The volume of mobile threats is increasing and attackers are growing more sophisticated, with almost a third of zero-day attacks now targeting mobile devices, new data shows.
In its annual mobile threats report published this week, cybersecurity firm Zimperium says data from its services shows that nearly a quarter of mobile devices encountered malware last year, while 13% had their data intercepted by a machine-in-the-middle attack and 12% were directed to a malicious website. The rising cyber-risk comes as the attack surface area of mobile applications has grown, with more than 900 Common Vulnerabilities and Exposures (CVEs) reported in 2021 that directly affect Apple iOS or Google Android. In addition, risks have risen from the third-party components used by developers, and a variety of misconfigurations have undermined the security of the cloud services underpinning mobile applications.
The data suggests that adversaries are finding ways to exploit the traditionally strong software ecosystems surrounding mobile devices, says Richard Melick, director of threat reporting at Zimperium.
"There was a pivotal change in the landscape as mobile devices are being increasingly targeted by attackers," he says. "These mobile devices are critical to our everyday lives, and they are critical work tools, [so] organizations have to approach the mobile device with the same security in mind as traditional endpoints."
The mobile landscape has changed over the past two years, as the coronavirus pandemic forced employees to work from home, often using their own devices. Two-thirds of organizations currently have an active bring-your-own-device (BYOD) policy for workers, with another 11% looking to add the option in the next year, according to Zimperium's report. Before the pandemic, only 40% had a BYOD policy in place.
In addition, more employees say they consider their mobile devices to be a necessary tool to accomplish their work. To do that work, more than three-quarters of technology professionals rely on at least four applications on their mobile devices, the report states.
"Mobile and traditional devices are converging, and the mobile versions are increasingly replacing their traditional counterparts, capable of accessing and processing high amounts of data far from the confines of an office," says Esteban Pellegrino, chief scientist at Zimperium, in an essay in the report. "With each new application's advancement in technology, there are unknown risks and threats to overcome."
About one in four Zimperium users — 22% in North America — "encountered" malware in 2021. The term, which is typically not well defined in industry reports, refers to clicking on a malicious link or opening a malicious attachment. Someone would have to engage with the link or attachment, Zimperium's Melick says.
Not only is malware more likely to be encountered, but the malicious programs have more tricks, he says.
"We are seeing malware that is targeting multiple services; we are seeing malware that forces a factory reset of the device," Melick says. "The complicated nature of traditional malware is spilling over into the mobile space."
Phishing attacks also took off during the coronavirus pandemic, with 61% of survey respondents saying they are seeing a spike in phishing attacks. In addition, attackers are tailoring phishing sites to mobile browsers and taking advantage of the limited screen real estate on the typical device.
"When phishing sites are adapted to the mobile device — because the user cannot always see the URL or some of the other signals of fraud — mistakes are easier to make on these small screens, so it is much more likely that they will click on the wrong link," Melick says.
Over the past decade, attacks on mobile users have increased, with attackers trying to adapt to the ubiquity of the devices. However, while encounters have increased, that does not mean that successful attacks have taken off. In addition, Zimperium's focus on the 466% increase in exploited zero-day vulnerabilities seen by mobile devices in 2021, compared with the prior year, speaks less to an increase in threats and likely more to an increase in research and bug bounties.
The data comes from Google's Project Zero, which documented three vulnerabilities that impacted iOS, Android, or the WebKit Web browser engine in 2019 and 2020. In 2021, however, there were four iOS, six Android, and seven WebKit vulnerabilities reportedly exploited. The WebKit browser engine is used by Apple — and some Linux — products.
Between phishing sites and more zero-day exploits, the data suggests that attackers have more options for compromising devices.