Security news that informs and inspires

Threat Groups Prey on Mobile With Evolving Malware, Tactics


In 2020, most enterprises grappled with mobile threats that stemmed from network attacks, malicious applications and operating system vulnerabilities, highlighting an influx of cybercriminals targeting mobile devices with more sophisticated tactics.

According to a Monday report from Check Point Research, over the course of 2020, 97 percent of organizations reported facing mobile threats that used multiple attack vectors - with 93 percent of these attacks originating from a device’s network. In these types of attacks, attackers utilized the network to gain a better foothold in the device, by attempting to trick the victim into installing a malicious payload through infected websites or URLs, said researchers.

Mobile-based threats are not new - however, due to the expanding attack surface, more sophisticated actors are updating their malware and honing their tactics around mobile devices, making it difficult for defenders to keep up, researchers said.

[The biggest change in 2020] is the level of sophistication that actors from the 'general threat landscape' bring with them to the mobile front," said Aviran Hazum, team leader for products R&D with Check Point. "With the shift to remote working and the pandemic, malicious actors have come up with several nuances to exploit the public.

More enterprise workers utilize mobile devices, with the IDC predicting that the U.S. mobile worker population will soar from 78.5 million mobile workers in 2020 to 93.5 million workers in 2024. The past year’s explosion of remote work, triggered by the COVID-19 pandemic, escalated this expansion of mobile workers, according to Check Point’s 2021 Mobile Security Report, which is based on data that was collected from Jan. 1, 2020 through Dec. 31, 2020 from 1,800 organizations.

Due to this explosion in remote work, cyberattacks in 2020 "have increased significantly, as remote working has allowed malicious actors to exploit new methods and people are much less oriented (training-wise) for those kind of threats," said Hazum.

Beyond network-based attacks, organizations struggled with threats in mobile devices themselves (such as flaws found in August in Qualcomm’s Snapdragon chip) or that stemmed from malicious applications. Up to 46 percent of organizations reported that at least one employee downloaded a malicious mobile application, for instance.

"With the shift to remote working and the pandemic, malicious actors have come up with several nuances to exploit the public."

This growth continues to attract various advanced persistent threat (APT) groups. These groups have included DomesticKitten (also known as APT-C-50), which has utilized malicious Android applications to steal sensitive personal information from its victims, RoamingMantis, which has targeted U.S. mobile device users with the Wroba mobile banking trojan, and Hamas (also known as APT-C-23), which targeted devices with Android espionage malware.

At the same time, malware authors are also updating their mobile-based tools to include more capabilities, with researchers reporting a 15 percent increase in banking trojan activity in 2020, putting users’ mobile banking credentials at risk of being stolen. A new variant of the Rana Android malware, discovered in December, came packed with new surveillance capabilities, for example – including the ability to snoop on victims’ Skype, Instagram and WhatsApp instant messages. And, the Black Rose Lucy Android-based malware dropper, originally discovered in September 2018, last year pivoted its attacks from info-stealing to ransomware.

In addition to updating their malware, cybercriminal groups have also adopted new tactics, allowing them to avoid detection or to increase the impact of their attack. For instance, last year the DoNot APT group in October was spotted targeting mobile users with the Firestarter malware, which used Google’s legitimate Firebase cloud messaging service to notify the authors of the final payload location. The malware was spread via a malicious app that victims were persuaded to download on their mobile device. And a new Cerberus malware variant last year targeted a company’s corporate-owned Mobile Device Management (MDM) server in order to infect over 75 percent of the company’s devices.

In the year ahead, researchers predicted that cybercriminals will shift away from "direct malware" on official marketplaces and instead use droppers in order to better control which payload is served, or to bypass security evaluation by official markets. They also warned of more malware implementing malicious behavior by using native-code - a tactic used previously with the Joker Android malware, making it difficult for security vendors to detect malicious behavior.

“Due to the fact that malicious behavior is implemented in native code (as opposed to via Java) it also becomes harder to analyze and, therefore, harder to detect,” said researchers.

Hazum said, enterprises can stay protected by installing security solutions for their employees' mobile devices, keeping mobile operating systems and apps updated to the latest version and using only official markets for downloading apps.