Mobile security threats are on the rise. Mobile devices now account for more than 70% of digital fraud, ranging from phishing attacks to stolen passwords. In the last quarter of 2021, security researchers discovered that over 300,000 Android smartphone users had downloaded what turned out to be banking trojans, delivered by malware that had bypassed detection on the Google Play app store.
In 2021, 46% of organisations had at least one employee download a malicious mobile application. The move to remote work for almost entire populations across the world during the COVID-19 pandemic saw the mobile attack surface expand dramatically, resulting in 97% of organisations facing mobile threats from several attack vectors.
These apps hide their malicious intent because delivery of the malware only begins once the app has been installed, which is how they evade Play Store detection.
After the initial download, users are forced to update the app in order to continue using it. This update establishes the connection to a command-and-control server. Once connected, the app downloads the payload onto the device, giving attackers the means to steal banking details or other sensitive personally identifiable information such as addresses, full names and social security numbers.
USAGE OF FORCED ENTRY
While Android users have been targeted through malicious third-party applications, Google researchers have stated that threat actors have been actively using FORCED ENTRY, an exploit that targets Apple’s image rendering library.
The exploit allows actors to remotely compromise iOS devices without any user interaction, which is why it is referred to as a ‘zero-click’ attack. It is usually delivered via an unsolicited SMS or email.
Once received, the message downloads several files with the “.gif” extension.
The files were:
- 27 copies of an identical file with the “.gif” extension. Despite the extension, the file was a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
- Four different files with the “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.
The output of the pdfid tool on these four “.gif” files was (NB: the stream had varying length):
If the exploit succeeds, it gives the actors access to the target’s microphone, calls, camera, photos and messages, including messages from end-to-end encrypted services such as WhatsApp, Telegram and Signal.
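As an added example (not code from the article), the following Python script applies the two defender-side checks implied by the file descriptions above: whether a file’s content actually matches the format its extension claims, and, for files that turn out to be PDFs, a count of structural keywords in the spirit of the pdfid tool (a simplified reimplementation of that idea, not pdfid itself). The sample files, filenames and sizes below are constructed to mirror the descriptions in the text; they are not the real artefacts, and the PDF skeleton is not a renderable document.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Well-known leading bytes for the three formats the article mentions:
# GIF images, Adobe Photoshop PSD files and PDF documents.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

# PDF keywords worth counting during triage; /JBIG2Decode marks a
# JBIG2-encoded stream, the other entries are common pdfid-style counters.
PDF_KEYWORDS = ("obj", "stream", "/JBIG2Decode", "/JavaScript", "/OpenAction")


@dataclass
class TriageResult:
    name: str
    size: int
    claimed: str                     # format claimed by the file extension
    detected: str                    # format inferred from magic bytes
    mismatch: bool                   # extension and content disagree
    pdf_counts: Dict[str, int] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def detect_format(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return "unknown"


def count_pdf_keywords(data: bytes) -> Dict[str, int]:
    """Count PDF structural keywords; 'obj'/'stream' exclude 'endobj'/'endstream'."""
    counts = {}
    for kw in PDF_KEYWORDS:
        if kw in ("obj", "stream"):
            counts[kw] = len(re.findall(rb"(?<!end)" + kw.encode(), data))
        else:
            counts[kw] = data.count(kw.encode())
    return counts


def triage(name: str, data: bytes) -> TriageResult:
    """Compare claimed and actual format and record anything a reviewer should see."""
    stem, _, ext = name.rpartition(".")
    claimed = ext.lower() if ext else ""
    detected = detect_format(data)
    result = TriageResult(name=name, size=len(data), claimed=claimed,
                          detected=detected, mismatch=(detected != claimed))
    if result.mismatch:
        result.flags.append(f"extension .{claimed} but content is {detected}")
    if len(stem) >= 30:  # hypothetical threshold: the article cites 34- and 97-character names
        result.flags.append(f"unusually long filename ({len(stem)} characters)")
    if detected == "pdf":
        result.pdf_counts = count_pdf_keywords(data)
        if result.pdf_counts["/JBIG2Decode"]:
            result.flags.append("JBIG2-encoded stream present")
    return result


# Constructed samples mirroring the article's descriptions (not real artefacts).
SAMPLES = {
    # A genuine GIF header: what a ".gif" file should look like.
    "cat.gif": b"GIF89a" + bytes(20),
    # A PSD header behind a .gif extension, padded to 748 bytes like the article's copies.
    "q8f2k1x9zt.gif": b"8BPS" + bytes(744),
    # A PDF skeleton behind a .gif extension with a 34-character name and a JBIG2 stream.
    "a" * 34 + ".gif": (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Filter /JBIG2Decode"
                        b" /Length 4 >>\nstream\nABCD\nendstream\nendobj\n%%EOF\n"),
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> List[TriageResult]:
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r.name[:20]:<20} {r.size:>5}B claimed={r.claimed} detected={r.detected}")
        for flag in r.flags:
            print(f"    ! {flag}")
        if r.pdf_counts:
            print(f"    pdf keywords: {r.pdf_counts}")
```

On a real device backup or mail spool the same checks run over every attachment; a mismatch between extension and magic bytes is a cheap, high-signal triage indicator on its own, and the keyword counts tell an analyst which files deserve a closer look.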
Other attacks on iOS devices target the Safari web browser. A vulnerability in Apple Safari 15’s implementation of the IndexedDB API could be abused by a malicious website to track users’ online activity.
The flawed IndexedDB implementation violates the same-origin policy. This allows a website to learn which other websites the user is visiting in different tabs or windows, and even to precisely identify users of Google services such as YouTube and Google Calendar.
An untrusted or malicious website can therefore learn a user's identity and link together multiple separate accounts belonging to the same user.
As mobile devices continue to evolve into an irreplaceable remote work tool, it comes as no surprise that mobile device security is one of the fastest-growing cyber security categories.
Spyware is commonly installed on mobile devices through malicious sites and advertisements, or through scams that trick the user into unintentionally downloading it. Spyware is typically used to collect data, so company devices infected with spyware may also expose company data.
“People want to believe they’re secure, and phone companies want you to believe they’re secure. What we’ve learned is, they’re not.”
- Dave Aitel, Cordyceps Systems
The article was written by Kendrick Lam