2023’s Mobile Threats: A Persistent Pocket Danger
More than 80% of the world’s population now owns a smartphone. Smartphones have become so ubiquitous and important to everyday life that, according to research by Google, around a third of smartphone owners use their devices exclusively to access services like online banking, shopping, and email. As much of the world’s workforce moves into hybrid working, mobile devices have also become increasingly common among staff – and not always under the protection of an organisation’s cybersecurity team. A study by Microsoft in 2022 revealed that more than two-thirds (67%) of workers use their personal smartphone for work-related tasks.
Our mobile devices represent a very real vulnerability, not just when it comes to our personal data, but when it comes to potentially sensitive work data too. This year has seen that vulnerability increase as mobile threats continue to grow in number and sophistication. Check Point Research revealed that the majority of organisations experienced a mobile malware attack in 2022, with phishing (52%), command and control (25%), and automatic browsing to infected websites (23%) among the most common types of malicious traffic. Banking trojans, designed to steal users’ online banking credentials, and premium dialers, which subscribe users to premium-rate services without their knowledge, are also on the rise.
In Check Point’s 2023 Mid-Year Cyber Security Report, mobile devices continue to prove a common attack vector. The “FluHorse” malware, for instance, camouflages itself as a popular Android application, aiming to extract Two-Factor Authentication (2FA) codes and other sensitive user data. Another malware, known as “FakeCalls”, simulates over twenty distinct financial applications and generates fraudulent voice calls, further highlighting the innovative tactics employed by cybercriminals.
Learn From the Past, Prepare for the Future
While mobile devices offer convenience and efficiency, they also present a unique set of vulnerabilities. Their ubiquitous nature combined with often lax security measures makes them prime targets.
One of the most alarming revelations of 2023 is that despite the advancements in technology and the increasing reliance on mobile devices, they remain one of the least secured attack vectors. This is partly because the onus of security has traditionally been placed on suppliers, like Apple or Android, rather than on additional, layered security measures. Time will tell if we see a course correction on this issue in the coming years.
The Inherent Risks
The risks associated with mobile threats are multifaceted. Beyond the immediate threat of data theft, mobile devices can serve as gateways for attackers to access corporate networks, potentially leading to larger-scale breaches or supply chain attacks. The lateral movement within networks, facilitated by compromised mobile devices, can have cascading effects, compromising multiple systems and data repositories.
Mobile devices are, of course, network endpoints, and that means they are often part of complex supply chains. Vulnerabilities can be introduced to these supply chains at any stage, from device manufacturing and software development, right through to the deployment of services to end users. Mobile phones, particularly those that are not business-owned or carefully monitored, are currently the weakest part of the chain.
Outside of business, mobile devices are also prime targets for phishing attacks and social engineering. The smaller screen sizes can make it harder to identify malicious URLs, and users are more likely to click on fraudulent links in text messages or social media apps when they are distracted or on the move. There are also concerns that mobiles are creating a culture of over-reliance on technologies like biometric authentication. While facial recognition and fingerprint scanning are convenient, they are not infallible and can be spoofed by malicious actors.
Who Is Responsible for Mobile Security?
While suppliers play a crucial role in patching known vulnerabilities, organisations and individuals must take proactive measures to secure their devices. Relying solely on the supplier is a reactive approach that leaves devices vulnerable to zero-day attacks. Instead, a multi-layered security approach, including regular software updates, robust authentication methods, and user education, can significantly reduce the risk posed by mobile threats.
As we look to the future, the mobile threat landscape is expected to become even more complex. With the increasing integration of IoT devices and the blurring lines between personal and professional device usage, the potential attack surface continues to grow. Organisations and individuals must remain vigilant, prioritising mobile security not as an afterthought but as a fundamental aspect of their overall cybersecurity strategy.
While mobile devices have revolutionised the way we live and work, they have also introduced a new set of challenges in the realm of cybersecurity. By understanding the evolving threat landscape and taking proactive measures, we can enjoy the benefits of mobile technology without compromising security.