Mobile Threat Landscape Report:
Q3 2024
Executive Summary
The mobile threat landscape continues to evolve and grow at an alarming rate as cybercrime groups shift their tactics and target mobile devices in the early stages of their attacks. Looking at the entire landscape, from the simplest phishing kits to the most advanced nation-state surveillanceware, this report breaks down the most critical vectors of mobile risk.
Researchers in the Lookout Threat Lab note some particularly concerning findings including a 17% increase in enterprise-focused credential theft and phishing attempts since last quarter, a 32% increase in the number of malicious app detections, and an interesting trend where iOS devices are more exposed to phishing and web content threats than Android.
In addition, researchers in the Lookout Threat Lab recently disclosed two critical mobile surveillanceware family discoveries that they have been tracking for some time now. The two families are operated by advanced persistent threat (APT) groups based out of China and Russia.
Thanks to our industry-leading AI-driven dataset of more than 220 million devices, 360 million apps, and billions of web items, we are able to identify global trends that help inform security teams across every industry and geography about how to protect the data from mobile threats, where mobile vulnerabilities present risk, and integrate mobile device telemetry into their enterprise endpoint security strategy through SIEM, SOAR, or XDR integration.
This report is a summary of our findings from the third quarter of 2024, and proves that mobile threats must be thought of as a significant part of the modern day enterprise security strategy. Nobody knows the mobile threat landscape like Lookout.
Lookout Discovery Highlight: PlainGnome, BoneSpy, and EagleMsgSpy
.avif)
In a series of multiple novel threat discoveries, researchers in the Lookout Threat Lab have disclosed a number of mobile surveillanceware tools developed by advanced persistent threat (APT) groups based in China and Russia including Gamaredon and more. Each report dives into the unique tactics that each group uses, who has been targeted, and indicators of compromise (IOCs) that can be used for proactive threat hunting.
Phishing and Malicious Web Content
Globally, mobile phishing and malicious web content have become synonymous with business email compromise (BEC), MFA bypass attacks, executive impersonation, and vulnerability exploitation. These attacks are typically low cost and high reward, and for that reason have become the preferred initial step in the modern kill chain.
The most recent evolution in this threat vector is the use of executive impersonation attacks, which leverage an individual’s seniority and a lower-level employee’s innate desire to be helpful together to drive higher success rates. By creating a highly urgent situation and relying on lack of familiarity between the executive and the employee, attackers convince employees to share sensitive data, visit phishing pages, or send them money.
While the overall combined number dropped globally from what we saw in Q2, there was a significant (17%) increase in enterprise-targeted phishing and web attacks. This is an important trend to keep an eye on, as it indicates that attackers are turning their sights more specifically on enterprise users rather than blasting general phishing messages out to a non-targeted audience.
iOS is at Greater Risk
Whether your IT and security teams have to oversee 100 mobile devices or 10,000, they want to minimize the amount of variations they have to deal with. This is part of why iOS is more popular in the enterprise than Android - your teams can rely on more consistency and less complexity. In fact, across the Lookout customer base, there are more than two times the number of iOS devices than Android devices.
PRO TIP
Interactive Demo: Smishing & Executive Impersonation Protection
Phishing and Malicious Content Attacks by Region
With employees traveling the globe, it’s important to understand whether they might be at higher risk of phishing attacks in certain regions. Lookout identifies trends in each continent so that organizations operating in multiple regions can prioritize timely remediation for regions with an increasing number of attempts. The data for this quarter tracks consistently with what we’ve seen over the last couple of years.
Mobile Vulnerabilities
Mobile operating systems (OSs) and apps have vulnerabilities in their code just like any other piece of software. Even as developers release patches, there’s a window of opportunity between when a vulnerability is discovered and when the patch is released that attackers can take advantage of at-risk devices. In addition, end users don’t always install updates immediately. Monitoring your risk exposure due to vulnerable app and OS versions across your mobile fleet is a critical part of the modern enterprise security strategy, especially as a successful exploit can grant the attacker root access to the devices, access to sensitive data stored by the app, and control over permissions that the user previously granted that app.
Lookout monitors a wide range of vulnerabilities and threats, their global presence, and their potential impacts to inform you at the earliest possible moment and keep you safe. Below are the top vulnerabilities encountered by Lookout users in the second quarter of 2024.
10 Most Common Mobile Browser Vulnerabilities
Every mobile device has a web browser, and the most common vulnerabilities that Lookout observes tend to be in the various engines and components of these browsers. Most commonly, a successful exploit of these vulnerabilities could grant the attacker the ability to remotely execute code on the device. They are also typically exploited via a maliciously crafted webpage, which could be delivered via one of the many messaging apps that mobile users have installed.
