Research shows more than 80% of the world owns a smartphone of which more than a third use these devices to access services such as online banking, shopping and email. Given the challenges posed by the hybrid working models, a major enterprise-level challenge has emerged where these hand-held devices aren’t always protected by their cybersecurity team.
A study by Microsoft in 2022 revealed that more than two-thirds (67%) of workers use their personal smartphone for work-related tasks. Our mobile devices represent a very real vulnerability, not just when it comes to our personal data, but when it comes to potentially sensitive work data too.
During 2023, vulnerability has increased as mobile threats continue to grow, both in terms of number and sophistication. Check Point Research revealed that organizations experienced a mobile malware attack in 2022, with phishing (52%), command and control (25%), and automatic browsing to infected websites (23%) among the most common. Banking trojans, designed to steal users’ online banking credentials, and premium dialers, which subscribe to premium rate services without the users’ knowledge, are also on the rise.
In Check Point’s 2023 Mid-Year Cyber Security Report, mobile devices continue to prove a common attack vector. The “FluHorse” malware, for instance, camouflages itself as popular Android applications, aiming to extract Two-Factor Authentication (2FA) codes and other sensitive user data. Another malware, known as “FakeCalls”, simulates over twenty distinctive financial applications and generates fraudulent voice calls, further highlighting the innovative tactics employed by cybercriminals.
Learn from the past, prepare for the future
While mobile devices offer convenience and efficiency, they also present a unique set of vulnerabilities. Their ubiquitous nature combined with often lax security measures makes them prime targets.
One of the most alarming revelations of 2023 is that despite the advancements in technology and the increasing reliance on mobile devices, they remain one of the most unsecured attack modes. This is partly because the onus of security has traditionally been placed on suppliers, like Apple or Android, rather than on additional, layered security measures. Time will tell if we see a course correction on this issue in the coming years.
There are some inherent risks
The risks associated with mobile threats are multifaceted. Beyond the immediate threat of data theft, mobile devices can serve as gateways for attackers to access corporate networks, potentially leading to larger-scale breaches or supply chain attacks. The lateral movement within networks, facilitated by compromised mobile devices, can have cascading effects, compromising multiple systems and data repositories.
Mobile devices are, of course, network endpoints, and that means they are often part of complex supply chains. Vulnerabilities can be introduced to these supply chains at any stage, from device manufacturing and software development, right through to the deployment of services to end users. Mobile phones, particularly those that are not business-owned or carefully monitored, are currently the weakest part of the chain.
Outside of business, mobile devices are also prime targets for phishing attacks and social engineering. The smaller screen sizes can make it harder to identify malicious URLs, and users are more likely to click on fraudulent links in text messages or social media apps when they are distracted or on the move. There are also concerns that mobiles are creating a culture of over-reliance on technologies like biometric authentication. While facial recognition and fingerprint scanning are convenient, they aren’t infallible and can be spoofed.
Who is responsible for mobile security?
While suppliers play a crucial role in patching known vulnerabilities, organizations and individuals must take proactive measures to secure their devices. Relying solely on the supplier is a reactive approach that leaves devices vulnerable to zero-day attacks. Instead, a multi-layered security approach, including regular software updates, robust authentication methods, and user education, can significantly reduce the risk posed by mobile threats.
As we look to the future, the mobile threat landscape is expected to become even more complex. With the increasing integration of IoT devices and the blurring lines between personal and professional device usage, the potential attack surface continues to grow. Organizations and individuals must remain vigilant, prioritizing mobile security not as an after-thought but as a fundamental aspect of their overall cybersecurity strategy.
While mobile devices have revolutionized the way we live and work, they have also introduced a new set of challenges in the realm of cybersecurity. By understanding the evolving threat landscape and taking proactive measures, we can enjoy the benefits of mobile technology without compromising security.
