After years of headline-grabbing spyware and mobile zero-day attacks on journalists, activists, and politicians, there is established sensitivity among civil society to the risks associated with having your mobile phone (or that of someone close to you) hacked.
However, acceptance of mobile threats is still mostly absent in the commercial realm, where the mindset among CISOs is often, “Mobile security is not my responsibility because we use Mobile Device Management (MDM) for corporate fleets or wash our hands of BYOD.”
Wrong.
This is a pervasive myth, one that commercial spyware vendors (CSVs) and other hackers-for-hire are happy to exploit. And while CISOs are aware of the general vulnerability of mobile devices, with 55% saying employee phones are the most vulnerable node in the stack, the risk of attack from a competitor or adversary can still feel like a remote possibility within the enterprise. In fact, mobile threats are a real and growing problem: between 2021 and 2022, 920,000 unique mobile malware samples were collected, representing a 51% growth over the last few years.
The National Counterintelligence and Security Center put it this way:
“Today, foreign intelligence services, criminals, and private sector spies are focused on American industry and the private sector. These adversaries use traditional intelligence tradecraft against vulnerable American companies, and they increasingly view the cyber environment — where nearly all important business and technology information now resides — as a fast, efficient, and safe way to penetrate the foundations of our economy. Their efforts compromise intellectual property, trade secrets, and technological developments that are critical to national security.”
In today’s climate of economic espionage, mobile devices have become the front line of cybercrime and conflict. Here, we reveal five of the biggest myths about the risks of mercenary spyware and mobile malware to the enterprise, including examples of these threats doing real economic harm.
Myth #1: Mobile threats are niche and my organization is not a target.
Reality: Government and commercial adversaries increasingly set their sights on private sector targets.
For commercial spyware vendors (CSVs), cyber espionage is not a binary activity. While much mercenary spyware (which is frequently deployed as a zero-day attack) is sold to foreign governments that want to quash dissent or undermine political leaders, CSVs also sell to customers who target corporations that hold valuable data, documents, and IP - much of it accessible through a mobile phone.
Some of this work is sanctioned and funded by the same governments that may commission the surveillance of a journalist’s phone. In many countries, government and business are much more intertwined than they are in the United States and other Western democracies. China, Russia, Saudi Arabia, Israel, India, and others often work hand-in-hand with CSVs to infiltrate the mobile devices of individuals and organizations to give their state-run enterprises a leg-up in today’s hyper-competitive global marketplace.
Who are the prime targets of mobile device attacks? Commercial organizations have valuable information that can give a foreign government an economic, political, military, and psychological advantage over its rivals. Based on our research and customer investigations, business sectors at high risk include:
Defense
Critical Infrastructure
High-stakes litigation
Technology and social media
Firms dealing with cryptocurrencies
What do these adversaries want? It can vary, depending on who is hiring them, but generally they want to:
Steal valuable data including enterprise credentials
Gain trade secrets and intellectual property through corporate espionage
Conduct pattern-of-life targeting
Subsequent stages of an attack can also be used to facilitate ransomware, data extortion, fraud operations, and litigation.
An in-depth report by Reuters details how diet shake distributor ViSalus hired an Indian hacker for hire, Sumit Gupta, to obtain confidential information that would help its lawsuit against a competitor, Ocean Avenue. The report details many other high-stakes legal battles that were targeted by the firm Gupta would go on to found, BellTroX, which became known for its specialization in hacking lawyers, plaintiffs, and others involved in litigation. Most of the documents and information were obtained through social media and email phishing messages.
Additional reporting by Reuters detailed how the Indian firm Appin created a spyware-as-a-service business that unethical corporations, law firms, or individuals could use, essentially on demand: “Customers would log in to a discreet site – once dubbed “My Commando” – and ask Appin to break into emails, computers or phones. Users could follow the spies’ progress as if they were tracking a delivery, eventually receiving instructions to download their victim’s data from digital dead drops, according to logs of the system reviewed by Reuters.” One such campaign succeeded in derailing a potentially lucrative casino development for the Shinnecock Nation on Long Island.
Myth #2: Mobile device management (MDM) hardens devices against threats.
Reality: MDMs can’t defend against zero-day attacks.
Mobile Device Management (MDM) systems play an important role in IT management. They save users time by pushing applications to the device and helping IT managers inventory their assets. MDM can also help with remediation in the event a device is compromised; for example, you can remotely wipe a device that may have been stolen.
However, far too many companies assume that because they are managing their IT assets, those assets must be secure from compromise. This is far from the truth, and the false sense of security MDM can provide can even be a liability in today’s evolving threat landscape.
MDM platforms offer no protection at all against the sorts of zero-click, zero-day compromises associated with nation-state-level spyware. And MDMs do virtually nothing to protect against smishing attacks that lead to credential theft.
The complexity and diversity of the mobile device ecosystem poses additional challenges for MDM solutions. With a wide range of device types, operating systems, and applications in use (particularly in a world of widespread BYOD), it is challenging for MDM solutions to keep up with the constantly evolving vulnerability landscape.
Finally, the limited control that MDM systems have over device configurations and software updates can also contribute to their inability to harden devices against unknown threats. Without the ability to immediately push out patches and updates to all devices – and without a mobile threat defense capability to signal that a device requires immediate remediation – MDM solutions often struggle to address vulnerabilities quickly enough to prevent exploitation.
Myth #3: Mobile devices are secure out of the box.
Reality: Most people don’t use the security features on their phones.
Default settings on mobile devices are often geared more towards user experience and convenience than security. Features such as automatic Wi-Fi connections, location tracking, and app permissions leave devices vulnerable to various security threats. Without the user's awareness or intervention, these features can be exploited by malicious actors to gain unauthorized access to their devices and data.
As we’ve written before, OEMs face the challenge of balancing security with users’ favorite product features. Lockdown Mode was introduced by Apple to address the growing use of mercenary spyware to hack iPhones, and it does exactly what its name implies - it locks the user out of most of the features and tools that are frequently exploited, including some messages and attachments, web browsing, Siri, AirDrop, Bluetooth, and more, and it can limit the functionality of some apps.
Apple is very transparent about this and who the intended user is, stating: “Lockdown Mode is optional and should be used only if you believe you might be targeted by a highly sophisticated cyberattack, such as by a private company developing state-sponsored mercenary spyware.” However, even security professionals report turning off Lockdown Mode the moment it impedes their favorite device features and new research suggests that even Lockdown Mode can be spoofed on a compromised device.
The larger issue here is that Lockdown Mode represents the central challenge with a lot of mobile security solutions today: they are either relevant only to a small audience and can render your device nearly useless, or they are too complex to use in any real-world business setting.
The constant influx of new vulnerabilities and security flaws in mobile operating systems and apps adds another layer of risk. While manufacturers and developers work diligently to release updates and patches to address these vulnerabilities, there are often gaps, and responsibility is put on the user to ensure that their devices are up-to-date and secure.
During these gap periods, attackers have access to a list of security vulnerabilities affecting prior versions along with the fixes available in the updated software. They can devise attacks specifically targeted to users who haven't yet installed the update.
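As an added example, not code from the original post or from iVerify: a small report that measures the patch gap the two paragraphs above describe across a fleet, using a constructed MDM inventory export. The platform version lists, release dates, device rows, and the 7-day SLA are all assumptions.

```python
"""Patch-gap exposure report over an MDM inventory export (added example).

For each device, count how many days a newer OS build has been available
but not installed: that is the window in which attackers can work from the
published fix list against users who have not yet updated.
"""
from datetime import date

# Constructed sample data: (version, date it became available), newest last.
RELEASES = {
    "ios": [("17.4", date(2024, 3, 5)), ("17.5", date(2024, 5, 13))],
    "android": [("14-2024-04", date(2024, 4, 1)), ("14-2024-05", date(2024, 5, 6))],
}
SLA_DAYS = 7  # constructed policy: a device must update within a week

# Constructed MDM inventory rows; a real export would carry many more fields.
INVENTORY = [
    {"id": "iphone-a1", "platform": "ios", "os": "17.5"},
    {"id": "iphone-b2", "platform": "ios", "os": "17.4"},
    {"id": "pixel-c3", "platform": "android", "os": "14-2024-04"},
    {"id": "tablet-d4", "platform": "ios", "os": "16.7"},  # not in RELEASES
]
AS_OF = date(2024, 5, 20)  # constructed report date


def exposure_days(platform, installed, as_of):
    """Days since the newest release for this platform, or 0 if the device
    already runs it."""
    newest, released = RELEASES[platform][-1]
    if installed == newest:
        return 0
    return max(0, (as_of - released).days)


def triage(inventory, as_of):
    """Return (device_id, days_exposed, tier) sorted most-exposed first.
    tier is one of: current, within_sla, overdue, unknown_version."""
    rows = []
    for dev in inventory:
        known = [v for v, _ in RELEASES[dev["platform"]]]
        if dev["os"] not in known:
            rows.append((dev["id"], None, "unknown_version"))  # needs manual review
            continue
        days = exposure_days(dev["platform"], dev["os"], as_of)
        tier = "current" if days == 0 else ("within_sla" if days <= SLA_DAYS else "overdue")
        rows.append((dev["id"], days, tier))
    return sorted(rows, key=lambda r: -(r[1] or 0))


if __name__ == "__main__":
    for dev_id, days, tier in triage(INVENTORY, AS_OF):
        print(f"{dev_id:<12} {str(days):>5}d  {tier}")
```

Devices tagged unknown_version (builds absent from the release table) are worth a manual look, since a stale or unexpected build is itself a signal the inventory alone cannot explain.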
Myth #4: Multi-factor authentication (MFA) makes mobile endpoint security unnecessary.
Reality: A compromised mobile device can bypass MFA to access corporate assets.
MFA is a crucial tool for safeguarding sensitive information and preventing unauthorized access to corporate assets. However, with the increasing reliance on mobile devices for work-related tasks, the risk of a compromised mobile device posing a threat to MFA security has also escalated.
When a mobile device is compromised, whether through malware, phishing attacks, or other malicious tactics, the attacker gains unauthorized access to sensitive information stored on or transmitted by the device. This can include login credentials, MFA codes, and other authentication data necessary to access corporate assets.
One way a compromised mobile device can bypass MFA is through intercepting or manipulating the authentication process. For example, if malware is installed on the device, it can capture MFA codes in real-time as they are generated, allowing the attacker to use them to log in without the owner’s knowledge.
Another method is through social engineering tactics, where the attacker tricks the user into providing MFA codes or other authentication information under false pretenses. This manipulation can be especially effective on mobile devices, where users are often more susceptible to clicking on malicious links or providing sensitive information.
Realistically, security teams should expect this to happen and ask themselves, “What will we do next?” to prevent a single social engineering attack from cascading through their systems.
Myth #5: Mobile threat detection is impossible on iPhone.
Reality: Savvy malware developers and defenders can get into a walled garden.
Historically, Apple's closed ecosystem and stringent security protocols have made it difficult for cybersecurity researchers to identify zero-day vulnerabilities; difficult, but not impossible.
Another common hurdle is that malware developers take great pains to avoid detection. For example, unlike traditional malware that persistently resides on disk, sophisticated mobile malware can operate solely in memory, leaving minimal forensic traces. Malware developers often employ anti-forensics techniques, actively obstructing detection efforts – such as tampering with system logs – making it virtually impossible to find definitive evidence of an attack.
It’s hard to get over the garden’s tall walls, but when malicious actors get through the primary defenses, there’s no one to catch them, until iVerify.
We combine deep access to mobile devices with automated detection and expert analysis to scale and expedite the process of mobile forensics end-to-end, from flagging suspicious artifacts via device heuristics to immediately alerting organizations about unknown malware. Our rapid data collection gathers digital artifacts in seconds rather than the 40 minutes or more required by legacy solutions.