The last few years have changed the modern workforce in ways we could only have imagined a decade ago. Distributed and hybrid workforces, ever-connected devices, high speed 5G connectivity, and increased access to critical data from remote locations have meant enterprises are now spread worldwide.
Traditionally, the focal points for IT and security teams were primarily on internal infrastructure to support employees. However, the exponential increase in working from home meant that previous off-site services like VPNs were no longer sufficient alone to handle the influx of communications back to the business. Thus, security organisations have begun to invest in advanced security controls.
Enterprises began investing in cloud-based services and applications, moving data from on-site storage servers to scalable solutions across the globe. Consequently, the COVID-19 pandemic acted as a catalyst for this transition. This is because flexibility, scalability, and accessibility were now primary and crucial requirements.
Unfortunately, due to the fast pace of workplace evolution, many organisations were forced to sacrifice security controls in order to maintain productivity and business continuity. Thus, now more than ever, both managed and unmanaged devices are connecting to corporate data through unknown and unmanaged networks, this of course raises the relevant security concerns. Therefore, security teams must approach every endpoint with a new mindset. The main emphasis should be on visibility into all devices that are connected to corporate systems. Otherwise, the threats and risks introduced every day through devices will be unobservable. Ultimately, traditional mobile device toolsets need to evolve in order to address the significant security challenges that mobile devices introduce.
66% of organisations have active BYOD programs in place, with 11% looking to implement the policy over the next year
Moreover, as critical data systems are introduced to more applications, the enterprise attack surface grows with each new application. This means that new risks will move beyond the mobile device itself. These applications of course have their merits, although, each of these applications introduces unique sets of risks to an environment, from misconfigured code and exposed APIs to leaky cloud connections uncovering customer data. Thus, it is important to stress the need for improved security controls to be put into place to provide secure access to enterprises from all endpoints.
The business of cybercrime is growing year over year, with the cost of a data breach in 2021 increasing from $3.86 million to $4.24 million.
2021 Highlights
Research has uncovered that data and news coverage of mobile threats increased in 2021. There was a particular focus on iOS and Android attack vectors. In 2021, the Zimperium zLabs team discovered numerous threats impacting over 10 million devices in at least 214 countries.
Here are a few of the most notable discoveries:
Grifthorse
- An active Android Trojan attack that is believed to have been active since November 2020.
- Distributed through Google Play and third-party application stores.
- A very versatile attack that targeted mobile users in more than 70 countries. This campaign could change the language and content displayed based on the user’s IP address.
- Between November and September 2021, it infected over 10 million devices.
- Google removed the malicious applications after being reported by the Zimperium team.
PhoneSpy
- This spyware infected thousands of victims’ devices. The main aim of these malicious Android apps was to constantly spy on their victims.
- They run in the background ensuring that they do not raise suspicion.
- The actors have gathered significant amounts of personal and corporate information on their victims.
- After public disclosure, the campaign was deactivated, and the command-and-control server was taken down. Thus, infected devices were no longer in the control of attackers.
FlyTrap
- This campaign has been running since March 2021, these malicious applications were distributed through both Google Play and third-party application stores.
- The actors take advantage of users’ misconceptions that logging into the right domain is always secure.
- The targeted domains are social media platforms, and it has been effective in harvesting data of users from 144 countries.
- Actors were able to boost the popularity of specific pages, sites, and products to spread misinformation or political propaganda.
- Once reported by Zimperium, Google removed the malicious applications.
Android System Update
- The system update app was identified using the Zimperium z9 malware engine.
- Investigations determined the app to be a sophisticated spyware campaign with complex capabilities.
- This application posed a threat by functioning as a Remote Access Trojan (RAT). The application receives and executes demands to collect and exfiltrate a wide range of data and perform a wide scale of malicious actions.
- Once in control hackers can record audio, phone calls, take photos, review browser history, access WhatsApp and more.
Unsecured & Misconfigured Cloud Storage
- Zimperium‘s analysis found that 14% of iOS and Android apps distributed globally had several significant configuration issues.
- These apps used cloud storage with unsecured configurations.
- The misconfiguration issues exposed personally identifiable information (PII), enabled fraud and exposed IP addresses or internal systems and configurations.
mobile devices within the corporate ecosystem
IT and security teams will continue to be under increasing pressure as the threat of cyber-attacks grows, as CISOs implement more stringent cybersecurity policies, and as employees express rising concerns about privacy. Over half (61%) of survey respondents agree that trying to set and enforce corporate policies around cybersecurity is nearly impossible as lines blur between personal and professional lives. Whilst 46% say mobile devices in the corporate ecosystem are acceptable, 34% are concerned about privacy.
