CheckPoint’s 2020 Mid-Year Report stated that mobile cyber attacks are on the rise, tying with botnet attacks as the second-largest attack category worldwide. As mobile device traffic has exploded over the past few years (representing 53% of global internet traffic) along with corporate BYOD policies (present at 69% of organizations), and the transition to remote work continues to blur lines between personal and corporate devices (67% of employees use personal devices at work), this attack vector has grown in popularity and interest among attackers.
In this blog we’ll look at three main types of mobile device attacks: mobile phishing, malicious applications, and exploits that take advantage of built-in device vulnerabilities.
Lookout’s 2020 Mobile Phishing Spotlight Report stated that mobile phishing increased 37% between Q4 2019 and Q1 2020. The recent Twitter attack, which compromised the accounts of 130 high-profile users and was analyzed by my colleague Darren Thompson in this blog post, was instigated by a mobile spear phishing attack. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about vishing (voice phishing) attacks targeting employees’ cell phones. Increased employee training can help staff spot techniques like URL padding, which takes advantage of small screens to pad malicious domains by inserting hyphens; tiny URLs, or shortened URLs used in smishing (SMS phishing) attacks; screen overlays, where a malicious app page appears on top of a trusted app; and over-the-air (OTA) provisioning spoofs, where attackers send text messages with embedded links pretending to be system update notifications.
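A minimal detector for two of the techniques named above, URL padding and shortened URLs, as an added example (not code from the original post or from any vendor it cites). The trusted-domain and shortener lists, the function names and the sample URLs are constructed for illustration, and the two-label registrable-domain rule is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed lists for the example; a deployment would load maintained ones.
TRUSTED_DOMAINS = {"example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
HYPHEN_RUN = re.compile(r"-{3,}")  # three or more consecutive hyphens


def registrable_domain(host):
    """Last two labels. Assumption: no multi-part suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def visible_prefix(host, width=24):
    """What a narrow address bar that truncates on the right would show."""
    return host if len(host) <= width else host[:width] + "..."


def classify_url(url):
    """Return the set of phishing indicators found in the URL's hostname."""
    host = (urlsplit(url).hostname or "").lower()
    flags = set()
    if host in SHORTENER_HOSTS:
        flags.add("shortened-url")  # destination is hidden until expanded
    if HYPHEN_RUN.search(host):
        flags.add("hyphen-padding")
    real = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name appears in the host, but the host is not under it.
        if trusted in host and real != trusted:
            flags.add("trusted-name-in-foreign-host")
    return flags


SAMPLES = [  # constructed URLs using reserved example/test names
    "https://login.example.com/account",
    "https://login.example.com----------secure-verify.attacker.test/a",
    "https://bit.ly/3abcXYZ",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host = urlsplit(url).hostname
        print(visible_prefix(host), sorted(classify_url(url)), sep="  ->  ")
```

The second sample shows why padding works on a phone: the truncated view ends inside the hyphen run, so the real domain at the right-hand end never appears on screen.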
Recent months have seen an increase in the number of malicious applications in the official Google Play store, with as much as 7% of all apps containing hidden backdoors. Recent mobile malware strains, including banking malware such as Black Rock, spyware such as Joker, and disruptive adware such as ChartreuseBlur, primarily target Android users, but iOS users should also be aware of their exposure to malware. Last year’s WhatsApp spyware attack infected 1,400 iOS and Android users, including government and human rights organizations dependent on covert channels of communication. In an effort to increase iPhone security, Apple recently released a dedicated Security Research Device (SRD) for researchers to identify vulnerabilities and attack vectors. In April, researchers reported a Cerberus malware variant, aimed at stealing credentials and data, that was spread by a company’s mobile device management (MDM) server and infected 75% of employee devices.
The number of Android OS flaws increased 50% from 2019 to 2020, according to Skybox. Two notable flaws this year are the critical flaw uncovered in Android’s Bluetooth implementation, which enables remote code execution without user interaction, and the Snapdragon flaw in Qualcomm chips, which puts 1 billion Android users at risk of data theft. On August 5th, the NSA issued a warning regarding location data leaking from smartphones via several channels, including Bluetooth, WiFi, location services, advertisements, and apps. The variety of attacks enabled by built-in vulnerabilities underscores the importance of vulnerability and patch management for mobile devices.
In general, mobile devices should be given the same level of protection as traditional endpoint computers and workstations. Understanding this attack vector and related cyber risk scenarios, including those involving mobile malware and phishing attacks, via products like CyberCube’s Portfolio Manager, can help insurers break down the aggregation impacts and risk levels facing companies today.