
Beware the Balaclava Bandits: What to do about mobile phone-grab crime

Paul Ducklin
11/14/2024

If your mobile phone is worth $1000, it’s a really big deal to lose it or have it stolen.

But if your phone is stolen while it’s unlocked, you could end up worrying about way more than $1000.

Here’s what you can do.

The balaclava bandits

You’ve probably seen the videos on social media.

Some of them show the crime scene with the oblique perspective of a street surveillance camera.

Others are apparently shot from the hip – not literally, of course, but extracted after the incident from the dashcam of a passing driver or cyclist.

The perpetrators of this crime are often on bicycles themselves, albeit not in a legal sense.

The velocipedes of choice for these balaclava-clad bandits are legally no such thing, being either illegally-modified e-bikes with their electronic regulators bypassed or removed, or unassuming but unregistered electric motorcycles with no tags that can swiftly and smoothly outwit almost any other vehicle in an urban situation.

Well, almost any other vehicle:

The MO is surprisingly simple: these highway robbers glide around apparently innocently until they spot a pedestrian who is glued to their phone, or someone sitting down in a roadside spot who is focused on their phone and not their surroundings.

One moment you could be staring at a live mapping app trying to find your way to your next meeting from the bus stop, the train station, or the car park…

…and the next thing you know, you’re standing there empty-handed as one of these modern-day snatch-and-run criminals swoops past you at close range and grabs your phone.

They immediately weave into invisibility through the traffic ahead, or zoom off into an alleyway or car-unfriendly side street that they have scoped out in advance for their getaway.

It’s not about your phone

The most worrying thing about this crime, aside from the fact that it’s an outright robbery and not just sneak thievery from an unattended bag or backpack, is that these criminals don’t just make off with your phone, which might set you back anywhere from $400 to $1000 to replace.

They get away clean and clear with your phone while it’s unlocked and in active use.

Even if you’ve set an aggressively short time before the phone locks automatically, these crooks aren’t going to let your phone lock up on them if they can possibly help it.

They can keep your phone active as they’re riding away by tapping on the screen with one hand as they steer with the other.

And, on their nimble getaway vehicles, they are hoping to reach an out-of-the-way spot with enough time left to dive into the relevant settings in the phone to reconfigure it to buy themselves yet more time.

They’re probably not planning to hold onto your phone for long.

Firstly, the sooner they pass it along the crime chain, the safer they are against getting caught in possession of stolen property.

Secondly, the sooner they can get the phone into the hands of an expert in “phone draining”, the sooner they can ride back into the urban jungle to prey on their next grab-and-go victim.

Simply put, the primary interest of these criminal gangs generally doesn’t seem to be in the phone hardware they get their hands on.

A stolen phone can be difficult to sell on these days, especially if the criminals aren’t able to register themselves as the official owners before it gets reported and blocked by the legitimate owner or by the networks in the region.

Their immediate interest is the apps and data on the phone, given that it was unlocked when they grabbed it.

They’re betting that their victims are unlikely to have a backup device handy that they can use within a minute or two to lock the stolen phone remotely.

Their criminal plan is therefore to start draining the stolen device, and the online services it gives them access to, as soon and as comprehensively as they can.

What’s at risk?

The average user’s unlocked phone may very well give practiced criminals access to more money (perhaps much more), directly and indirectly, than the price they could get for the phone even if they were able to sell it second-hand entirely legitimately.

That’s because a phone and the apps available on it will inevitably include some, many, or all of the following:

  • Settings and configuration menus, both for the device itself and the apps. The first thing the robbers are likely to do is to increase the lock time, or to turn it off altogether if that option is available. Then they will try to turn off as many security-centric settings as they can, and even to reset the device password and ownership to take it over entirely.
  • Email and calendar. For some users, this may include both work and personal accounts, neatly separated for the criminals. Given that email accounts are often the mechanism for password resets on other accounts, the criminals are likely to try to take over this account first.
  • Browsing history. This may include “remember me” cookies that leave users logged in to some sites, including shopping sites where they have saved payment card details, or government portals that give away data that can be sold on to identity thieves.
  • Photos and videos. This could include not only personal or intimate images, but also snapshots of payment cards, ID documents, and QR codes used to set up multi-factor authentication (MFA) apps.
  • Online banking, perhaps even including access to the Add a New Payee function.
  • Phone call logs, voicemails, and text messages. Combined with other data available on the device, this could enable the criminals to pass identity checks even with businesses that insist on one-to-one calls to ‘know’ their customers.
  • Instant messaging apps, including access to closed groups of trusted friends and family, and to private chat logs.
  • Social media apps, including the ability to post both publicly to the world and privately to trusted contacts.
  • Cloud-based games, possibly including access to in-game purchases or in-game inventory transfers.
  • Fitness apps, perhaps including detailed location history and a diary of the victim’s activities and lifestyle.
  • App store access, with the ability to choose and install new apps (possibly even off-market apps on Android devices), to make in-app purchases, and to agree to subscription terms.
  • MFA codes, either by viewing incoming text messages, opening authenticator apps, or accessing virtual passkeys stored on the device.
  • Password managers, making it easy for a “phone draining” criminal to use a laptop alongside the stolen phone to get into online accounts that are browser-based rather than app-based.
  • Cloud backup access. On an iPhone, for example, a criminal who can take over the victim’s Apple and iCloud accounts could not only steal backed-up data that is no longer stored on the device itself, but also establish themselves as its apparent official owner.
  • Notes, private voice memos, and the like. Many of us have numerous files of transient data that we saved for later ‘just in case’, but never got round to deleting.

