As mobile devices have become a central part of our daily lives, cybercriminals have consistently sought new ways to exploit them. One of the latest — and most insidious — attack methods is choicejacking.
What Is Choicejacking?
Choicejacking is a sophisticated cyberattack targeting mobile devices, particularly when they are charged using unfamiliar USB ports or charging stations. Unlike the older and more widely known “juice jacking” threat — which simply sought to steal data or inject malware by exploiting a direct connection — choicejacking goes a step further by manipulating your device’s user interface. In this scenario, a malicious charging station or USB port can simulate user approval, tricking your phone into enabling data transfer mode without your real consent.
How Does Choicejacking Work?
- Attackers create malicious USB chargers or ports capable of emulating input devices such as keyboards, or running software that can simulate taps and keystrokes.
- When a user connects their device, the compromised station actively responds to prompts — such as selecting “data transfer” instead of “charge only” — by generating fake input events before the user can react.
- These attacks typically take advantage of timing glitches or race conditions in mobile operating system firmware, allowing the attack to succeed invisibly.
- Once unauthorized data transfer is enabled, attackers may exfiltrate contacts, photos, and documents, or even install malware.
Juicejacking vs. Choicejacking
While both juicejacking and choicejacking exploit USB connections, choicejacking is considerably more advanced:
| Juicejacking | Choicejacking | |
|---|---|---|
| Attack Method | Passive malware/data exfiltration | Active manipulation of UI to fake user permission |
| User Action | None required (if auto-connect enabled) | Simulates user choice, bypasses genuine user consent |
| Detectability | Often unnoticed until after infection | Nearly invisible; user interface appears normal, but actions are forged |
| Affected Devices | Primarily Android, some iOS | Both Android and iOS, depending on firmware and OS version |
Steps to Protect Your Mobile Devices from Choicejacking
Proactively defending your devices from choicejacking – and similar threats – requires a combination of technical diligence and smart behaviors. Here are practical steps to stay secure:
- Keep Your Operating System Up to Date
Major vendors have released patches that counteract choicejacking. Apple (iOS/iPadOS 18.4) and Google (Android 15) now require biometric or password authentication before enabling data transfers. Check your phone’s software version and update promptly. Note: Some devices, particularly with third-party firmware (e.g., Samsung One UI 7), may still be partially vulnerable. - Avoid Public Charging Stations
Do not connect your device to random USB charging ports in airports, hotels, or cafés. These are prime targets for attackers. - Use a USB Data Blocker (USB Condom)
A USB blocker is a small adapter that plugs between your cable and the public port. It allows only power to flow, physically disabling the data pins and preventing any data exchange. - Carry Charge-Only Cables
These special cables lack the wiring needed for data transfer. Their use ensures only power, not data, is delivered during charging. - Be Vigilant to Prompts and Device Behavior
When connecting your phone, ensure that the expected “Charge only” vs. “Transfer data” prompt appears. If it does not, or your device initiates data transfer on its own, disconnect immediately. - Keep Your Device Locked
Most modern devices prevent unauthorized actions when locked. Ensure your phone stays locked while charging in public places. - If in Doubt, Don’t Plug In
If you’re unsure of a charging source, it’s safer to let your device battery run low or seek a trustworthy wall charger rather than risk compromise.