#CyberSecurityAwarenessMonth: In an increasingly interconnected and digital world, mobile security threats have become a haunting reality for organizations across various industries. As mobile devices continue to play a pivotal role in communication, commerce, and daily life, they have also become prime targets for cybercriminals seeking to exploit vulnerabilities. We spoke with JT Keating, SVP Corporate Development at Zimperium, to discuss the scariest mobile security threats in 2023.
What were, in your analysis, the scariest mobile security threats of 2023?
One of the scariest threats facing mobile devices in 2023 was sophisticated malware that hides itself within mobile devices and applications. Advanced malware can bypass even the most robust security measures, steal sensitive information, hijack devices, or gain unauthorized access to resources. What makes them so scary is that they can hide in devices for prolonged periods of time, undetected and waiting for an opportune time to launch. The rise of fake mobile apps has opened the door to new avenues of malware distribution, as well. All it takes is someone downloading an application they think is harmless, only to discover that malware was baked inside the app, leading to financial fraud, data theft, brand impersonation, user safety risks, and challenges for app store ecosystems.
Mobile malware is continuing to proliferate, both in volume and in the number of variants detected. According to Zimperium’s Global Mobile Threat Report 2023, between 2021 and 2022, the total number of unique mobile malware samples rose by 51%, with more than 920,000 samples detected. In fact, the zLabs research team detected an average of 77,000 unique malware samples each month. Dark Herring, TeaBot and RatMilad were three of the most notorious strains in 2022.
Alongside malware, mobile phishing presents a scary risk for businesses, with 80% of phishing sites either specifically targeting mobile devices or designed to function on both desktop and mobile systems, according to zLabs detections. It stands true that mobile devices are more susceptible to successfully phishing attacks than other devices - it’s easier to click and open something when it’s in the palm of your hand and contains limited information. There’s only so much a screen can show, making it easier for users to unknowingly click something containing malicious content. And the data shows - the average user is six to 10 times more likely to fall for SMS-based phishing attacks than email-based attacks. Additionally, fake QR codes connect the device to scary and nefarious websites that can deliver malicious apps without the user knowing.
What made organizations particularly vulnerable to these threats? Why were these threats more dangerous than others?
Mobile devices serve as the foundation for today’s communication, commerce, business and lives. We work on our phones, conduct business transactions, do taxes, get health care and share highly sensitive information through these devices. As organizations continue to embrace a distributed, mobile-first workforce, cybercriminals see this as a rich attack vector.
Securing mobile apps differs fundamentally from securing web and desktop apps. For one, mobile applications and devices run outside the perimeter. Most mobile apps run on devices that are outside the control of the enterprise that has produced them and as a result, the organization’s risk is significantly higher since the app is exposed to several attack vectors on the device. They also have different exposure points. Mobile apps are typically installed on devices and have access to device resources, such as cameras and GPS, while web apps run in a browser and have access to web resources, such as cookies and HTTP headers. The different exposure points associated with each type of application give rise to different security risks.
What should mobile-powered businesses do to protect themselves from them?
The most important thing is for organizations to realize that they are no longer operating in the old ways of a closed perimeter. In order to capitalize on digital transformation initiatives, they need to embrace a mobile-first security strategy, which consists of five key principles. First, security teams need to prioritize and assess risk as close to the user and device as possible. Second is to operate in a known state by having visibility and vulnerability assessment for every single entry point. Third is to detect anomalies and prioritize remediations based on contextual Intelligence so that the most critical gaps get addressed first. This involves embedding security across the device and application lifecycle. The fourth thing to consider is spearheading the autonomous journey, by automatically isolating compromised devices and untrusted environments. And lastly, organizations must stay ahead of changing regulations in data and privacy across the regions in which they operate to minimize risk compliance failures.
How do these threats impact organizations across different industries? Is healthcare more at risk to one of these threats than finance?
2022 was the most active year in ransomware activity, with thousands of file encrypting malware strains targeting companies of all sizes. zLabs discovered that the top three vectors hit by ransomware were healthcare, critical manufacturing and government facilities.
In terms of mobile phishing, one of the most targeted markets is finance. Many cybercriminals who employ phishing are after one thing: money. Whether gained through ransomware or by stealing access to sensitive information, phishers are money motivated, so this makes sense that they would target the industry with the most lucrative data and a quick payoff. In context, Financial services firms have been targeted 60% more than the next most targeted sector, which was mail services.
Even when compared to the OWASP Top 10, a list of top security safeguards and best practices for creating secure mobile applications, we see that both finance, retail and healthcare experienced a range of common, high severity vulnerabilities. By analyzing the iOS and Android versions of the top 100 apps across three critical verticals (medical/healthcare, financial and retail), Zimperium discovered that a handful of OWASP risks are targeting applications in these three industries. If we zero in on the financial sector, the top OWASP risk areas that the apps faced were Insufficient Cryptography, Insufficient Binary Protections, Network Issues, Vulnerabilities, Insecure File System and Insecure Data Storage.
Across all three of these sectors, however, we see that iOS had significantly more OWASP violations than Android. Are there any specific mobile threats that businesses should be prepared to see as the holidays inch closer?
As the holidays get closer, we are going to see an influx of threats from financially-motivated cybercriminals looking to scam shoppers and businesses alike. Businesses are taking advantage of QR codes to quickly and efficiently get deals and products in front of customers, and threat actors will be ready to take advantage again. Think of all the ways you might be phished on your mobile device: SMS text messages, Near Field Communication tags, QR codes, messaging apps like WhatsApp and Signal, social media apps, the list goes on. Attackers can trick users into entering their corporate, banking, or other sensitive credentials into a rogue site controlled by the attacker, downloading a malicious app onto their device, or otherwise undermining their security with phishing attacks.
Businesses should be ready to educate their employees on the dangers of QR code phishing and how to be skeptical of messages particularly from unknown senders and those containing links. Remember, if it can deliver a web URL, it can deliver a phishing attack.
Are there any external trends (geopolitical, economic, etc.) that influenced the rise or fall of these threats?
The use of unmanaged BYOD devices in the workforce is a trend that will continue to increase the vulnerability gaps companies are dealing with. In today’s modern workforces, users are the administrators and not the organization, so vetting an app is easier said than done. We have even seen an upward trend in both private and public sector organizations banning social media and other apps that could potentially expose information. Companies are starting to see the danger of employees using apps for entertainment that also expose corporate data, and are taking steps to implement mobile-first security solutions and integrating mobile protection through threat defense (MTD) capabilities into their security tool stack. ###