The Nigerian Communications Commission has warned Nigerians to take preemptive measures when charging their phones in public as hackers have devised new ways of gaining access to mobile devices plugged into public charging stations.

The cyber security arm of the NCC known as the Nigerian Communications Commission’s Cyber Security Incident Response Team (NCC-CSIRT), said the method is known as ‘Juice Jacking’ and it allows the hackers gain access to the phone’s camera as well as all data being transmitted as text or audio.

The NCC-CSIRT also identified ‘Facebook for Android Friend Acceptance Vulnerability’ as another cyber vulnerability which hackers use to gain access to information of Android phone users.

This was disclosed in a statement titled, ‘NCC-CSIRT Identifies Two Cyber Vulnerabilities,’ signed by the Director, Public Affairs, Dr Ikechukwu Adinde.

“The CSIRT, in its first-ever security advisories less than three months after its creation, has solely identified the two cyber-attacks targeting the consumers and proffer solutions that can help telecom consumers from falling victims to the two cyber vulnerabilities.

“The first is described as Juice Jacking, which can gain access into consumers’ devices when charging mobile phones at public charging stations and it applies to all mobile phones. The other is a Facebook for Android Friend Acceptance Vulnerability, which targets only Android Operating System,” the statement said.

It further explained how Juice Jacking works and how the hackers gain access to the unsuspecting phone users’ devices via the public charging stations made available at public spaces, restaurants, malls and even in the public trains.

“However, an attacker can leverage this courtesy to load a payload in the charging station or on the cables they would leave plugged in at the stations.

“Once unsuspecting persons plug their phones at the charging station or the cable left by the attacker, the payload is automatically downloaded on the victims’ phone. This payload then gives the attacker remote access to the mobile phone, allowing them to monitor data transmitted as text, or audio using the microphone. The attacker can even watch the victim in real time if the victims’ camera is not covered. The attacker is also given full access to the gallery and also to the phone’s Global Positioning System (GPS) location,” the statement explained.

According to the statement, symptoms of attack may include sudden spike in battery consumption, device operating slower than usual, apps taking a long time to load, and when they load they crash frequently and cause abnormal data usage.

The NCC-CSIRT however offered some solutions to this problem, including charging with only USB cables to avoid Universal Serial Bus (USB) data connection; not granting portable devices prompt for USB data connection; and using one’s AC charging adaptor in public space.

“Other preventive measures against Juice Jacking include installing Antivirus and updating them to the latest definitions always; keeping mobile devices up to date with the latest patches; using one’s own power bank; keeping mobile phone off when charging in public places; as well as ensuring use of one’s own charger, if one must charge in public,” the statement read.

With regards to the Facebook for Android Friend Acceptance Vulnerability, the NCC-CSIRT said Facebook on Android devices are vulnerable to a permission issue which gives privilege to anyone with physical access to the android device to accept friend requests without unlocking the phone.

According to the statement, the products affected are versions 329.0.0.29.120 of Android OS.

“The attacker will be able to add the victim as a friend and collect personal information of the victim, such as Email, Date of Birth, Check-ins, Mobile phone number, Address, Pictures and other information that the victim may have shared, which would only be visible to his/her friends.

“However, to be protected from the Facebook-associated vulnerability, NCC-CSIRT in the security advisory recommends to users to disable the feature from their device’s lock screen notification settings,” NCC-CSIRT added.

The NCC-CSIRT was inaugurated in October, 2021 to help deal with issues relating to the security of critical infrastructure in their possession, and periodically assess, review and collate the threat landscape, risks, and opportunities affecting the communications sector, in order to provide advice to relevant stakeholders in those regards.