Elyse Betters Picaro (with graphic elements from Ameythyststudio, Aleriimingirov, and Romansa design art via Canva) / ZDNETGiving your phone some extra juice via a public charging station is always a handy option, but it may not be a safe one. As described in a new report from NordVPN, cybercriminals can now turn to a trick called choicejacking, in which they’re able to transfer data from your phone to a device disguised as a charger.What is choicejacking?With this new method, a malicious device that looks like an innocent charging station or port manipulates different functions on your phone. In doing so, your phone is tricked into connecting to the device via data transfer mode without your input or permission. Once that connection is made, the criminal’s device can access and steal your photos, documents, contacts, and other personal files. Also: 7 ways to lock down your phone’s security – before it’s too late”Choicejacking is particularly dangerous because it manipulates a device into making decisions users never intended — all without them realizing it,” Adrianus Warmenhoven, a cybersecurity advisor at NordVPN, said in the report. “Whether it’s granting access to data or downloading malware, these attacks exploit the trust we place in everyday interactions with our smartphones.” Advanced upgrade to juicejackingChoicejacking is actually a more advanced upgrade to the older practice of juicejacking. With juicejacking, hackers install software on charging stations at airports and other public spots that can then automatically scoop up data from your connected phone. In certain cases, your phone may lock down, preventing you from stopping the transfer before it’s too late. Also: Traveling this summer? Consider this before using airport Wi-Fi and charging portsJuicejacking first popped up way back in 2011. But in a win for the good guys, mobile OS developers cooked up a way to stop this threat. Let’s say a smartphone connects to a charging station. If the station indicates that it supports Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) for data transfers, that means it’s likely a hacker’s device impersonating a charging station. In that case, the user is asked whether they want to allow a data transfer or just charge the phone. But in the latest twist, researchers from Graz University of Technology in Austria found a way to bypass the OS-level protections against juicejacking. Malicious devices can now impersonate USB or Bluetooth input devices to enable a data transfer mode. Affecting Android and sometimes iOS devices, this tactic can use such technical methods as keystroke injection, input buffer overflows, and protocol abuse to complete a data transfer in as few as 133 milliseconds. Also: The best power banks you can buy in 2025: Expert tested and reviewed”Choicejacking represents a dangerous evolution in public charging threats,” Warmenhoven added. “With a single deceptive prompt, attackers can trick people into enabling data transfer, potentially exposing personal files and other sensitive data. Public USB ports should never be treated as safe, and awareness is the first line of defense.” More