Researchers have observed an increase in the number of mobile-specific zero-day exploitation attempts and phishing attacks in 2021.
A recent Global Mobile Threat Report, released by Zimperium this week, said the increase demonstrates how mobile devices, including phones and tablets, pose a significant challenge for enterprises. End users are becoming increasingly reliant on mobile devices, particularly with the COVID-19 pandemic accelerating the transition to remote or hybrid work models - however, these devices have not traditionally come with the same level of security found on laptops and desktops. If companies attempt to apply legacy security tools to mobile devices, they encounter various challenges: for instance, sandboxing tools on mobile devices do not deliver all the information needed for advanced threat detection, said researchers.
“When you couple the insecurity of mobile devices with the fact that those devices are now gateways to sensitive corporate and personal assets, it is no surprise that these devices are increasingly the focus of attackers,” according to researchers with Zimperium in their report.
The report found that the use of zero-day flaws in active attacks against mobile devices in 2021 had exploded, with a 466 percent increase. Also in 2021, iOS vulnerabilities accounted for 64 percent of mobile-specific exploited zero-day attacks. These iOS flaws have been at the center of several high-profile exploit attempts, including one fixed a few weeks ago by Apple: a WebKit vulnerability in iOS and macOS (CVE-2022-22620) that was under active attack. Another Apple zero-day in iOS 14, called FORCEDENTRY, was fixed in September and had been utilized by attackers to deploy the Pegasus spyware.
“The increased reliance on and growth of the mobile market has presented viable opportunities for malicious actors to exploit typically unsecured systems, with over 30 percent of known zero-day vulnerabilities discovered in 2021 targeting mobile devices,” said researchers with Zimperium. “This trend represents the most significant increase in zero-day exploits in the history of smartphones and tablets.”
At the same time, researchers found that the number of mobile-specific phishing websites had increased by 50 percent since 2019, with 75 percent of the phishing sites in 2021 specifically targeting mobile devices to deliver content appropriate for the mobile format. Phishing attacks against mobile devices are lucrative for attackers because the smaller screen formatting may disguise red flags present in a phishing message, such as the address of the sender. The potential communication channels - email, SMS message, in-app messaging or otherwise - are also numerous on mobile devices.
“In our research, when asked about risks that most concerned them, 'exploitation via phishing' was the top-rated response,” said researchers. “Further, crafting phishing attacks continues to get easier: tools and phishing kits now enable even novice users to deploy deceptive sites with just a few clicks.”
Organizations are recognizing the security risks that come with an increasingly mobile environment. According to the report, 66 percent of organizations surveyed said they have active Bring Your Own Device (BYOD) policies in place, with 11 percent saying they are looking to implement BYOD programs over the next year. These policies govern how employees should (or should not) use their personal phones for work purposes.
“Despite their best efforts, the reality is that the workplace evolved much faster than many of these teams and strategies had planned for,” said Shridhar Mittal, CEO of Zimperium. “During the last two years specifically, many organizations sacrificed security controls in order to support productivity and ensure business continuity.”