2022 Global Mobile Threat Report
2021 Mobile Threats in Review
In a recent survey, technology leaders were asked to highlight the five threats that had
the most significant impact on their systems in the previous twelve months. 42%
of respondents reported that mobile devices and web applications have led to a
security incident. It is not just mobile endpoints introducing risk into
corporate systems: another 42% of respondents reported unauthorized apps and
resources accessing enterprise data, and 10% reported unsecured applications
due to the lack of authentication or encryption.[7] It is now more critical (and
more challenging) than ever to strike a balance between enabling mobile access
and minimizing the enterprise’s exposure to attack. Whether a business relies
on managed, corporate-owned endpoints or has an active bring-your-own-device
(BYOD) program, mobile endpoints and applications introduce increased risks.
56% of technology leaders surveyed rely on at least four to eight enterprise
applications for productivity. 17% of the surveyed technology leaders depend on
more than eight work-specific apps on their mobile device.[8] Although these
applications vary between vendor-provided services and internally developed
toolsets, both categories rely on access to corporate data systems for
effectiveness.
As we analyzed the mobile threat landscape, 2021 was the year of big revelations and reboots of
previously discovered malware. Pegasus, the spyware program sold to governments
around the world, reappeared in the news after revelations of a campaign
targeting 50,000 journalists, human rights activists, political leaders, and
more. Initially unveiled by Amnesty International, the spyware campaign
featured zero-day exploits targeting iOS devices. Shockwaves of this discovery
have continued for months as additional information about the attacks and
victims is revealed. Initially discovered in 2017, the Joker Trojan reappeared
in 2021, targeting Android devices with updated capabilities. These trojans are
malicious Android applications notorious for committing billing
fraud and subscribing users to premium services. As with previous forms of
these attacks, the newly discovered trojans had the same objective: financial
gain. Successful infections of mobile devices often slide under a victim’s
radar until long after the money is gone, leaving them with little to no
recourse for recovery.
Over 1,000 samples of the Joker malware were discovered in mid-2021, and these more recent
variants had new security-bypassing techniques built into their code.
In 2021,
discovered numerous threats impacting over 10 million devices in at least 214
countries.
Here is a summary of the most notable discoveries:
1. GriftHorse: Forensic evidence of this active Android
Trojan attack, which we named GriftHorse, suggests the threat group has been
running this campaign since November 2020. These malicious applications were
initially distributed through both Google Play and third-party application
stores. The campaign targeted mobile users from more than 70 countries.
GriftHorse is exceptionally versatile. The campaign could change the language
and content displayed based on the user’s IP address. Between November 2020 and
September 2021 (when it was publicly disclosed), GriftHorse infected over 10
million devices.
2. PhoneSpy: This spyware
campaign infected thousands of victims’ devices. These malicious Android apps
are designed to spy on their victims constantly. They run silently in the
background without raising any suspicion. We believe the malicious actors
responsible for PhoneSpy have gathered significant amounts of personal and
corporate information on their victims, including private communications and
photos. After public disclosure, the specific campaign was deactivated, and the
command-and-control server was taken down. Infected devices are no longer under
the control of the attackers.
3. FlyTrap: Forensic evidence of
this active Android Trojan attack, which we dubbed FlyTrap, points to malicious
parties operating in Vietnam. This hijacking campaign has been running since
March 2021. These malicious applications were initially distributed through
both Google Play and third-party application stores. The threat actors take
advantage of the fact that users commonly have the misconception that logging
into the right domain is always secure, irrespective of the application used.
The targeted domains are popular social media platforms, and this campaign has
been exceptionally effective in harvesting social media session data of users
from 144 countries. These compromised accounts can be used as a botnet for
different purposes. For example, actors can boost the popularity of specific
pages, sites, and products. In addition, these accounts can be utilized to
spread misinformation or political propaganda.
4. System Update: After an investigation, researchers determined it to be a
sophisticated spyware campaign with complex capabilities. The mobile
application poses a threat to Android devices by functioning as a remote access
trojan (RAT). The application receives and executes commands to collect and
exfiltrate a wide range of data and perform a diverse set of malicious actions.
Once in control, hackers can record audio and phone calls, take photos, review
browser history, access WhatsApp messages, and more.
5. Unsecured & Misconfigured Cloud Storage: Researchers found that 14% of iOS and Android apps
distributed globally revealed several significant configuration issues. These
apps used cloud storage with unsecured configurations. These misconfiguration
issues exposed personally identifiable information (PII), enabled fraud, and
exposed IP addresses or internal systems and configurations. Misconfigured
applications were found in almost every category.
State of Mobile Endpoint Security in 2022
Mobile Device Market
Our smartphones continue to enable us to innovate, be entertained, and
enjoy an improved quality of life. Consequently, mobile device purchases
continue to grow. In 2020,[10] nearly 1.38 billion smartphones were sold
worldwide. In the United States, there are more than 290 million smartphone
users. The penetration rate has risen consistently year over year, reaching 85%
in 2021.
As the mobile device market continues to grow, so will mobile threats. For security teams,
the harsh reality is that it only takes one—one shared password, one deceived
employee, one compromised device—to expose the business to a devastating
breach. Amid the pandemic and the corresponding explosive growth in remote and
hybrid work, the threats associated with mobile devices have expanded rapidly.
While battling consistent, constantly evolving attacks, security teams need to
safeguard more endpoints and ever-expanding attack vectors.
Mobile Endpoints: A Critical Part of The Cybersecurity Landscape
Nearly half of survey respondents (44%) have added security policies or requirements due to
cybersecurity incidents occurring within the distributed workforce. Of that
population, 40% have changed authentication procedures for employees, while 34%
have switched security vendors or service providers.
Mobile Devices within the Corporate Ecosystem
IT and security teams will continue to be under increasing pressure as the threat of cyber
attacks grows, as CISOs implement more stringent cybersecurity policies, and as
employees express rising concerns about privacy. Over half (61%) agree that
trying to set and enforce corporate policies around cybersecurity is nearly
impossible as lines blur between personal and professional lives. While 46% say
mobile devices in the corporate ecosystem are acceptable, 34% are concerned
about privacy.
The breakdown of mobile devices in enterprises
66% of smartphones within the enterprise are employee-owned.
29% of smartphones within the enterprise are purchased by the company.
55% of tablets within the enterprise are employee-owned.
39% of tablets within the enterprise are purchased by the company.
Mobile Threat Landscape in Enterprises
In 2021, VC funding of cybersecurity surged to a record $11.5 billion. Survey respondents
estimate that 43% of their funding will be spent on securing the cloud, 14% on
security consulting, and 14% on risk and compliance. During the COVID-19
pandemic, organizations realized the greatest return on their investment from
endpoint security spending, with investments in business continuity and
disaster recovery planning following right behind.[27] Meanwhile, 45% of
technology leaders are reporting that mobile devices represent the weakest
security.
Threats Affecting the Enterprise in the Past 12 Months
54% Malware (Virus, Phishing, Ransomware).
46% Identity or Account Theft.
42% Mobile or Web Application Security Exposure.
42% Unauthorized App or Resources Access.