55%
of tablets within the enterprise are employee-owned
39%
of tablets within the enterprise are purchased by the company
66%
of smartphones within the enterprise are employee-owned
29%
of smartphones within the enterprise are purchased by the company
The mobile threat landscape in enterprises
In 2021, Zimperium analysed a range of mobile threats, including malware, unauthorised access, and vulnerabilities by device. Successful mobile attacks affect the bottom line, costing enterprise organisations millions of dollars. Penalties include loss of consumer trust, legal fees, fines, reputational damage, theft of sensitive data, and more.
Insider threats can cost the most to detect and remediate. While, corporate-owned and BYO devices are used to access corporate data, without tools such as mobile threat defence, mobile devices provided limited visibility for IT departments and can take longer to detect malicious activity, if at all. According to survey data, the Finance department is the group that poses the biggest internal threat to enterprises due to the sensitive financial and corporate data these teams process daily. These statistics underline why CEOs and CISOs must focus on this issue and increase investment in endpoint security.
Threats Affecting Enterprises in the Past 12 Months:
54%
46%
42%
42%
Malware (Virus, Phishing, Ransomware)
Identity or Account Theft
Mobile or Web Application Security Exposure
Unauthorised App or Resources Access
SUMMARY of the android and iOS vulnerabilities in 2021
Android Vulnerabilities:
According to vulnerability tracking, the Android operating system saw a dip in the number of vulnerabilities discovered in 2021, with 574 CVEs tracked. In 2020, 859 were discovered. The most common vulnerabilities were code execution, system bypassing, and overflow of code or memory.
79% had low attack complexity
21% had medium attack complexity
18% had critical attack complexity
iOS Vulnerabilities:
According to vulnerability tracking, Apple iOS had 357 CVEs assigned throughout 2021. This is an increase from the 305 discovered and reported in 2020. The most common vulnerabilities were code execution, followed by memory corruption and overflow of memory or code.
24% had low attack complexity
74% had medium attack complexity
17% had critical attack complexity
Tracked Vulnerabilities
Zero-Day, in the wild exploits
These are vulnerabilities detected in actual attacks against users where neither the public nor the vendor knew of the vulnerability. This means that no patch was available when the attack took place.
2021 was the year of mobile-specific zero-day exploits
In the last three years, zero-day vulnerabilities targeting mobile endpoints have grown 325%
(iOS vulnerabilities accounted for 64% of mobile-specific exploited zero-day attacks)
Why the rise in zero-day exploits?
This is due to the ever-increasing amounts of personal, private, and critical data systems connected to mobile endpoints. When malicious threat hunters seek out new, exploitable opportunities, they look for devices with data access and low-security coverage. Thus, mobile endpoints present viable targets that, when exploited, become key assets for malicious agents.
The Rise of mobile-specific phishing
Current Trends
Recent reports find that phishing was present in 36% of breaches and unfortunately the practice itself has grown by 10% between 2020 and 2021. Interestingly, further research has found that phishing emails were the leading point of entry for ransomware, constituting around 54% of these attacks.
The Pandemic and its Implications on the Digital Security Space
Research has found that 61% of respondents reported a spike in phishing attacks during the COVID-19 pandemic. This is mainly due to the recent trends over the years in which individuals and organisations have become increasingly reliant upon their mobile phones. As a result of the pandemic, this transition has been accelerated which consequentially has multiplied the associated risks.
Vulnerable Channels
Typically, attackers target victims through electronic channels such as email, website hijacking and SMS messaging. Although attackers are also capable of using phone interactions to dupe a target. With reference back to the social engineering side of phishing, it’s no surprise to learn attackers strategise and methodically target victims. The most common tactics employed are:
- Spear Phishing: An attack that will target a specific organisation or person, in the hopes that the victim falls for the mass attack.
- Whaling: Attacks targeting senior high-level executives and other high-profile targets. These attacks, when successful, can be especially harmful due to the level of confidentiality that is associated with the targets.
Why Are Mobiles More Vulnerable?
Typically, mobile endpoints lack any form of security or at least the recommended measures, thus this means that the mobile security mechanisms are not equal to those on a traditional endpoint such as a computer.
