Moving Targets – the Growing Threat to Enterprise Mobiles

Wherever legitimate business goes, criminals invariably follow to try and exploit those new opportunities.  And that was certainly true in 2020.  The COVID-enforced shift to remote working meant huge numbers of corporate employees were suddenly doing far more work via their mobile devices – which meant hackers and criminals dramatically increased their efforts to target those endpoints, gambling that the rapid transition to working from home had opened new security gaps.

During the past 12 months, Check Point Research (CPR) has seen a spike in the number of attacks targeting mobile devices, and data breaches from mobile endpoints. Attack vectors include COVID-19-related malicious campaigns, sophisticated mobile ransomware attacks, and even enterprise Mobile Device Management (MDM) software being weaponized to attack the organizations that are using it.  Let’s take a closer look at the attacks CPR observed during this time, and at how organizations and individuals can protect themselves and keep their mobile devices secure.

Fake COVID apps spreading infections

Of course, COVID-19 dominated the mobile cyber-threat landscape as it did every other aspect of life in 2020.  As countries launched official COVID tracking apps, there were concerns over data privacy issues that could expose personal data.  And the release of official apps meant criminals were quick to develop several malicious applications masquerading as legitimate COVID-related apps. These apps contained a wide range of malware intended to steal credentials or money from victims, such as Mobile Remote Access Trojans (MRATs), banking trojans, and premium dialling malware.

Banking trojans blitz

The increased use of mobile devices during lockdown and social distancing was also responsible for the substantial growth in banking Trojan malware families. The Guildma threat actor introduced Ghimob, which is capable of performing transactions on accounts with financial institutions in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique. Eventbot, newly discovered in 2020, focused on targets in the U.S. and Europe while Thiefbot targeted Turkish users. The list continued with BlackrockWroba, TrickMO and others.

Ransomware goes mobile

While ransomware has only started taking its first steps in the mobile world, it evolved fast in 2020 as malicious actors applied their experience of network ransomware to create mobile variants. An example is the ‘Black Rose Lucy’ malware family, originally discovered in September 2018 by Check Point. And now, nearly two years later, it is back with new capabilities that allow it to take control of victims’ devices to make various changes and install new malicious applications.

Undermining MDM

Enterprises use Mobile Device Management (MDM) to help manage and secure their mobile fleets.  But what happens if hackers breach the MDM software?  Check Point researchers recently discovered a new Cerberus variant targeting a multinational conglomerate. Worryingly, the malware was distributed via the company’s MDM server, and it infected over 75% of the company’s devices. In this case, MDM’s most prominent feature, and arguably the reason for its existence, was also its core weakness: a single, central control for the entire mobile network. If that platform is breached, so is the entire corporate mobile fleet.

APT action

Advanced Persistent Threat (APT) activity targeting mobile devices continued, spreading MRATs (Mobile Remote Access Tools) and continually refining their capabilities. In some cases, like that of the Iranian Rampant Kitten APT campaign, the threat actor used a combination of fake mobile applications, Windows infostealers, and Telegram phishing pages to utilize stolen Two-Factor Authentication (2FA) codes to spy on Iranian citizens. Both espionage and financially-motivated groups targeted MFA mechanisms as a prime objective in their surveillance activity.

Vulnerabilities matter

Major vulnerabilities reported this year in mobile hardware and popular applications may mark a shift in attack strategies, which are currently based on disguised malicious applications or OS vulnerabilities. Previously, in most cases the attackers gained an initial foothold through malicious applications or OS flaws, but in 2020 we saw an increase in reports of vulnerabilities in mobile hardware and popular applications.  The Achilles family of vulnerabilities revealed more than 400 weaknesses in a Qualcomm chip that affects a large portion of the entire mobile market. The most popular apps were found to expose their users to potential exploitation: Instagram was reported to have an RCE zero-click vulnerability in its JPEG decoder. Apple’s ‘sign in’ system vulnerability can allow remote attackers to bypass authentication and take over targeted accounts. Additional vulnerabilities were detected in WhatsApp, Facebook, and more.

As we rely more on our mobile devices to stay connected and manage our lives, attackers are increasingly targeting them via sophisticated malware, malicious apps and trying to exploit vulnerabilities. Enterprises need to adopt mobile security that can seamlessly protect all devices – both corporate-issued and users’ personal devices – from these advanced cyber threats, securing devices’ operating systems, apps, and the networks they connect to.  In addition, the security must maintain a good user experience and not affect usability, data consumption, and battery life.

Find out more about the latest threats targeting mobile devices and how they can be mitigated in Check Point’s new 2021 Security Report.