How phones get hacked: 7 common attack methods explained

The smartphone revolution was supposed to provide a second chance for the tech industry to roll out a secure computing platform. These new devices were purported to be locked down and immune to malware, unlike buggy PCs and vulnerable servers.

But it turns out that phones are still computing devices and their users are still people, both of which will always be weak links. We spoke to security experts to better understand the most common ways attackers might go about breaking into the powerful computers in your users’ pockets. Here’s what we found.

7 ways to hack a phone

  • Zero-click spyware
  • Social engineering
  • Malvertising
  • Smishing
  • Fake apps
  • Pretexting
  • Physical access

Zero-click spyware

The scariest and most sophisticated attacks on smartphones are zero-click attacks, because they don’t require obvious user intervention to succeed. Roger Grimes, data-driven defense evangelist at KnowBe4, explained how commercial surveillance vendors (CSVs) weaponize these exploits.

CSVs — sometimes called commercial spyware vendors — are criminal organizations that sell malware and exploits to the highest bidder. “CSVs are responsible for the vast majority of zero days that we find today, especially on cellphones,” Grimes says. “In 2023, zero days were used more than non-zero days to exploit people.” The most dangerous variants require no user interaction: “The victim does nothing,” he explains. “The zero day launches without any end-user contact, or the user simply needs to read a message, open an email, open an attachment, or click on a link.”

Grimes emphasized that many exploits are as simple as sending a background push message or a WhatsApp text — “whether the user even sees it isn’t important.” He adds: “With zero-click attacks, you get almost 100% of the victims you are able to contact.” These attacks are often sold for six- or seven-figure sums to commercial vendors or nation-states. “It is rumored that sufficiently capable nation-states, like the US, have thousands of zero-click attacks … and use them when they need them.”

Grimes noted that many of these attacks rely on long-established techniques such as buffer overflows. “A buffer overflow allows the malicious code to redirect the execution of the legitimate handling program into executing the malicious code,” Grimes explains. “You didn’t need to open the message or interact with it — just receiving it could trigger the exploit.” He pointed out that while most modern exploits require user interaction, “probably 15% of exploits simply ‘hit’ the underlying service or app and the exploit just launches.”

David Redekop, CEO at ADAMnetworks, emphasized that while zero-click exploits pose a serious and ongoing threat to high-value targets, “it just isn’t for the masses.” Ordinary users face a host of lower-tech attacks — but in many cases they can be just as dangerous.

Social engineering

The easiest way for any hacker to break into any device is for the user to open the door themselves. Making that happen is easier said than done, of course, but it’s the goal of most social engineering attacks.

Smartphone operating systems generally have stricter security regimes than PCs or servers, with application code running in a sandboxed mode that prevents it from escalating privileges and taking over the device. But that much vaunted security model, in which mobile users need to take affirmative action for code to access protected areas of the phone’s operating system or storage, has a drawback: It results in an abundance of pop-up messages that many of us learn to tune out.

“Applications on mobile devices segregate permissions in order to protect the user from rogue apps having a free for all with your data,” says Catalino Vega III, security analyst at Kuma. “The prompt becomes familiar: ‘Do you want to allow this application access to your photos?’ Because of the way the user experience has conditioned the acceptance of most prompts as a gate to accessing functionality, most users will just allow the app access to whatever it is requesting.”

Joshua McKenty, CEO and co-founder of Polyguard, says that new technical tools wielded by organized groups are driving a resurgence in social engineering attacks, such as “various forms of phishing and social engineering now supercharged by AI. This includes deepfakes, hyper-personalized email, and text scams that take advantage of identity data from breaches.”

Malvertising

One traditional mechanism for spawning those deceptive dialog boxes is the so-called “malvertisement,” which piggybacks onto the infrastructure developed for the mobile advertising ecosystem, whether in a browser or within an app.

Khadem Badiyan, CTO and co-founder of Polyguard, calls this a classic that’s dying off. “Malvertising has become far less effective due to advancements in browser sandboxing, stricter app store policies, and the general shift toward app-centric mobile use over traditional web browsing,” he says.

But ADAMnetworks’ Redekop believes that malvertising still occupies an important niche in the cybercrime ecosystem. “Considering that Google reports regularly the number of domains removed via their TAG bulletins and that third parties report that Google blocked 5.1B harmful ads and suspended 39.2M advertiser accounts in 2024, it is clear that the malvertising problem is far from out of date,” he says.

Smishing

Another vector attackers use to get tappable links in front of their victims is SMS text messaging, in a practice known as SMS phishing or smishing.

“There are multiple ways cybercriminals can use SMS phishing, depending on their intention and goal,” says Rasmus Holst, CRO of Wire. “If the objective is to install malware onto a device, then a file is usually attached, accompanied by a message that tries to persuade the user to click and download it. For example, cybercriminals can impersonate someone trusted, such as an employer or manager asking an employee to review the attached document, laying a trap for a busy and unsuspecting victim.”

Smishing is a tried-and-true hacker technique, but today, says Polyguard’s McKenty, “the challenge is to make links ‘clickable.’ Over the past few months, we’ve seen exploits of a number of vulnerabilities in Apple’s SMS link defenses. This includes funneling malicious links through trusted domains like Google (using the AMP and Google Sites vulnerabilities), taking advantage of exceptions for ‘basic auth-protected’ URLs by using empty credentials in the rarely used user:pass@host format, and even an apparent parsing vulnerability around empty subdomains.”
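As an added example, not code from the article or from Polyguard, here is a small link-triage helper that flags the three patterns McKenty lists: empty credentials in the user:pass@host form, empty subdomain labels, and links funneled through trusted hosts. The funnel-host list is an assumption, kept deliberately short.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately short list of trusted hosts the article says have been
# used to funnel links (Google AMP viewer/cache, Google Sites). Assumption, not exhaustive.
FUNNEL_HOSTS = {"sites.google.com"}
FUNNEL_HOST_SUFFIXES = (".cdn.ampproject.org",)
FUNNEL_PATH_PREFIXES = {"www.google.com": ("/amp/",)}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_findings(url: str) -> list:
    """Return the reasons a single link deserves scrutiny (empty list = nothing odd)."""
    findings = []
    parts = urlsplit(url.strip())
    netloc = parts.netloc

    # 1. user:pass@host form. The empty-credential variant ("https://@host" or
    #    "https://:@host") is the one the article says slipped past link filters.
    if "@" in netloc:
        userinfo = netloc.rpartition("@")[0]
        findings.append("empty_credentials" if userinfo.strip(":") == "" else "credentials_in_url")

    host = (parts.hostname or "").lower()
    if host.endswith("."):            # one trailing dot is a legal fully-qualified name
        host = host[:-1]

    # 2. Empty DNS labels (".example.com", "example..com") are never valid hostnames;
    #    a client that tolerates them is the parsing quirk being abused.
    if host and "" in host.split("."):
        findings.append("empty_subdomain_label")

    # 3. Link routed through a trusted domain that forwards to the real destination.
    if (host in FUNNEL_HOSTS or host.endswith(FUNNEL_HOST_SUFFIXES)
            or parts.path.startswith(FUNNEL_PATH_PREFIXES.get(host, ()))):
        findings.append("trusted_domain_funnel")
    return findings


def scan_sms(body: str) -> dict:
    """Map every http(s) link in an SMS body to its findings; clean links are omitted."""
    return {u: f for u in URL_RE.findall(body) if (f := link_findings(u))}
```

A link with no findings is not proof of safety; the function only surfaces the specific formatting tricks named above for a human or a downstream filter to look at.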

Fake apps

Another social engineering trick is convincing people to download an app they think they want but that is actually malicious. McKenty notes that “toys and games that have access to the camera, microphone, or location” are particularly potent versions of these apps.

Because mobile phones have a sandboxed model that isolates application code from the OS, these types of apps used to specifically target “jailbroken” iPhones, which users had modified to install apps that didn’t meet Apple’s standards. But those days are largely behind us, according to Rocky Cole, who spent years at the NSA and is now co-founder and COO of mobile security company iVerify.

“When it comes to mobile phone hacking of iOS, the word ‘jailbreak’ doesn’t have much meaning anymore,” he says. “We haven’t seen a jailbreak associated with an iOS exploit in years. Actual hacks of iOS are sophisticated, and usually the purview of state actors and commercial spyware vendors. For Androids, most ‘hacks’ involve somehow loading a malicious app, either by sneaking it into one of the app stores, convincing the user to sideload it, or somehow getting it to run in a more sophisticated way.”

Pretexting

If the user won’t give up control of their device willingly, an attacker can go over their head to their mobile provider. You might remember the mid-2000s British media scandal in which tabloids used what they called “blagging” techniques to access the mobile voicemail boxes of celebrities and crime victims. This process, also known as pretexting, involves an attacker piecing together enough personal information about their victim to impersonate them in communications with their phone provider and thus gain access to the victim’s account.

The tabloids were just after scoops, but criminals can use the same techniques to do more damage. “If successfully verified, the attacker convinces the phone carrier to transfer the victim’s phone number to a device they possess, in what’s known as a SIM swap,” says Adam Kohnke, information security manager at the Infosec Institute. “Calls, texts, and access codes — like the second-factor authentication codes your bank or financial providers send to your phone via SMS — now go to the attacker and not you.”

Gaining physical access to your phone

One of the most obvious — but overlooked — ways to install malware on someone’s phone is to do it manually, once you gain physical access to their device. This is of particular importance in domestic violence or stalking scenarios, but it is used for corporate espionage as well.

“When someone has physical access to a device, the risk landscape changes significantly,” says Polyguard’s Badiyan. “Tools like FlexiSPY, mSpy, or Xnspy can be installed quickly and run silently, capturing text messages, call logs, GPS location, and even activating microphones or cameras without user awareness. For corporate espionage, malicious configuration profiles (especially on iOS) or sideloaded APKs (on Android) can be deployed to reroute data, manipulate network traffic, or introduce persistent backdoors. There are also hardware-based threats: malicious charging cables, keyloggers, or implanted devices that can exfiltrate data or inject malware. However, these tend to be less common outside of high-value targets.”

Badiyan says that biometric defenses can be bypassed if someone with access to your phone knows your PIN. “If an attacker unlocks your device with your passcode, they can add their own fingerprint or facial scan, creating lasting access without leaving visible traces,” he says. “Mitigation comes down to strong device passcodes, biometric controls, disabling USB accessories when locked, and auditing installed profiles and device management settings regularly.”

They’ve broken in. Now what?

Once an attacker has used one of the techniques above to gain a foothold, what’s their next step?

While smartphone OSes are ultimately derived from Unix-like systems, an attacker who’s managed to force a breach will find themselves in a very different environment from a PC or server, says Callum Duncan, director at Sencode Cybersecurity.

“Most apps interface with the operating system and other applications on what are essentially API calls,” he says. “The kernels for iOS and Android are so vastly different from anything that would resemble their Unix base that shared exploits would be almost impossible. Command lines do exist for both devices but are only accessible by the highest level of privilege for both devices and can usually only be accessed by rooting or jailbreaking the device.”

But just because it’s hard doesn’t mean it’s impossible. “Exploits of that type do exist,” Duncan says. “Privilege escalation would be key to this process and working around in-built safety mechanisms would be hard, but any attacker with the ability to run code on a user’s device is doing just that — running code on a user’s device — so if they’re smart enough they could make that device do whatever they please. State-sponsored groups like the NSO group have built entire business models using these techniques to spy on people for governments and high-profile individuals.”

Caitlin Johanson, director of the Application Security Center of Excellence at Coalfire, says that a surprising amount of sensitive data is accessible to attackers who gain a foothold on a device.

“Data stores such as SQLite get created by installed apps and could contain everything from web request and response content to potentially sensitive information and cookies,” she says. “Common weaknesses observed in both iOS and Android include caching application data within memory (such as authentication credentials), as well as persistence of thumbnails or snapshots of the running application, which could inadvertently store sensitive information to the device. Sensitive information — most often left unencrypted — is found in abundance within browser cookie values, crash files, preference files, and web cache content created in easy-to-read formats stored right on the device.”

“The very tools created for development purposes are what makes it easier for an attacker to extract, interact with, or even modify this kind of data, such as adb on Android or iExplorer or plutil on iOS,” she continues. “Standard utilities can be used for the examination of any database files copied from the device, and if we run into the need to decrypt, there are tools like Frida to run scripts to decrypt stored values.”
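As an added illustration of the kind of examination Johanson describes (not code from the article or from Coalfire), here is a scan that walks every table of a SQLite file copied from a device and flags cells that look like tokens or plaintext credentials. The sample database, its tables and its values are constructed.

```python
import re
import sqlite3

# Heuristics for values that should never sit unencrypted in an app's on-device store.
SECRET_COLUMN = re.compile(r"pass(word)?|token|secret|session|auth|cookie|api[_-]?key", re.I)
JWT_VALUE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")


def classify(column: str, value: str):
    """Label one cell, or return None when it looks harmless."""
    if JWT_VALUE.match(value):
        return "jwt"
    if OPAQUE_VALUE.match(value):
        return "opaque_token"
    if value and SECRET_COLUMN.search(column):
        return "plaintext_in_sensitive_column"
    return None


def scan_sqlite_for_secrets(conn: sqlite3.Connection) -> list:
    """Walk every user table and column; return (table, column, rowid, label) hits."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
                label = classify(column, value) if isinstance(value, str) else None
                if label:
                    hits.append((table, column, rowid, label))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a database copied off a device; every value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cookies (host TEXT, name TEXT, value TEXT);
        CREATE TABLE account (username TEXT, password TEXT, refresh_token TEXT);
        INSERT INTO cookies VALUES ('bank.example', 'sessionid',
            'c2Vzc2lvbi1pZC0wMDAxMjM0NTY3ODkwYWJjZGVm');
        INSERT INTO cookies VALUES ('bank.example', 'lang', 'en');
        INSERT INTO account VALUES ('alice', 'hunter2',
            'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy');
    """)
    return conn
```

To run it against a real file, replace `":memory:"` with the path of the copied database; any hit is a finding for the app's developers, since the fix is to keep such values in the platform keystore rather than in plain SQLite.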

Thick as thieves

None of this is easy. Most users don’t click smishing links or give enhanced privileges to dodgy applications. Even when hackers gain a foothold on a device, they’re often stymied by built-in security measures on the phones they’ve hacked.

But attackers do have one thing in their favor: sheer determination. “Attackers create highly repeatable and automated models that pick and pry at every angle of a mobile app or a new operating system version in hope of finding a weak point,” explains Hank Schless, director of product marketing at Lookout. “Once they find an exploitable weakness, they try to use it to their advantage as quickly as possible before a fix is released.”

Perhaps the biggest vulnerability out there is human complacency: Despite more than a decade of evidence to the contrary, many people assume smartphones are secure, falling into a different bucket from the rest of infosec. “What’s remained pervasive is the idea that somehow phones are not traditional endpoints, and with rare exception, they aren’t incorporated into the body of standards and practices for other devices such as desktops,” says iVerify’s Cole. “We’re past the point where mobile security should be a niche topic or a home-brew solution. They need to be included in any comprehensive endpoint detection and response strategy.”

The original article appeared on CSO Online: “How to hack a phone: 7 common attack methods explained.”