Last week cybersecurity firm Zimperium published its annual mobile cyberattack threat report, and the news was not good. Unfortunately, it revealed a steep rise in malware and zero-day attacks focused on mobile devices. (In fact, almost a third of zero-day attacks now target mobile devices.) If you aren’t familiar with the term “zero-day attack”, here you go: These occur when hackers take advantage of an existing software security flaw that software developers are not yet aware of. By the time developers discover it and try to fix it, they are already too late. In other words, there are “zero days” left to fix the vulnerability because it has already been exploited.
Invasion of the data snatchers
The report data also reveals that the bad guys are finding their way into and around the mobile software “ecosystem”, which had traditionally been considered very secure. The attack surface of mobile apps has grown, with more than 900 Common Vulnerabilities and Exposures (CVEs) reported in 2021. Risks have also increased from third-party components used by developers. And the security of the cloud services that support these applications has become destabilized, thanks to a variety of reported misconfigurations.
Timing is everything
This news couldn’t come at a worse time, as organizations widen their acceptance of personal devices for work. Thanks to two years of shifting to remote and hybrid work, two-thirds of organizations currently have an active bring-your-own-device (BYOD) policy for workers, according to the report. And another 11% are considering adding the option within the next year. (By comparison, only 40% of organizations said they had a BYOD policy in place before the start of the pandemic.) The survey also shows that more employees now say they consider their mobile device a necessary tool for getting their work done. And more than three-quarters of technology professionals say they rely on at least four applications on their mobile devices.
Some mobile cyberattack stats
According to the Zimperium data:
- 22% of mobile device users encountered malware last year
- 13% had their data intercepted by a machine-in-the-middle attack
- 12% were redirected to malicious websites
- 61% said they had seen a spike in phishing attacks
The bottom line, according to Zimperium’s Director of Threat Reporting, Richard Melick: “There was a pivotal change in the landscape as mobile devices are being increasingly targeted by attackers,” he said. “These mobile devices are critical to our everyday lives, and they are critical work tools, [so] organizations have to approach the mobile device with the same security in mind as traditional endpoints.”
Why mobile devices are prime targets
Hackers are clearly adapting to the omnipresence of the devices. And there are other reasons why they love them: Mobile devices are designed in a way that is optimal for malicious shenanigans. My colleagues and I have written about this in the past, but I’ll quickly review:
- Screen size: The smaller screen size makes it harder to see the headers of emails, where a spoofed address might be detected. It’s also more difficult to view multiple pages without toggling back and forth or hitting links. This creates a greater chance of accidentally clicking on something malicious. Phishing attacks via mobile really took off during the pandemic, in great part for this reason.
- Distraction: When users are reading messages on their phones, they may also be on other devices at the same time. This is especially true if they are doing so as part of their remote work. Furthermore, they may have multiple apps running at the same time and are bouncing back and forth between them. This lack of focus can be their downfall.
- Reaction-based interface: Mobile graphical user interfaces foster action – accept, reply, send, like, etc. – and are designed to make it easier for users to respond quickly to a request. However, these snap decisions can be costly, as they may miss clues to malicious intent.
Back to school…for everyone!
We say it all the time, and for good reason: Cybersecurity training is essential in this day and age. And as mobile use for work increases, cyber safety refreshers specific to mobile use are more critical than ever. Make sure your staff know basic phishing protections and how to be careful when using mobile devices: Slow down. Focus. Don’t react to requests immediately. After all, just because the number of mobile cyberattacks continues to go up does not mean we should help them succeed.