All of the vulnerabilities in this list affect Chromium-based browsers. Chromium is an open-source project that Google maintains and develops, but is used broadly across browsers including Microsoft Edge, Opera, and more. These CVEs are listed by the coverage name implemented by Lookout for Lookout MES customers.
MultiApp-CVE-2024-7971
A type confusion bug in the underlying V8 Javascript and WebAssembly engine in Chrome that can be manipulated and is exploitable by threat actors.
MultiApp-CVE-2024-0519
An out of bounds memory access in the V8 Javascript engine. A remote attacker could exploit head corruption via a crafted webpage.
MultiApp-CVE-2023-7024
A heap-based buffer overflow vulnerability in the WebRTC framework that is used for video streaming, file sharing, and VoIP telephony.
MultiApp-CVE-2023-6345
A vulnerability in Skia, which is the 2D graphics engine used by a handful of mobile browsers. If successfully exploited, an attacker could infect the device with malicious code and steal sensitive data.
MultiApp-CVE-2024-5274
A type confusion bug in the underlying V8 Javascript engine in Chrome that could allow attackers to execute arbitrary code on the device via a crafted HTML page.
MultiApp-CVE-2024-4671
A use-after-free vulnerability in Visuals, which is a component of Chromium. There could be an outsized impact given the number of browser apps that use Chromium.
Chrome-CVE-2023-5217
A heap-based buffer overflow vulnerability in vp8 encoding in libvpix, which is a video codec library. A successful exploit could allow an attacker to execute code with a crafted HTML page.
MultiApp-MultiCVE-2024-4761-5160
A handful of vulnerabilities in various components including the V8 JavaScript engine such as Visuals and Dawn. Successful exploitation could grant an attacker access to any data that Chrome has access to or allow them to remotely execute code
Chrome-CVE-2023-4863
A heap-based buffer overflow vulnerability in libwebp, which is a library for WebP images. A successful exploit could allow an attacker to perform an out of bounds memory write.
MultiApp-CVE-2023-3079
A type confusion bug in the underlying V8 Javascript engine in Chrome that could allow attackers to execute arbitrary code on the device via a crafted HTML page.
5 Most Common Mobile App Vulnerabilities
Outside of browser vulnerabilities, Lookout also observed a number of critical vulnerabilities in other popular mobile apps.
EvilVideo (Telegram)
EvilVideo is associated with a zero-day vulnerability in the Telegram app for Android. Attackers exploit it to deliver CypherRAT, which is built on the commodity spyware tool SpyNote.
GalaxyStore-MultiCVE-2023-21433-21434 (Samsung Galaxy Store)
These two vulnerabilities exist in the Galaxy store app and allow attackers to arbitrarily install apps from the Galaxy Store as well as execute JavaScript by launching a web page.
Samsung-CVE-2021-25337 (Samsung TTS)
A vulnerability due to improper access control in clipboard service in Samsung mobile devices allows untrusted applications to read or write certain local files.
Authy-CVE-2024-39891 (Authy)
A vulnerability in the Twilio Authy API on both iOS and Android that allowed attackers to access phone number registration information for various online services.
TikTok-CVE-2022-28799 (TikTok)
A vulnerability in TikTok on Android that allows account takeover. An attacker could achieve this by sending a crafted URL that forces TikTok to load an attacker-controlled website.
Pro tip
Interactive Demo: Prevent Data Compromise from Invasive Mobile Apps
Mobile Malware
Spyware, surveillanceware, trojans, and root enablers are just a few of the many classifications of mobile malware that security teams should be concerned about. With wide-ranging abilities including tracking location, stealing data stored on the device, listening in on conversations, and accessing the device’s camera, these malware families can help a threat actor live in the pocket of your employee while putting the organization’s sensitive data and personnel at significant risk.
The number above represents a significant 32.4% increase in malicious app detections from the second quarter to the third quarter of this year.
10 Most Encountered Malware Families in Q3 2024
IdShark
Classification: Spyware
Platform: Android
IdShark can forward text messages, contact lists, financial information, and other device information to a 3rd party. It can also be used to track device location without user knowledge.
MoneytiseSDK
Classification: Trojan
Platform: Android
This monetization SDK is embedded into applications and offers to turn your phone into a proxy allowing the developers to make money by monetizing your network data.
Triada
Classification: Trojan
Platform: Android
Triada is known to have ties to the Russian APT named Gamaredon. It secretly controls the device and exfiltrates sensitive user data to a third party.
EyeSea
Classification: Trojan
Platform: Android
EyeSea is delivered via phishing messages and uses false claims to try to acquire user banking information. It can also intercept two-factor authentication codes.
Ggtrap
Classification: Spyware
Platform: Android
GgTrap is developed by Ajaya Solutions in India and can send a variety of sensitive data to remote servers to use for blackmail. This includes text messages, contact lists, call logs, phone number, browser bookmarks, location, financial information, and other device data.
