If only Pixel/iPhone are secure, why does the vast majority still not have their money stolen?

Maybe a silly but genuine question. I prioritize security over privacy and, after hours of reading on the topic, can’t figure out what risks I embrace if I have a regular non-EOL phone. All defaults: locked bootloader, stock ROM, not even debloated with Universal Android Debloater, e.g. a budget Samsung.

Why are there no large-scale bank and crypto wallet thefts for such users?
Think about:
  • the population of poor countries.
  • high net-worth individuals without a Pixel/iPhone.

1 Like

Welcome to the forum. The question you asked is worded a bit weirdly, but I will do my best to answer!

Summary:

  • Tech is important, but so is how you use the device.
  • Unsecure means there are known exploits; however, this exploit still has to be delivered to the device somehow (either physical access, or remote exploits, zero-clicks, etc.).
  • There are various levels of skill among threat actors, ranging from no skill at all to very specialized labs. The less secure a device is, the less skill threat actors need to exploit it. For a current example, search “Kia boys”. Kia cars can be started with a USB stick. This became common knowledge and cars all over the country were being stolen. Once people find an easy or profitable exploit, it does become popular in many cases.
  • The crime you mentioned is actually becoming more common. I’ve heard in certain countries phones are being stolen and criminals are bypassing the unlock to hack your online banking. Why isn’t it common everywhere? Trends take time to catch on.

Long answer

Let’s say the person has an unsecure device, and also downloads random files from the web, installs spyware, malware, or ransomware. Now their credentials could be stolen. On a more secure device such as Graphene, maybe the security hardening would prevent the attack, but ideally it’s still not a good idea to be downloading risky random stuff online.

Basically, the devices you listed have more exploits available, but the malicious payload still needs a way to get onto the device.

There is a wide range of skill levels for threat actors. A random street-level criminal (most likely) won’t be able to get into a locked Samsung phone with a password. However, something like Cellebrite could get into a locked Samsung almost instantly. A skilled threat actor would not be able to unlock a properly configured Pixel with Graphene.

Secure devices are more protected against high level attacks. Unsecure devices have known exploits that haven’t been patched.

And to answer “why aren’t people using these exploits to steal cash”: it simply means the current threat actors aren’t at this skill level yet. If you look at areas like car theft, it has gotten very sophisticated over the years, because criminals now know cars that use key fobs are mostly unsecure.

Google “Kia boys”. Good example of how unsecure technology became common knowledge, leading to mass exploitation.

2 Likes

To me it is actually a good question. Here’s my thought:

In short, because usually the phone is not the only (or best) point of entry to cyber criminals’ target.


Your phone has 3 types of value:
a. Value of the device,
b. Information it stores locally (e.g. cold wallet, offline password manager vault, stored NFC tag, etc.), and
c. Access to other resources (e.g. bank account, being an MFA key for some platforms)

There are multiple factors determining how “risky” you are, e.g.:

  1. The security level of the device itself (What ROM is it using? Is it still getting patched? Are there any known and actively exploited vulnerabilities?)
  2. What applications you installed on your device
  3. Your digital hygiene
  4. Whether you keep telling people what you stored on your device (e.g. saying “I have 10 BTC in my phone!”)
  5. Resale value of your device
  6. Where you go / live
    P.S. We are only talking about normal dudes, not journalists, activists, lawyers, businessmen, drug dealers, high-rank officials, whistleblowers, etc.

In a very simplified way, your phone faces two major threats:
i) Physical (Device being stolen)
ii) Digital (Data being accessed / stolen / device being hijacked for use in a botnet)

For threat i), you face higher risk if you go to rough areas, or you own a multi-million device, or you tell and show people the 10 BTC you have in the digital wallet on your phone.

For threat ii), you face higher risk if you use an EOL device, install a bunch of random, dodgy or even pirated apps, or you use the same email you registered for your phone account everywhere and reuse the same password everywhere.

Since you are talking about a large-scale issue, I’d assume your primary concern is threat ii).

And for threat ii), your phone is only one of many attack surfaces. It is in fact much more effective (and rewarding) to attack (breach) a service provider, or to trick people via social engineering / phishing, than to dig through thousands of pieces of compromised hardware. But of course, crypto draining can happen through the client side.

When you build a house to protect (secure) your assets, it’s important to

  • Build with good building materials (secure hardware ← this is where your phone belongs, along with many other things)
  • Have a good building plan
  • Build and maintain your house according to your plan
  • Not to abuse your house
  • KEEP YOUR POSSESSIONS IN YOUR HOUSE
  • KEEP YOUR KEYS SAFE
  • NOT TO ADVERTISE YOUR HOUSE AND YOUR POSSESSIONS

1 Like