The data is in, and it doesn’t look good: mobile devices are a primary target for online criminals.
Checkpoint’s Mobile Security Report 2021 found that 97% of organizations are facing mobile threats that originated in multiple vectors including applications, networks, devices, and OS vulnerabilities. The question is, why are intruders so focused on what’s in your pocket?
Here are six reasons why mobile devices are such attractive targets.
1. App stores give you a false sense of security
Even today, many users assume that they’re safe from attack because mobile Google and Apple vet apps before they’re published. As long as you don’t jail break or root your phone, or download applications via unauthorised app stores, you should be safe. Right? Wrong.
App store gatekeepers might stop some malware but they don’t stop it all. In March 2021 Google had to remove apps from its Play store after third-party security researchers found them dropping financial trojans onto users’ phones. iOS users didn’t even need to install an app to lose control of their devices in a March 2020 attack – they just had to visit the wrong news site.
2. They’re rich sources of PII
Phones aren’t just tools. They’re our assistants and our portals for interacting with services in the online and the physical world. You book doctor’s appointments with your phone and then use it to pay for your medication afterwards. You also store all of your passwords on it. That makes your mobile device irresistible for attackers.
3. The pandemic expanded mobile device usage
It isn’t just personal information that intruders look for on your employees’ phones; it’s work-related data, too. The pandemic forced many of us to use our mobile devices for work, blurring the boundaries between personal and office life. People are using smartphones increasingly to communicate and collaborate at work, according to the US Department of Homeland Security. That increases the risk of sensitive company data including customer information making its way onto unprotected devices.
4. Smartphones are ideal surveillance devices
You have a device that seems almost purpose-built for finding out everything about you
That thing in your pocket isn’t just a phone; it’s a walking sensor package. Location trackers, accelerometers, cameras, and microphones make it an incredibly useful ingress point into your life – and potentially the workplace. Combine that with the smartphone’s primary purpose as a communication tool and you have a device that seems almost purpose-built for finding out everything about you.
In 2019, WhatsApp discovered a buffer overflow flaw that could infect a device without any interaction from the victim. It could also be used to install surveillance tools that allowed attackers to eavesdrop on conversations.
WhatsApp is not alone. Eavesdropping flaws have cropped up in Apple’s FaceTime, while Google’s Natalie Silvanovich has also discovered eavesdropping flaws in apps including Signal and Google’s own Duo. Don’t even get us started on stalkerware. Attacks like these are a huge security risk for vulnerable people, not to mention high-value corporate individuals.
5. One device can compromise the network
Because mobile devices travel so freely between different networks, they represent a great infection vector for attackers. Infecting a phone with malware can turn it into a foothold when it connects to the company network, or an egress point for stolen data.
Researchers have uncovered several examples of security vulnerabilities in this area including DressCode and TimpDoor, both of which infected corporate networks via mobile devices. In one case, an iOS vulnerability allowed attackers to compromise other phones within WiFi range.
6. Users don’t patch their phones or apps
We know that unpatched software and OS vulnerabilities are a huge opportunity for attackers, yet many mobile users don’t patch either.
One user in five still hadn’t patched WhatsApp’s software flaw six months later, according to Verizon. Sometimes, poor mobile patching is a vendor issue. Some Android OEMs take a long time to roll out Google’s upstream patches, leaving their phones vulnerable.
What can you do?
If you haven’t secured the mobile devices in your employees’ pockets, then those risks may well create problems for you later.
You might suffer a direct network breach or an information security leak targeting sensitive information on the phone when it isn’t anywhere near your network.
With that in mind, proper mobile threat defence tools like Traced Control are crucial to protect your mobile devices by monitoring their behaviour and the networks they connect to. Act now, and avoid disaster later.
Ben Jones is the CEO of Traced, a CommSec partner for mobile security in BYOD environments.
Traced Control is a groundbreaking MTD (Mobile Threat Defense) that works with the Traced app to give businesses visibility and analysis of mobile threats, and the tools they need for analysis, investigation and response.