Executive Summary

Continuing the trends we saw throughout 2023, as observed in our Annual Report, the first quarter of 2024 was defined by a massive jump in social engineering and phishing attacks, attacks targeting multi-factor authentication (MFA) solutions, and one of the largest healthcare breaches ever.

One of the most head-turning findings in this report is that almost three times as many phishing, malicious, denylisted, and offensive links were delivered to mobile devices as a year ago. Vulnerabilities in mobile apps and operating systems also increase the risk a mobile device poses to enterprise users and data. Finally, the most critical families of mobile malware in the first quarter of this year skewed heavily toward mobile surveillanceware.

Thanks to our industry-leading dataset of more than 220 million devices, 325 million apps, and billions of web items, we are able to identify global trends that help inform security teams across every industry and geography about how to protect their data from mobile threats. This report summarizes our findings from the first quarter of 2024 and shows that mobile threats are no longer on the periphery of modern data protection strategies. Nobody knows the mobile threat landscape like Lookout.

Phishing and Malicious Web Content

Mobile phishing and malicious content have exploded in popularity as attackers evolve their tactics to target enterprise credentials. This has led to a fundamental shift in the traditional cyber kill chain: the modern kill chain depends on legitimate credentials as a way to quietly enter corporate infrastructure and compromise data. Attackers take on convincing personas as internal IT or security teams to trick employees into sharing their passwords or "resetting" them through an attacker-controlled page.

As one of the most widely-adopted mobile threat defense solutions, Lookout defends its customers with out-of-the-box protections against phishing and malicious content as well as the ability to create custom content rules and denylists.

450,000,000: phishing and malicious sites identified by the Lookout Security Cloud globally since 2019.
17,750,000: denylisted and offensive content sites blocked in Q1 2024, up from 4,545,000 in Q1 2023.
900,000: phishing and malicious web attacks prevented by Lookout in Q1 2024, up from 455,000 in Q1 2023.
18,650,000: total sites blocked by Lookout in Q1 2024.

PRO TIP

Attackers have found that targeting employees with socially engineered phishing attacks through mobile-native channels such as SMS phishing (smishing) and voice phishing (vishing) is highly effective. Lookout recommends enforcing a modern defense-in-depth strategy that protects against multiple points of compromise across mobile, cloud, and data protection.
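The section above describes two controls in prose: denylisting known phishing hosts and recognizing the "IT department asks you to reset your password" lure delivered over SMS. The following is an added example of how a simple smishing triage rule can combine them; it is not Lookout's code or detection logic. The denylist entries, lure phrases, and sample messages are constructed for the example, and the verdict thresholds are assumptions.

```python
"""Triage an SMS message for the indicators the report describes: links whose
host matches a denylist (exact or any parent domain), raw-IP or punycode
hosts, and credential-reset lures that impersonate IT or security staff.
Added example: the denylist, lure phrases and messages are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed denylist of hosts; a match on a parent domain also counts.
DENYLIST = {"login-reset-portal.example", "it-helpdesk.example.net"}
# Assumed lure phrases; a production rule set would be far larger.
LURE_PHRASES = ("reset your password", "it department", "verify your account",
                "mfa code")


def normalize_host(url: str) -> str:
    """Lower-case the host, drop a trailing dot and convert IDN labels to punycode
    so that look-alike Unicode domains are compared in their ASCII form."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return host.lower()


def host_denylisted(host: str) -> bool:
    """True if the host or any parent domain (but not the bare TLD) is denylisted."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in DENYLIST for i in range(len(labels) - 1))


def is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_sms(text: str):
    """Return (verdict, reasons); verdict is "block", "flag" or "allow"."""
    reasons = []
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    for url in urls:
        host = normalize_host(url)
        if host_denylisted(host):
            reasons.append(f"denylisted host {host}")
        elif is_raw_ip(host):
            reasons.append(f"raw IP host {host}")
        elif any(label.startswith("xn--") for label in host.split(".")):
            reasons.append(f"punycode host {host}")
    lower = text.lower()
    lures = [p for p in LURE_PHRASES if p in lower]
    if urls and lures:  # a lure is only interesting when it points somewhere
        reasons.append("credential lure: " + ", ".join(lures))
    if any(r.startswith("denylisted") for r in reasons):
        return "block", reasons
    return ("flag" if reasons else "allow"), reasons


# Constructed sample messages (no real senders or domains).
SAMPLE_MESSAGES = [
    "IT Department: your MFA code expired. Reset your password at "
    "https://sso.login-reset-portal.example/reset.",
    "Your parcel is on hold, confirm here: http://192.0.2.10/track",
    "Lunch at 12:30? Invite: https://calendar.example.com/invite/abc",
    "Verify your account: https://\u0430pple.example/verify",  # Cyrillic 'a'
]


def scan_all(messages=SAMPLE_MESSAGES):
    return [analyze_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, (verdict, why) in zip(SAMPLE_MESSAGES, scan_all()):
        print(f"{verdict:5} {why or '-'}  <- {msg[:50]}")
```

The parent-domain match matters because phishing kits are usually hosted on a throwaway subdomain of a denylisted domain; the punycode conversion matters because a Cyrillic "а" in a brand name renders identically to the Latin letter on a phone screen but encodes to a visibly different `xn--` label.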


Mobile Vulnerabilities

Vulnerabilities exist at both the operating system (OS) and app level on mobile devices. While OS and app developers will frequently push updates to patch these vulnerabilities, it’s the job of the end user to actually install them. The gap between when a developer releases a patch and when the new version is installed creates an opportunity for attackers to exploit the vulnerable device and compromise it.  

Lookout monitors a wide range of vulnerabilities and threats, their global presence, and their potential impacts to inform you at the earliest possible moment and keep you safe. Below are the top vulnerabilities encountered by Lookout users in the first quarter of 2024. 

325,000,000+ mobile apps and app versions have been ingested into the Lookout Security Cloud

The most common app vulnerabilities in Q1 were all in components of mobile browsers. Attackers most commonly exploit these vulnerabilities with maliciously crafted web pages, delivered as a link to the target device. From the attacker's perspective, knowing that almost every mobile device runs Chrome, Firefox, Safari, or Edge as its default browser means they can send these malicious links broadly and rely on some users not having updated the browser to a patched version.

1. A zero-day vulnerability in the WebRTC framework, which is used by the mobile versions of Google Chrome, Firefox, Safari, and Edge.

2. A zero-day vulnerability in V8, the open-source JavaScript and WebAssembly engine used by Chromium and the mobile version of Google Chrome.

3. A vulnerability in Skia, the 2D graphics engine used by Google Chrome, ChromeOS, Android, and Microsoft Edge. Successful exploitation could let an attacker steal sensitive data.

4. A vulnerability in Chromium, on which almost every mobile browser is built. Successful exploitation lets a malicious web page trigger heap corruption.

5. A vulnerability in libwebp, the library that decodes WebP images for Chrome and other mobile browsers, with known exploitation in the wild.

6. Another zero-day vulnerability in V8.

7. Two further zero-day vulnerabilities in V8.

8. A zero-day vulnerability in Chromium. Successful exploitation lets a malicious web page trigger heap corruption.

9. A type confusion vulnerability in V8.

10. A second type confusion vulnerability in V8.

iOS Vulnerabilities

Almost every iOS update we are asked to install on our smartphones addresses a security vulnerability. In fact, more than 120 iOS vulnerabilities have already been published in 2024. Apple ships security fixes for the latest release of each of the two most recent major iOS versions. At the time of writing, those are iOS 16.7.8 and iOS 17.5. In the graph below, any other version is counted as out of date, which means a device running it is missing at least one published security fix and is likely to be vulnerable.

PRO TIP

Lookout provides multilayered protection for devices that are exploitable through vulnerabilities at the OS level. Since it often takes time for users to update their devices once a patch is available, Lookout recommends setting an OS Out-of-Date policy that alerts users when their devices fall out of compliance.

Mobile Malware

Mobile app threats and malware can range from invasive permissions and riskware that create a massive compliance risk to advanced spyware that can track devices, steal data off of the device, listen in on conversations, and use the device’s camera. Regardless of the severity of the malware, understanding where your users, devices, and data are at risk on mobile is a critical piece of the modern day security posture.

10 Most Encountered Malware Families in Q1 of 2024
Medium severity
IdShark
Classification: Spyware
Platform: Android
Capabilities: IdShark can forward text messages, contact lists, financial information, and other device information to a third party. It can also track the device's location without the user's knowledge.
Medium severity
MoneytiseSDK
Classification: Trojan
Platform: Android
Capabilities: This monetization SDK is embedded in applications and turns the phone into a proxy, letting the developers make money from the device's network traffic.
Medium severity
Triada
Classification: Trojan
Platform: Android
Capabilities: Triada secretly controls the device and exfiltrates sensitive user data to a third party.
High severity
StatisticalSales
Classification: Surveillanceware
Platform: Android
Capabilities: This malware can forward user data, including call logs, location, and text messages, to a third party.
Medium severity
FakeCiti
Classification: Trojan
Platform: Android
Capabilities: FakeCiti appears in apps that pose as legitimate but are malicious. It presents a phishing form asking the user to enter their bank credentials, which can give a third party access to the bank account.
High severity
GiantFish
Classification: Surveillanceware
Platform: Android
Capabilities: GiantFish is tied to the Bahamut APT, a suspected hack-for-hire group that typically operates in the Middle East and Central Asia. It reports the physical location of the device, SMS messages, and information about phone calls to a third party.
High severity
SpyNote
Classification: Surveillanceware
Platform: Android
Capabilities: SpyNote is integrated into apps that appear useful but behave maliciously. After installation it hides itself and lets a third party remotely control the device, causing a loss of privacy and a loss of control over the device.
Medium severity
TalliumWallet
Classification: Trojan
Platform: Android
Capabilities: TalliumWallet is integrated into apps disguised as legitimate cryptocurrency wallet applications. It attempts to collect the user's passcode and steal the user's cryptocurrency.
Medium severity
GgTrap
Classification: Spyware
Platform: Android
Capabilities: GgTrap can send a variety of sensitive data to remote servers, including text messages, contact lists, call logs, the phone number, browser bookmarks, location, financial information, and other device data.
Medium severity
BianLian
Classification: Trojan
Platform: Android
Capabilities: BianLian can steal text messages, lock the device's screen, steal banking credentials, and install other apps.

Empower Your Security Team with Threat Intelligence

As an extended service, Lookout provides advanced Threat Intelligence to organizations that aim to enhance in-house detective or protective systems.

New mobile malware families protected against in Q1: 39
Known mobile malware families given enhanced protection in Q1: 85

PRO TIP

Security teams need all the intelligence they can get to combat sophisticated, evasive cyber attacks. Advanced mobile threat intelligence gives them visibility into global threat trends so they can stay ahead of attackers and build a stronger security strategy.

Lookout collects and analyzes proprietary data points to provide your security teams with comprehensive protection against mobile cyber attacks. Our advanced threat intelligence and machine learning technology help ensure that your mobile devices are safeguarded from the latest threats.


Most critical threat families of Q1 2024

Critical severity
PlainGnome
Classification: Surveillanceware
Platform: Android
Capabilities: PlainGnome is related to the Russian APT Gamaredon (Primitive Bear). It can steal extensive amounts of data from the infected device, use the camera and microphone, and record activity.
High severity
OrderlySpy
Classification: Surveillanceware
Platform: Android
Capabilities: OrderlySpy is capable of extensive surveillance on the infected device, including, but not limited to, exfiltrating contacts, SMS messages, call logs, recordings, and more to a third party.
High severity
SpyX
Classification: Surveillanceware
Platform: Android
Capabilities: SpyX is commercial surveillanceware that can forward sensitive data, including call logs, contacts, and text messages, to a third party, resulting in a loss of privacy.
High severity
HandelSms
Classification: Surveillanceware
Platform: Android
Capabilities: HandelSms runs secretly in the background, collects text messages, call logs, device data, and network information, and uploads them to a third-party server.
High severity
RareDior
Classification: Surveillanceware
Platform: Android
Capabilities: RareDior is capable of extensive surveillance on the infected device, including, but not limited to, exfiltrating contacts, SMS messages, call logs, recordings, and more to a third party.
High severity
CySpy
Classification: Surveillanceware
Platform: Android
Capabilities: CySpy is capable of extensive surveillance on the infected device, including, but not limited to, exfiltrating contacts, SMS messages, call logs, recordings, and more to a third party.
High severity
KoSpy
Classification: Surveillanceware
Platform: Android
Capabilities: KoSpy is related to the well-known North Korean APT Kimsuky, which develops mobile-focused spyware intended to steal lock screen patterns, SMS messages, screen captures, and video from the device's camera.
High severity
Panther
Classification: Surveillanceware
Platform: Android
Capabilities: Panther has been reported to be related to the Pakistani APT SideCopy. It can steal extensive amounts of data from the infected device, use the camera and microphone, and record activity.

Device Risks

In addition to phishing, apps, and malware, there are misconfigurations that can leave the entire device open to takeover. These range from simple device settings to a jailbroken or rooted device, whether the user did it deliberately or malware gained root access on its own.

Top device misconfigurations

Security misconfigurations can have serious consequences for users, leaving a device and the data on it vulnerable to both known and unknown exploits. The percentages below are the share of devices that had each misconfiguration in Q1 2024.

37.7%
Out-of-date OS

Out-of-date operating system (OS) versions, especially on iOS devices, are missing published security fixes, so the device and the data on it are exposed to exploits that are already public as well as to unknown ones.

14.2%
No device lock

Locking a mobile device is the most basic way of securing it. Some users disable the device lock to make the device quicker to open, which leaves everything on it readable to anyone who picks it up.

13.6%
Out-of-date ASPL

The Android Security Patch Level (ASPL) is the date shown in Settings that records which monthly Android security bulletin the device has applied. Google's bulletins fix new and known vulnerabilities in Android apps, the Android OS, and even hardware components, so a device whose patch level lags the latest bulletin is missing those fixes.

2.2%
Non-App Store signer

The device contains apps that were not reviewed and signed through the iOS App Store, for example enterprise-signed or developer-signed apps. Because they have not been vetted by Apple, such apps carry a higher risk of introducing malware to the device.
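The iOS version rule stated earlier (only the latest release of each of the two supported major versions counts as current) and the four misconfigurations listed above are straightforward to express as an inventory check. The following is an added example of such a check, not Lookout's policy engine or code. The device records are constructed, the supported iOS releases are the two the report names (16.7.8 and 17.5), and the 90-day ASPL threshold is an assumed policy value.

```python
"""Evaluate a device inventory against the four misconfigurations the report
counts: out-of-date iOS, no device lock, out-of-date Android Security Patch
Level (ASPL) and apps from a non-App Store signer. Added example; the device
records are constructed, the supported iOS releases are the two the report
names, and the 90-day ASPL threshold is an assumed policy value."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Latest release of each of the two supported major iOS lines (per the report).
SUPPORTED_IOS = {16: (16, 7, 8), 17: (17, 5, 0)}
MAX_ASPL_AGE_DAYS = 90  # assumed policy threshold


@dataclass
class Device:
    device_id: str
    platform: str                       # "ios" or "android"
    os_version: str                     # e.g. "17.4.1"
    aspl: Optional[str] = None          # Android patch level as shown in Settings, e.g. "2024-03-01"
    has_device_lock: bool = True
    non_app_store_signer: bool = False  # iOS: an installed app is not App Store-signed


def parse_version(text: str):
    """'17.5' -> (17, 5, 0) so that releases compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def ios_out_of_date(version: str) -> bool:
    """Out of date if the major version is unsupported or the release is older
    than the latest release of that major version."""
    v = parse_version(version)
    latest = SUPPORTED_IOS.get(v[0])
    return latest is None or v < latest


def aspl_out_of_date(aspl: Optional[str], today: str) -> bool:
    """A missing patch level is treated as out of date, not as unknown."""
    if aspl is None:
        return True
    age = (date.fromisoformat(today) - date.fromisoformat(aspl)).days
    return age > MAX_ASPL_AGE_DAYS


def evaluate(device: Device, today: str):
    findings = []
    if device.platform == "ios":
        if ios_out_of_date(device.os_version):
            findings.append("out_of_date_os")
        if device.non_app_store_signer:
            findings.append("non_app_store_signer")
    elif device.platform == "android":
        if aspl_out_of_date(device.aspl, today):
            findings.append("out_of_date_aspl")
    if not device.has_device_lock:
        findings.append("no_device_lock")
    return findings


def summarize(devices, today: str):
    """Percentage of the fleet carrying each finding, like the report's figures."""
    counts = {}
    for d in devices:
        for f in evaluate(d, today):
            counts[f] = counts.get(f, 0) + 1
    return {k: round(100 * v / len(devices), 1) for k, v in counts.items()}


# Constructed inventory; IDs and versions are illustrative only.
SAMPLE_DEVICES = [
    Device("d1", "ios", "17.4.1"),
    Device("d2", "ios", "17.5", has_device_lock=False, non_app_store_signer=True),
    Device("d3", "android", "14", aspl="2024-01-05"),
    Device("d4", "android", "13", aspl="2023-11-01"),
    Device("d5", "ios", "15.8.2"),
]


def sample_summary(today: str = "2024-03-31"):
    return summarize(SAMPLE_DEVICES, today)


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, evaluate(dev, "2024-03-31") or "compliant")
    print(sample_summary())
```

Two details are easy to get wrong in a real policy: version strings must be compared as numeric tuples (as a string, "17.10" sorts before "17.5"), and a device on an unsupported major line such as iOS 15 is out of date even if it runs the last release of that line, because no further security fixes will reach it.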

Device Operating System (OS) Threats

Jailbreaking or rooting a device weakens its built-in security features, leaves it vulnerable to malware and exploits, and, if done incorrectly, can render the phone useless. A user might intentionally jailbreak their device for a variety of reasons, but the same kind of compromise can also be initiated remotely by advanced threat actors who want to silently turn a mobile device into a surveillance tool. This behavior has been observed in APT activity tied to cyberespionage and nation-state backed attacks, and is most infamously associated with the way NSO Group's Pegasus surveillanceware infects a targeted individual's device.

Protect Your Company from Cyberattacks

Find out how Lookout can help you safeguard your business against mobile device cyber threats.