Pandora
Classification: Spyware
Platform: Android
Pandora masquerades as a legitimate application that attempts to gain privileged access on the device once it’s installed. If successful, it will allow the attacker to control the device and use it for malicious purposes.
Coper
Classification: Trojan
Platform: Android
Coper is a trojan focused on the banking industry. It has a modular architecture and multi-stage infection process that can steal sensitive information from the user and their device.
AhMyth
Classification: Surveillanceware
Platform: Android
AhMyth masquerades as legitimate apps and can exfiltrate SMS messages, access the camera and geolocation of the device, and steal information via keylogging.
Empower Your Security Team with Threat Intelligence
Mobile threat intelligence fills a common gap in many existing security operation centers (SOCs), threat research organizations, and incident response teams that lack visibility into the complex and nuanced world of mobile malware. With the world’s largest mobile security dataset at its core, the Lookout Threat Intelligence team is able to detect and protect against the most nefarious mobile malware families.
Commoditization of advanced malware, evolution of nation-state mobile malware capabilities, record numbers of iOS zero-day vulnerabilities, and a heavy reliance on mobile-focused social engineering are four signs that we’ve entered an era where mobile devices must be included in the scope of what these teams do.
PRO TIP
Lookout collects and analyzes proprietary data points to provide your security teams with comprehensive protection capabilities against mobile cyber attacks. Our advanced AI-driven threat intelligence and machine learning technology ensure that your mobile devices are safeguarded from the latest threats.
Interactive demo: How to conduct proactive research on mobile malware
Most critical threat families of Q3 2024
BnkRat
Classification: Surveillanceware
Platform: Android
A banking trojan that attempts to collect credentials for online banking services. BnkRat can also monitor user activity on the device and send personal information such as keystrokes, contact lists, e-mail and text logs to a third party seeking to gain access to a victim's financial accounts.
KrSpy
Classification: Surveillanceware
Platform: iOS & Android
A Chinese-developed mobile surveillanceware that can collect the contact list, call logs, SMS messages, and GPS location. It can also use the camera and microphone to listen in on the victim.
SpySolr
Classification: Surveillanceware
Platform: Android
SpySolr is commercial surveillanceware and can collect sensitive user data including text messages, call logs, and contacts without the user's knowledge. It can also record the device audio and screen.
ValadSpy
Classification: Surveillanceware
Platform: Android
Commercial surveillanceware app that can collect sensitive user data including location data, text messages, and contacts without the user’s knowledge.
RealTimeSpy
Classification: Surveillanceware
Platform: Android
A mobile surveillanceware app that runs in the background and monitors user activity on the device, sending data including text messages, call logs, browser history, location, and emails to a remote third-party. Data collected by RealTimeSpy is known to be exposed in one or more data breach(es) which further compromises the privacy of affected users.
BingoMod
Classification: Trojan
Platform: Android
BingoMod is a trojan used for financial gain. It bypasses identity safeguards put in place by banking app developers and attempts to initiate money transfers out of the victim’s account through its screen overlay capabilities.
SpyAgent
Classification: Surveillanceware
Platform: Android
SpyAgent masquerades as a number of trustworthy apps, but has extensive spying and data theft capabilities. Most critically, it can gather and exfiltrate the infected device’s contacts, text messages, and stored images to a remote server.
Device Risks
In addition to phishing, apps, and malware, there are misconfigurations that can occur and open up the entire device to being taken over. This can range from simple device settings to advanced malware that gains root admin access to the device.
Top device misconfigurations
The risks posed by security misconfiguration vulnerabilities can have serious consequences for users. Security misconfigurations can leave a device and the data on it vulnerable to known and unknown exploits.
Out of Date OS
Out of date operating system (OS) versions, especially on iOS devices, can leave a device and the data on it vulnerable to known and unknown exploits.
Out of date ASPL
Android Security Patch Levels (ASPLs) are released by Google to patch new and known vulnerabilities in Android apps, Android OS, and even hardware components.
No device lock
Locking a mobile device is a basic form of securing it. Some users might disable the device lock to make it easier to open their device, which is a security risk.
Unencrypted
This implies that the device doesn’t have a password, pin, biometric recognition, or pattern authentication enabled.
Device Operating System (OS) Threats
Jailbreaking & rooting a device can weaken a device's built-in security features, leave it vulnerable to malware and exploits and, if done incorrectly, can render the phone useless. A user might intentionally jailbreak their device for a variety of reasons, but device compromises can also be initiated remotely by advanced threat actors who want to silently turn a mobile device into a surveillance tool. This type of behavior has been observed in APT activity tied to cyberespionage and nation-state backed attacks, and is most infamously tied to the way NSO Group’s Pegasus surveillanceware infects a targeted individual’s device.