Note that if your phone gets plundered while it’s unlocked, access to the sort of data listed above doesn’t just put you, your identity, and your finances at risk, but puts your family and friends in harm’s way, too.

The criminals can now contact them and talk to them – for example, to pitch rogue cryptocoin investments or to beg for emergency financial help – in such a way that they may indeed be convinced it’s you at the other end of the conversation.

What to do?

The best precaution, and almost certainly the most effective protection, against having your phone snatched while you are walking…

…is also one of the simplest: Don’t walk with your phone unlocked at all.

Lock it and put it away out of sight when you’re on foot; only get it out and use it where you have a reasonable chance of spotting a snatch-and-run attempt before it actually happens.

Although this won’t eliminate the risk of losing your phone or having it stolen by thieves of a more surreptitious sort, it will greatly reduce the risk of crooks getting full control over it while it’s unlocked.

It will also make you more aware (or, to judge by some phone-distracted walkers, aware in any sense at all) of your surroundings, and therefore much less likely to step in front of a moving vehicle or to walk head-first into a road sign or light pole.

Of course, it’s not always convenient or practical to do this, for instance if you’re following a live online mapping app in an unfamiliar area.

In cases like this, there are things you can do to limit your exposure if you get robbed, but they are annoyingly different between Android and iOS devices, and may not protect your device quite as comprehensively as you might expect.

Nevertheless, they’re worth knowing about:

  • On iPhones, the Guided Access accessibility feature can help. It’s fiddly to set up and use, but once activated can keep you locked into a single app until you put in a special 6-digit passcode. If you get the passcode wrong, the phone will prevent you from trying to escape the app again for 10 seconds, then 60 seconds, then three minutes, and so on. A criminal faced with this situation would have little choice but to force-restart the phone, at which point they’d need the phone’s full lock code to get back in.

  • On Android, the App Pinning feature can help. This is very slightly easier to use than Apple’s Guided Access, but the ultimate result is similar. If activated, and configured to require unlocking to escape, you can ‘Pin’ an app while you are using it; if you unpin it, you land back at the phone’s lock screen. Unlike Apple’s version, you can’t set a different passcode for App Pinning: whichever unlocking process you have chosen for the phone itself is the one you will need to follow.

  • On Android, you can create a Guest user account and switch to it. The account settings, lock code, and data files of the Guest are entirely independent of your main account. A robber who snatches your phone while you are switched to Guest will only be able to use that account and the files associated with it. (Debugging mode, which is much more powerful and dangerous on Android than on Apple devices, and can be exploited to copy files off the phone, cannot be turned on by a Guest user.)

Further tips for phone safety

Here are some additional phone-based data protection tips to help you improve your security more generally, including against phone-grab criminals:

  • Log out from apps and websites when you are finished. This is admittedly inconvenient on a phone, because you will need to log back in via the fiddly phone keyboard next time you want to use the app. It also doesn’t stop attackers from trying to reset your account passwords if they already have access to your email account and MFA codes. But it does make it harder for criminals, and it also protects you from forgetting you are logged in and posting or interacting with an account by mistake.
  • Make use of additional security-locking features in phone apps. Both Google Android and Apple iOS allow you to lock away some or all of your photos, for example, so you need to put in your lock code before you can view them. Google’s protection is called Locked Folder; Apple’s goes by Hidden Album. Some apps, especially banking apps, allow you to set a PIN that you need to enter before the app will load at all, which provides additional protection against phone-snatchers getting into your high-value apps.
  • Set the very shortest automatic lock time you can tolerate. Avoid anything longer than 2 minutes. Even if you find it annoying at first, you will soon get used to it.
  • Set a SIM PIN if you still have a physical SIM card. Even if your phone is locked or unbootable, a criminal who extracts a SIM card with no PIN and puts it into a new device will immediately begin to receive your text messages, possibly including MFA codes. A SIM PIN only needs to be typed in when you restart your phone, so unlocking it is a very minor inconvenience.
  • Make a plan for your immediate response if your phone is lost or stolen. You might not have time to carry out all the steps if your phone does get grabbed, but if you have a well-thought-out plan (perhaps even written out in bullet points on an index card that you carry with you!), then at least you have a fighting chance of reacting quickly enough to beat the crooks at their “phone draining” game.
  • Tidy up from time to time. Remove apps and data that you don’t need, or use only occasionally.

Be aware of your surroundings every time you use your phone or laptop: If in doubt, don’t get it out.


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!

More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
