
Zimperium: The Number of Fully Exploited Devices Increased by 187% Amidst Surging Mobile Threats

Mobile security provider Zimperium has released its highly anticipated Global Mobile Threat Report 2023, uncovering a staggering increase in mobile threats between 2021 and 2022.

According to the Global Mobile Threat Report 2023, 43% of all compromised devices in 2022 were fully exploited, marking a 187% year-over-year increase.

“This year’s report reveals a continued growth toward mobile-powered business along with the increasingly sophisticated security risks facing it, including spyware, phishing, and ransomware,” the report stated.

Attributing the expanding attack surface to the “growth in mobile device and app usage,” Shridhar Mittal, CEO of Zimperium, encouraged mobile-powered businesses to implement more mobile security measures to protect sensitive information.

Mobile-based phishing attacks are increasing

The Global Mobile Threat Report 2023 found that phishing-based mobile threats increased from 75% to 80% in 2022, with 80% of phishing sites designed to function on both desktop and mobile.

Similarly, mobile-based phishing attacks were astoundingly successful, making them an indispensable tool in the threat actor’s arsenal.

According to the report, users were six to ten times more likely to fall for SMS phishing attacks than email-based phishing, with an average of four malicious/phishing links clicked on every device analyzed.

“One of the most effective strategies for preventing mobile phishing attacks is to make phishing behavior change the strategic center of the security stack,” suggested Mika Aalto, Co-Founder and CEO at Hoxhunt. “This means integrating human threat intelligence with your protect-detect-respond capabilities.”

Apple zero-days most exploited, while critical Android vulnerabilities doubled

Zimperium’s report found that the Android operating system had the most recorded instances of detected vulnerabilities.

In 2022, Android reported 897 common vulnerabilities and exposures (CVEs), up from 571 in 2021, while reported Apple iOS CVEs fell from 380 in 2021 to 242 in 2022.

Similarly, Android critical vulnerabilities (CVSS 7.2 and above) increased by 139% from 18 in 2021 to 43 in 2022, while Apple iOS critical CVEs dropped by 40% from 45 in 2021 to 27 in 2022.

However, Apple iOS accounted for 80% of all zero-day vulnerabilities actively exploited in the wild, despite recording fewer CVEs than Android.

Malware-based mobile threats increased significantly in 2022

Malware-based mobile threats increased during the study, with Zimperium blocking 2,000 zero-day malware samples weekly.

“Between 2021 and 2022, the total number of unique mobile malware samples rose 51%, with more than 920,000 samples detected, including Dirty RatMilad, MoneyMonger, and Dark Herring,” the researchers wrote.

Dark Herring alone infected over 100 million users globally, while the Schoolyard Bully credential stealer victimized over 300,000 smartphone users.

The infection rate on Android devices increased from 1 out of 50 devices in 2021 to 1 out of 20 devices in 2022.

According to Zimperium, spyware was most prevalent in EMEA and North America, at 35% and 25%, respectively, with nation-state threat actors leveraging spyware to achieve their objectives.

Similarly, smaller organizations started using spyware more often, mostly preferring Dirty RatMilad Android spyware, while NSO Group’s Pegasus still made headlines in 2022.

When polled, 85% of respondents identified spyware as a threat to personal information and organizational cybersecurity.

Mobile-based threats exploit cloud misconfigurations

The Global Mobile Threat Report 2023 found that “improper cloud storage configurations in mobile apps are a leading attack surface.”

Roughly 14% of all mobile apps, and 2% of iOS apps and 10% of Android apps respectively, accessed insecure cloud instances, exposing them to various mobile threats. Interestingly, just 1% of cloud misconfigurations posed 60% of all risks associated with mobile apps accessing misconfigured cloud resources.

“This underscores how even a small number of unprotected instances or improperly configured apps can introduce a lot of exposure,” the researchers warned.

The report stressed the need to address mobile-based threats as a critical component of any organization’s cybersecurity program since most clients accessing enterprise resources were mobile devices.

“Mobile devices are now also integral to the way we work. Last year’s report revealed that 60% of the endpoints accessing enterprise assets were mobile devices,” Zimperium stated.

According to John Gallagher, Vice President of Viakoo Labs at Viakoo, Zimperium’s “data-driven assessment of mobile threats” would help organizations plan their budgets and resources and extend cybersecurity beyond IT and the datacenter.

“Whether it is mobile, IoT/OT, ICS, or cloud, new threats are expanding outside of IT, and organizations need to plan accordingly.”

Describing mobile devices as intermediaries to other systems, Gallagher also recommended security awareness training to prevent hackers from pivoting from mobile to other devices.

“There needs to be more training aimed at mobile threats; for example, downloading apps from non-approved sources (this was noted as how the vast majority of Android malware is planted) should be something organizations can train their employees on to reduce the number of incidents.”