New Choicejacking Attack Steals Data from Phones via Public Chargers

If you thought using a public phone charger was safe, it’s time to think again. Despite years of updates aimed at protecting smartphones from “juice jacking” attacks, cybersecurity researchers have identified a new threat that sidesteps those very safeguards.

A new study now outlines how attackers are now using a method called Choicejacking to exploit smartphones into granting unauthorised access, often without the user realising anything happened.

Juice jacking first made headlines over a decade ago, when hackers used infected charging stations to either steal data or inject malware into connected phones. In response, smartphone operating systems began requiring users to approve any data transfer when a device is plugged into an unknown port. That change gave users the option to choose “charge only” or allow file access.

But researchers from Graz University of Technology in Austria have found a way (PDF) to sidestep those security prompts altogether. The technique tricks phones into thinking the user has allowed data transfer, even when they haven’t touched the screen.

Instead of relying on traditional malware, this attack spoofs USB or Bluetooth input devices to fake user actions. A malicious charging station could simulate keyboard inputs, overflow input buffers, or abuse device communication protocols to quietly switch your phone into data-transfer or debug mode.

The entire process takes less than 133 milliseconds. That’s faster than you can blink, meaning the phone reacts before you even have a chance to notice.

Adrianus Warmenhoven, a cybersecurity advisor at NordVPN, said the danger lies in the illusion of control. “Choicejacking is particularly dangerous because it manipulates a device into making decisions users never intended, all without them realising it,” he explained.

Once access is granted, the attacker can quietly browse photos, read messages, or plant malicious software.

The rise of choicejacking reinforces what cybersecurity experts have said for years: public USB ports should not be trusted. Even at airports, hotels, or cafés, a compromised charger could be waiting to hijack your device.

Warmenhoven adds, “With a single deceptive prompt, attackers can trick people into enabling data transfer, potentially exposing personal files and other sensitive data.”

That warning applies to both Android and iOS users. While some platforms offer more visible prompts or charge-only settings, the underlying vulnerabilities still exist, and attackers are always looking for ways to get around them.

While the Choicejacking technique was detailed in a research paper, it has been accepted for presentation at the 34th USENIX Security Symposium, taking place in August 2025.

Nevertheless, researchers suggest keeping your phone’s software updated and avoiding unfamiliar charging ports whenever you can. It also helps to be prepared. Carrying a portable power bank is one of the easiest ways to stay in control while you’re out. If you do need to plug in, try to use a wall outlet with your own cable and adapter instead of a public USB port, especially ones that look suspicious or overly complicated.

Some devices let you select “charge only” mode, which prevents any data from being transferred. Turn that on if it’s available. While attackers keep finding new tricks, staying cautious and informed can still keep you a step ahead.