Cybersecurity  ·  Podcast

The increasing use and expanded functionality of smartphones means that they have become the main gateway for cyber-attacks. The new episode of the podcast ‘Beware of hidden macros’ discusses new authentication systems, such as biometrics solutions, to strengthen the security of these devices.

May 2021. A Moroccan newspaper publishes an article reproducing some of the WhatsApp conversations that journalist Ignacio Cembrero had conducted with Spanish authorities. It is something that "grabbed my attention straight away and I came to the conclusion that they had read or had access to my WhatsApp messages" explains the editor specialized in the Maghreb in 'A spy in your pocket', the new episode of the podcast 'Cuidado con las macros ocultas'. After that first suspicion, two months later, Cembrero receives a call from the international research group Forbidden Stories confirming that his phone is among the 50,000 numbers hacked by Pegasus, a spyware developed by the Israeli company NSO and purchased by governments and state security forces to remotely infiltrate mobile devices. It is the same spyware that was the protagonist of the recent cyber espionage scandal which would have infected the cell phones of the Spanish Prime Minister and the Minister of Defense and more than 60 Catalan and Basque pro-independence leaders.

«They had access to everything I had on my cell phone, from WhatsApp conversations and email, which is what most interested them, to all the private sections of photos and phonebook»

Ignacio Cembrero, journalist

Since then, and following the advice of experts, Ignacio Cembrero has changed his cell phone and computer. Furthermore, he has protected them with different tools and has initiated a legal battle to identify those responsible for the espionage of which he has been a victim. Like him, heads of state, activists and other reporters have suffered this type of cyber-attacks. Even one of the richest people in the world, Amazon owner Jeff Bezos, has been the target of hacking allegedly also through spyware. These stories are an example of how mobile devices have become the main entry point for cyber threats.

Nearly half of all attacks come in via cell phone, according to Hiscox

First entry point for a cyberattack

Company-owned server


Corporate Cloud Server


Corporate website


Employee error


Company mobile device


Employee mobile device


Supplier asset


Internet of things owned by the company


Source: Hiscox 2021

90% of enterprises are addressing an IT strategy shift where cybersecurity is one of the top three investment priorities for the current year of 2022, according to an IDC report.

Are companies protecting mobile devices sufficiently?

There are two types of threats with the cell phone as an entry point, as highlighted by Hispasec CEO Fernando Ramirez in the Cuatroochenta podcast. One is those that aim to steal information and the other are those that focus on a person's importance or money. And although not all people will be targeted by spy malware such as Pegasus, Ramírez stresses, there are other more widespread threats, such as a banking Trojan that would like to get hold of the double authentication factor.

«All the information we host on our mobile, from personal information to health or even access information to other platforms, such as the bank, is susceptible to being stolen through manipulation or a malicious virus.»

Fernando Ramírez, CEO of Hispasecec

Ramírez feels that, large companies, which have been investing in cybersecurity for some time, do take mobile security into account, but there are other, smaller companies that are not as advanced and have put it on the back-burner. Although there is an increasing number of tools and controls to keep mobile devices safe, Ramírez reminds us that the first line of defense for any organization should be the security perimeter, since it is the gateway to cybercriminals. But what is that perimeter? Everything exposed, he points out, from public IPs to domains to email addresses.

«The user’s first response should be not to trust any technology, an attitude also known as 'Zero Trust’ “. This basically assumes that we are going to be breached and that there is going to be a malware inside our mobile capturing our information or visualizing what we have stored and, in that case, we take action about it.»

Ángel López, CEO of Sofistic