The mobile device has risen quickly. There are now 5 billion unique mobile internet users globally and for well over half of the global population, mobile devices provide their main method of accessing the internet . If this seems significant for global society as a whole, then the effect of the mobile device with business is even more pronounced.
Agility has become a fundamental asset for businesses. Mobile devices have provided the means to work from anywhere, to collaborate remotely and to join disparate parts of the global workforce into cohesive units. Developments like remote work would be nigh-on impossible were mobile devices not a cornerstone of modern, globalised businesses.
The Zimperium Global Mobile Threat Report (GMTR) shows that 60% of endpoints that access enterprise data are mobile devices. Most business is now happening on - or with the involvement of - a mobile device.
The data has migrated and so have the threats
The risks and threat actors that endanger our systems will always go where the data is. Mobile devices are no different. Now that they form such a central part of business infrastructure, they also present a huge - and often unguarded - attack surface for cybercriminals to exploit and from which data can be compromised.
The mobile device is now a key attack vector and offers attackers a route straight towards the enterprise network and the precious data it contains. The agility that the mobile device offers is now an indispensable business asset - but it also introduces previously “firewalled” network infrastructure to the insecurities of the wider world and the potentially dangerous security habits of users.
The potential points of vulnerability are numerous: Mobile apps and devices often get released with vulnerabilities due to oversights in the development process; unpatched mobile software can unearth yet more vulnerabilities; remote workers can be left exposed to the risks of public Wi-Fi or their ill-configured home networks and users even jailbreak their own devices, overriding native security measures and exposing the device.
Amid this array of potential vulnerabilities, it's easy to see how a well-placed attack on an employee can turn their mobile device into a corporate espionage tool. In fact, Verizon’s 2022 Data Breach Investigations report found that 73% of the organisations that had undergone a mobile-related breach called it “major.”
Threat actors have taken notice, and are flooding in to exploit this huge under-defended and over-exposed attack surface.
Mobile malware - as you might expect - is on the rise. Zimperium’s GMTR revealed that mobile malware grew 51% between 2021 and 2022. In 2021, Zimperium researchers found malware on one out of every 50 devices. The next year, we found malware on one of every 20.
It’s not just a growth of the sheer amount of mobile malware, but also the sophistication. Take, for example, how mobile malware developers are evolving their ability to escape detection by using multi-platform development frameworks. These make it remarkably difficult for defenders to detect levels of maliciousness, thus hamstringing their ability to detect and mitigate threats.
Ransomware has also been a particularly good example of this evolution. It has traditionally been very difficult to deploy on mobile devices because mobile devices often use sandboxing techniques which isolate apps from accessing device data and system resources. That’s a problem for ransomware because it can’t then use those apps as a foothold to dig deeper within the device.
However, ransomware authors have developed a number of families to avoid these natural protections. Locker ransomware doesn’t go for the data but instead merely changes the device’s pin number to lock the user out of the phone and adds an overlay informing them of their ransomware infection. Crypto Ransomware encrypts files on a device, and then calls out to a Command and Control server which provides it with a key that prevents victims from decrypting their files. When Leaker Locker infects a mobile device, it threatens its victim with the public release of the information within that device. If they don’t pay - the infected data is then sent to the victim’s entire contact list.
Mobile phishing has also risen precipitously as attackers try to exploit the urgency and ease with which users interact with their devices. In 2021, Zimperium found that 75% of phishing sites targeted mobile and in 2022, that number had jumped 5% to 80%. This is an especially effective vector for attackers. The average user is apparently 6-10 times more likely to be compromised by a SMS phishing attack than an email-based one.
Supply chain attacks
Attackers are also trying to corrupt the software pipelines that deliver to mobile devices. The best example of this is the attempt to insert malicious apps into legitimate app stores. Attackers can leverage the inherent trust that we put in the repositories like leading app stores.
These masquerade as legitimate apps - circumventing app store vetting procedures - but really contain malicious capabilities that can give attackers control over the victim’s device.
Attackers are working deeper within the supply chain too, infecting third party libraries and SDKs; tampering with development tools and Over-The-Air (OTA) updates and compromising ad networks. These all serve to spread malicious software as far and wide as possible, thus capturing the greatest number of devices and gaining access to the most lucrative targets.
On top of that, pressure is coming from another direction: Regulators. There are already sweeping data protection regulations like the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) which cover huge markets with strict rules around the collection of personal data. These are backed by strict penalties for the non-compliant. Further government directives around mobile security and data handling are also forthcoming.
In the private sector, mobile payments are also coming under greater scrutiny, with standards like Mobile Payments on COTS (MPoC) from the PCI Standards Security Council which demand security assurance from the compliant.
Many organisations satisfy themselves with policing the connections between mobile devices and the central network - but that’s not enough to protect this all-too-soft underbelly. It might stop an attacker from getting to an enterprise’s data centre, but it won’t stop them from infecting a mobile device on which sensitive corporate data is stored and it won’t stop them from using that device to set the stage for a larger attack - like listening in on a board meeting from the comfort of its victim’s pocket. The mobile device is now the frontline in the war against threat actors and corporate spies, and that’s where businesses need to set up their defences - on the mobile device itself.
Enterprises can look to Mobile Threat Defense (MTD) platforms which protect both devices and the apps within them. These platforms can ensure that individual devices haven't been infected, jailbroken or otherwise compromised and alert enterprises to on-device threats as they emerge, quarantining or blocking access as necessary.