The ChoiceJacking attack: stealing smartphone photos and data while charging via USB | Kaspersky official blog

Can your photos and other data be downloaded or erased from your smartphone while it’s charging from a public charging port — on public transport, in a clinic, at the airport, and so on? Despite manufacturers’ safety measures, it’s sometimes possible.

Hackers first came up with such attacks way back in 2011: if an innocent-looking USB charging port doesn’t just supply electricity but contains a hidden computer, it can connect to your smartphone in data-transfer mode using the Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) and extract data from the device. This attack became known as juice-jacking, and both Google and Apple quickly came up with a safeguard: when a smartphone is connected to a device supporting MTP/PTP, it asks the user whether to allow data transfer or just charge. For many years, this simple precaution seemed to solve the problem… until 2025 — when researchers from Graz University of Technology in Styria, Austria, discovered a way to bypass it.

ChoiceJacking attack

In the new attacks — dubbed ChoiceJacking attacks — a malicious device disguised as a charging station confirms on its own that the victim supposedly wants to connect in data-transfer mode. Depending on the manufacturer and OS version, there are three variants of the attack. Each variant finds a different way to bypass a certain limitation in the USB protocol: a device cannot operate in both host mode (as a computer) and peripheral mode (e.g., as a mouse or keyboard) at the same time.

The first method is the most complex but works on both iOS and Android. A microcomputer is disguised as a charging station. This microcomputer can connect to a smartphone as a USB keyboard, USB host (computer), and Bluetooth keyboard.

When the smartphone is plugged in, the malicious station emulates a USB keyboard and sends commands to turn on Bluetooth and connect to a Bluetooth device — the very same malicious computer, now impersonating a Bluetooth keyboard. After that, the system reconnects via USB, now posing as a computer. The smartphone asks the user whether to allow data transfer — and the malicious device confirms the request via a Bluetooth “keystroke”.

The second method only works on Android and doesn’t require Bluetooth. The malicious charger pretends to be a USB keyboard and floods the smartphone with keystrokes — overwhelming the input buffer. While the OS is busy processing this meaningless input, the charger disconnects and reconnects — this time as a computer. A prompt appears on screen asking which mode to connect in, and right at that moment the tail end of the keyboard input buffer plays out, containing a keystroke sequence that confirms connection in data-transfer mode (MTP, PTP, or even ADB debug mode).

The third method — also Android-only — exploits the fact that all tested smartphones incorrectly implement the Android Open Access Protocol (AOAP). The malicious device connects as a computer right away, and when the confirmation screen appears, it sends the necessary keystroke events through AOAP. According to the protocol, simultaneous operation in both USB-host and AOAP modes is prohibited — but in practice, this restriction is often ignored.
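Seen from the phone's side, all three variants end the same way: the data-transfer prompt is confirmed by an input source other than the touchscreen. The sketch below is an added example, not code from the researchers or from this blog, and it runs that check over constructed charging sessions. The event schema, field names and time threshold are assumptions made for illustration and match no real Android or iOS log format.

```python
from dataclasses import dataclass

# Constructed event schema (an assumption, not a real Android/iOS log format).
@dataclass
class Event:
    t: float          # seconds since the cable was attached
    kind: str         # "usb_role" | "bt_pair" | "prompt" | "confirm"
    detail: str = ""  # role name, or the input source that confirmed
ROLE_FLIP_WINDOW = 15.0  # illustrative threshold, seconds

def analyze(events):
    """Return findings for one charging session, in the order detected."""
    findings = []
    keyboard_at = None   # when the port last presented itself as a USB keyboard
    bt_paired = False    # Bluetooth pairing began after that keyboard attached
    prompt_open = False
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "usb_role" and e.detail == "keyboard":
            keyboard_at = e.t
        elif e.kind == "usb_role" and e.detail == "computer":
            # A charger has no reason to be a keyboard first and a computer next.
            if keyboard_at is not None and e.t - keyboard_at <= ROLE_FLIP_WINDOW:
                findings.append("role-flip: keyboard then computer on one port")
        elif e.kind == "bt_pair" and keyboard_at is not None:
            bt_paired = True
        elif e.kind == "prompt":
            prompt_open = True
        elif e.kind == "confirm" and prompt_open:
            prompt_open = False
            if e.detail == "touchscreen":
                continue  # the user answered on the device itself
            if e.detail == "bt_keyboard" and bt_paired:
                findings.append("prompt confirmed by Bluetooth keyboard paired over USB")
            elif e.detail == "aoap":
                findings.append("prompt confirmed by AOAP input from the USB host")
            else:
                findings.append(f"prompt confirmed by external input: {e.detail}")
    return findings

# Constructed sessions, one per variant described above, plus a benign one.
VARIANT_1 = [Event(0, "usb_role", "keyboard"), Event(2, "bt_pair"),
             Event(5, "usb_role", "computer"), Event(6, "prompt"),
             Event(6.5, "confirm", "bt_keyboard")]
VARIANT_2 = [Event(0, "usb_role", "keyboard"), Event(3, "usb_role", "computer"),
             Event(3.2, "prompt"), Event(3.4, "confirm", "usb_keyboard")]
VARIANT_3 = [Event(0, "usb_role", "computer"), Event(1, "prompt"),
             Event(1.5, "confirm", "aoap")]
BENIGN = [Event(0, "usb_role", "computer"), Event(1, "prompt"),
          Event(4, "confirm", "touchscreen")]
```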

Which devices are protected from USB ChoiceJacking?

Both Apple and Google blocked these attack methods in iOS/iPadOS 18.4 and Android 15, respectively. Now, in order to confirm USB data transfer, it’s not enough to simply press Yes — you need to pass biometric authentication or enter a password. Unfortunately, on Android, the OS version alone doesn’t guarantee your smartphone’s safety. For example, Samsung devices running the One UI 7 shell don’t request authentication — even after updating to Android 15.

That’s why Android users who have updated to Android 15 are advised to connect their smartphone to a known safe computer via a cable and check whether a password or biometric confirmation is required. If not — avoid public charging stations.

How serious is this, and how to protect yourself?

While law enforcement agencies have occasionally warned about USB data-theft attacks (1, 2), no real-world attacks have ever been publicly documented. This doesn’t mean they’ve never occurred, but it clearly isn’t a widespread threat.

If you’re concerned about such attacks, you should only charge your devices using your own trusted charger or power bank, or use a USB data blocker — an adapter that allows only power to flow through the cable while preventing data transmission. These adapters, also called “USB Condoms”, are quite effective, but can slow down charging on newer smartphones since they also block the data signals required for Quick Charge mode. Alternatively, you could use a cheap charge-only USB cable (which can’t transmit data), but you should test it first with a trusted computer to ensure no data-transfer prompt appears on the screen; then you’ll need to carry it around with you everywhere — and keep in mind that it also rules out Quick Charge.

The most crucial and widely available protection is updating to the latest versions of Android or iOS.

If you ever find yourself in a bind — with an outdated OS, no blocker, and an urgent need to use the nearest USB charger — just remain vigilant while charging. When you connect the phone, watch the screen: if it doesn’t just start charging but prompts you to choose the connection type, select Charging only. If you’re really worried about your data, it’s better to unplug and look for a less “smart” port.
