,’ the company reported in April.

This was an increase of 60 percent from the year before when it prevented 1.4 million apps from the Play Store and banned 173,000 accounts.

Click here to resize this module

3. Turn off WiFi and Bluetooth

Android and iPhone users should also refrain from connecting to public WiFi networks.

But the NASA warned that users who do connect to outside networks should turn off Bluetooth when not in use.

Hackers are constantly looking for vulnerabilities and leaving the WiFi on makes the device susceptible to ‘KRACK’ attacks, also called a Key Reinstallation Attack.

This is a cyberattack that works by manipulating the WiFi’s protected access through encryption keys to establish a secure connection that lets them steal data over the network when they’re in close range of their target.

Likewise, leaving your Bluetooth on can result in a ‘BlueBorne’ attack – when a hacker takes control of your device without any user interaction. 

BlueBorne let hackers carry out cyber espionage, data theft or even a ransomware attack.

Public WiFi networks don’t have the same security in place that your home has, leaving your smartphone open to serious risks of hackers stealing your identity and financial accounts.

Cybercriminals can set up WiFi networks that appear similar to the one you want to use such as ‘Cafe01’ instead of ‘Cafe1’ in the hope that you’ll mistakenly connect to it.

Once you’re connected to the network, hackers can use online victim profiling to steal your identity and pull data from anything you might type online.

They can also install malware onto your device that will allow them to have continued access to your phone’s data, even after you disconnected from the WiFi network. 

According to a 2023 Forbes study, 40 percent of people surveyed said their personal information was compromised while they used public WiFi – primarily at airports, hotels or restaurants. 

4. Use encrypted voice, text and data apps

Encrypted voice, text and data apps can help block hackers from accessing your personal information by converting your communication into a code.

WhatsApp is one of the most popular encryption apps followed by Telegram that provide end-to-end encryption – a security method that keeps phone calls, messages and other data private from anyone, including the app itself.

However, even encrypted apps aren’t 100 percent safe from attacks as WhatsApp because vulnerable to zero-click exploits in 2019.

The exploit was triggered by a missed call, allowing the hacker to gain access to the app and install malware on the device.

Zero-click attacks are one of the most dangerous because the user doesn’t need to click on a malicious link or download a compromised file for their data to be targeted.

Kevin Briggs, an official at America’s Cybersecurity and Infrastructure Security Agency, told the Federal Communications Commission (FCC) earlier this year that there were ‘numerous incidents of successful, unauthorized attempts’ to steal location data from cellphones in the US.

The hackers had also monitored voice and text messages and delivered spyware and delivered text messages from abroad to influence American voters, Briggs reported.

5. Don’t click links or open attachments

The NSA warned Android and iPhone users against opening unknown email attachments and links, in its Mobile Best Practices document.

‘Even legitimate senders can pass on malicious content accidentally or as a result of being compromised or impersonated by a malicious actor,’ the NSA wrote in the report.

Hackers can access your personal information one of two ways: by keylogging or using a Trojan malware.

Keylogging works like a stalker following your every move that allows them to access information in real-time as your type or surf the web and other apps – even listening to your phone conversations.

Trojan is an invisible malware that is used to extract important data including credit card account details and your social security information if it’s saved on your phone. 

‘Falling for social engineering tactics, like responding to unsolicited emails requesting sensitive information, can result in account compromise and identity theft,’ Oliver Page, the CEO of cybersecurity company Cybernut, told Forbes.

‘These phishing attempts often mimic legitimate entities, deceiving individuals into divulging confidential details,’ he continued.

‘Trusting phone calls or messages without verification can lead to serious consequences, as scammers manipulate victims into disclosing sensitive information or taking actions that compromise their security.’ 

6. Reboot your device every week

Smartphones should be turned off and on once every week to prevent zero-click exploits and spear-phishing.

If users don’t reboot the system, a hacker can manipulate open URLs to run a code that installs malware onto the device.

Turning the phone off resets all open web pages and apps and logs out of bank accounts to prevent cybercriminals from accessing sensitive information. 

This has the same result on spear-phishing attack because it removes a hackers ability to send targeted fraudulent emails because they won’t be able to access your personal information.  

A 2015 Pew Research study found that nearly half of all smartphone owners rarely or never turned their cell phone off, while 82 percent said they never or rarely rebooted their phone.

Although restarting your phone only sometimes prevents attackers from accessing your data, it makes hackers work harder to breach your phone’s defenses.

‘This is all about imposing cost on these malicious actors,’ Neal Ziring, technical director of the National Security Agency’s cybersecurity directorate, told The Denver Post in 2021.

7. Use a mic-drowning case and cover the camera

Using a protective case to drown out the microphone and block background audio could stop a ‘hot-micing attack’ in its tracks, the NSA said.

These cases have a microphone jamming system built into it that prevents unwanted eavesdroppers from hearing your conversations through apps or an external cyberattack. 

It’s also important to cover the back and front-facing camera on both Androids and iPhones because hackers can turn the mobile camera on and off and save media from your camera roll if they gain access to your phone.

You can cover the camera with a sticker, tape or a camera cover built into the case to protect you from a hacker observing your every move.

How to know if you have been hacked

There are some possible signs that indicate if your Android or iPhone has been hacked such as if the camera light stays on, even after you’ve closed the app, or it could turn on unexpectedly.

Other signs that you’ve been hacked include your battery draining more quickly than usual, if your phone is running slow or gets unexpectedly hot and if apps suddenly quit or your phone turns off and back on seemingly of its own accord, according to the security company, McAfee.

Users should also be on the lookout for any unrecognized text, data or unknown charges on your phone bill.