Experts warn all iPhone and Android users: lock your phone immediately

By K. Glad, 2 December 2025

Cyber spies bypass encrypted apps and go after ordinary users

Cyberattacks against mobile phones are becoming more sophisticated and have a much wider reach than before. The advanced spyware Sturnus can bypass encryption in apps like Signal, WhatsApp and Telegram and read the content as if the messages had never been protected.

Meanwhile, the US cybersecurity authority CISA has issued a stark warning that several actors are using commercial spyware against both iPhone and Android users. This does not only apply to journalists, political activists and other classic high-risk groups. The authority emphasizes that private individuals can also be affected because the attackers often target contacts in the victims' networks.

The attacks usually happen without any obvious signs. Spyware can be installed via messages, links or vulnerabilities in the operating system. Once on the phone, it can provide access to text messages, encrypted messages, the microphone and precise location.

"Cyberattacks are constantly evolving and risk affecting far more people than those traditionally targeted," according to CISA.

According to Forbes, the US cybersecurity agency has just updated its guidance with detailed advice for both iPhone and Android, and it emphasizes that users should review and implement the recommendations immediately.

Three steps to make your phone much harder to hack

For iPhone owners, CISA recommends enabling Lockdown Mode, which restricts apps, websites and features to reduce the possibility of attacks. In addition, you should turn off the option to automatically send messages as regular SMS when iMessage is not available and enable iCloud Private Relay to better protect domain name queries.
Both iPhone and Android users should regularly review app permissions and remove camera, microphone and location access where it is not needed.

Android users are also given a number of specific recommendations. CISA points to phones from manufacturers with long-lasting security updates and support for security features in the hardware. Users should only use RCS messaging when end-to-end encryption is enabled and should configure Private DNS for a trusted service. The authority also recommends that Google Play Protect is enabled and that Chrome is set up with secure connections and enhanced protection against malicious websites.

Ditch the private VPN on mobile

The UK security authority NCSC also advises mobile users to use a strong screen lock code, enable "Find My Device" and keep both system and apps consistently updated. Updating is free, often automatic and removes many known vulnerabilities.

However, the most startling recommendation comes from CISA, which states in its updated guidance that people should not use a personal VPN. The agency believes that a private VPN instead shifts the risk from the ISP to the VPN company and can increase the attack surface, especially when the provider has unclear security and privacy policies. CISA makes an exception for corporate VPN clients used to access employer systems.

For ordinary consumers, the agency points instead to a more down-to-earth set of habits such as locking your phone, using a strong passcode, updating systems and apps, and only downloading apps from official stores.