New data shows that the scale of mobile threats is increasing and attackers are becoming more sophisticated, with nearly a third of zero-day attacks now targeting mobile devices.
In its annual Mobile Threat Report published this week, cybersecurity firm Zimperium said data from its services shows that nearly a quarter of mobile devices encountered malware last year, while 13% had data intercepted through a mid-device attack and 12% were redirected to a malicious website. The increased cyber risk comes with the growth of the attack surface area for mobile apps, with more than 900 common vulnerabilities and exposures (CVEs) reported in 2021 directly affecting Apple iOS or Google Android. In addition, risks from third-party components used by developers have risen, and a variety of misconfigurations have undermined the security of cloud services that underpin mobile apps.
The data suggests that adversaries are finding ways to exploit traditionally powerful software ecosystems surrounding mobile devices, says Richard Melick, Zimperium’s director of threat reporting.
“There has been a pivotal change in the landscape with the increasing targeting of mobile devices by attackers,” he says. “These portable devices are very important in our daily life, and they are very important business tools, [so] organizations have to treat the mobile device with the same level of security in mind as traditional endpoints.”
The mobile phone landscape has changed over the past two years, as the coronavirus pandemic has forced employees to work from home, often using their own devices. Two-thirds of organizations currently have an active Bring Your Own Device (BYOD) policy for workers, with another 11% looking to add the option next year, according to a Zimperium report. Before the pandemic, only 40% had a BYOD policy in place.
Additionally, more employees say they consider their mobile device a necessary tool to get their work done. In fact, more than three-quarters of tech professionals rely on at least four apps on their mobile devices, according to the report.
“With the advancement of technology with each new application, there are unknown risks and threats that must be overcome,” Esteban Pellegrino, chief scientist at Zimperium, says in an article in the report.
About one in four Zimperium users – 22% in North America – “encountered” malware in 2021. The term, poorly defined in industry reports, refers to clicking on a malicious link or opening a malicious attachment. Zimperium’s Melick says someone will have to deal with the link or attachment.
Not only are you likely to encounter malware, but the malware also has more tricks, he says.
“We see malware that targets multiple services; we see malware that forces the device to reset to factory settings,” Melick says. “The complex nature of traditional malware is spreading in the mobile space.”
Phishing attacks have also taken off during the coronavirus pandemic, with 61% of survey respondents saying they are seeing a rise in phishing attacks. In addition, attackers design phishing sites for mobile browsers and take advantage of the limited screen space on a typical device.
“When phishing sites are mobile-adapted — since the user can’t always see the URL or some other sign of fraud — mistakes are easier to make on these small screens, so they are more likely to click on the wrong link,” says Melick.
Over the past decade, attacks on mobile phone users have increased, as attackers try to adapt to the ubiquitous proliferation of devices. However, while encounters have increased, that does not mean that successful attacks have taken off. Additionally, Zimperium’s focus on a 466% increase in exploited zero-day vulnerabilities on mobile devices in 2021, compared to the previous year, says little about increased threats and more likely reflects increased research and bug bounties.
The data comes from Google’s Project Zero, which documented three vulnerabilities that affected iOS, Android, or the WebKit web browser engine in 2019 and 2020. However, in 2021, four vulnerabilities were exploited in iOS, six in Android, and seven in WebKit. Apple – and some Linux products – use the WebKit browser engine.
Between phishing sites and more zero-day exploits, the data suggests that attackers have more options for hacking devices.