The nature of a mobile phone means that the devices inherently present additional challenges. The smaller screens of mobile endpoints may assist in hiding clues that would normally tip off a user about a malicious site, as the screen size may hide a key red flag from view.
As they are used for a variety of communications, this increases the number of attack surfaces for criminals to exploit.
How Attackers Target Mobile Devices:
Adaptive Websites
Able to load completely different content and redirect to alternate sites, depending on the device being used. Attackers adapt content based on the user agent of the mobile endpoint. Through this approach, an attacker can exclusively target mobile devices.
Responsive Websites
Responsive websites adapt the placement and size of objects according to the screen size of the endpoint in use and show OS appropriate dialogue interfaces. While this responsiveness enables legitimate app developers to provide a better user experience, these same capabilities can give attackers an edge in phishing.
Figure 1: An example of a mobile user’s view of a responsive phishing site targeting chase customers.
Figure 2: An example of a desktop user’s view of the same phishing site.
Risks and Attacks: Mobile Malware, bugs and profiles
Malware has become the single biggest source of profit for attackers. This is due to the unique variants and the ease of access, with 5,000 being the average amount of new malware samples being detected daily.
In 2020, attackers took advantage of the pandemic that forced companies worldwide to adopt a distributed workforce. These situations accounted for a significantly larger attack surface as staff used both company-supplied and personal devices to maintain productivity. Ultimately, this situation contributed to increased malware, ransomware, and exploitation across enterprises.
In 2021, data showed that new mobile malware variants increased from October and reached a peak in December. Bad actors leverage online, and retail discounts promoted through links in emails and text messages during shopping holidays, hoping users will download malware through their mobile phones.
Not only is detecting mobile malware increasingly sophisticated, but mobile devices collect high-value data. This creates a perfect situation for malicious actors who want to carry out a quick, high pay-out attack.
Apple IOS' INCREASED ATTACK SURFACE
It’s not just malware that can directly impact the security of an iOS-powered device. iOS configuration profiles give businesses the capability to install and run applications signed by the provider without the scrutiny of Apple’s App Store submission and were initially designed for configuration management. Once approved, Apple provides the developer with a signed certificate for the business to apply to the device, enabling them to install any app they have produced in-house onto the device. However, this feature also allowed end-users to sideload unapproved and often unsecured apps without established OEM protections from third-party stores, increasing the risk of data theft and exploitation on the device as there is limited or no vetting of submitted apps in these third-party stores.
Each iOS configuration profile type exposes the user to a different potential risk. While a profile used to set up a font on the device or to install a printer through Airplay could be considered a low-risk profile to a user, the installation of a new certificate authority could allow a potential attacker to decrypt all the secured traffic from a specific device. While a malicious VPN profile or proxy configuration can redirect all the network traffic on the device to a server controlled by a malicious actor.
A malicious profile would enable system-wide settings and allow untrusted certificates to be installed on the device. From free VPNs to proxy configurations, data can be re-routed and shared in its unencrypted state, or data such as contacts and email credentials shared with malicious parties. There is no way to know where any data from compromised devices is sent or decrypted after a malicious profile is loaded.
Risk Distribution of Unmanaged iOS Configuration Profiles
Three ways to mitigate threats
1
Detect
Monitor smartphones using machine learning detection algorithms because the polymorphic code capabilities used by many malware developers elude signature checkers. Then send an alert if a device is believed to be under attack or contains known vulnerabilities.
2
Protect
In addition to capabilities for detecting threats, the device should have additional automated cybersecurity features.
For example:
- Automated downloading and application of the latest authenticated cybersecurity patches
- Protection from phishing messages using sandboxing techniques
- On-demand VPN capabilities to protect data from untrusted gateways and (especially) Wi-Fi routers
- Access controls to compartmentalise sensitive information and processes
For enterprises, it is especially important to scale policy enforcement to be confident cybersecurity risks are properly addressed.
3
Defence
- In addition to detection and protection, defence is about scaling an enterprise’s defensive efforts
- It includes device-agnostic cybersecurity systems, centralised web security for both devices and servers; as well as tools for unified Identity and Access Management (IAM), Data Loss Prevention (DLP), and Cloud Access Security Broker (CASB)
How we can help
Threats to the mobile sphere are ever-increasing and ensuring you have your sensitive company data protected is an essential consideration.
Zimperium protects mobile endpoints and apps so they can access enterprise data securely, Mobliciti can support deployment on a variety of operating systems and if you’d like to find out how we can help you, get in touch.
