Anatomy of a Mobile Threat and the Impact of Lateral Movement

By iVerify Team

May 15, 2025

Life happens on our phones; there’s a solid chance you’re reading this on your mobile right now. Increasingly, work happens there too, with 67% of employees regularly accessing sensitive corporate data on personal devices. While this presents a leap forward in productivity and convenience, it’s a challenge for security teams working with tools designed to monitor and protect company networks, computers and other fixed-purpose devices. But even then, defenses can be circumvented with sophisticated phishing attacks, which, thanks to generative AI, are able to convincingly clone voices, images and dialects, leading to over $55 billion in losses through business email compromise over the last decade, according to the FBI.

Threat actors, looking to replicate the success they’ve seen with email-based social engineering attacks, are increasingly targeting mobile devices, which now account for 80% of phishing attempts, according to the latest Verizon Mobile Security Index. And it’s working. The same report indicates employees are 6-10 times more likely to fall victim to a smishing attack than an email attack, no doubt the impact of years of security awareness training. It’s no surprise then that iVerify’s own research has found that smishing attacks make up 39% of all mobile threats in 2024, a significant increase from previous years.

Despite these alarming stats, only 41% of organizations have implemented comprehensive mobile device management solutions. Clearly there’s a security gap.

What makes this gap so dangerous is the rapid evolution of mobile threats. We're witnessing the same pattern that transformed ransomware from a novelty into a billion-dollar criminal industry—advanced mobile spyware, once the exclusive domain of nation-states, is increasingly appearing in commercial settings. Tools like Pegasus, which can silently compromise a device through a simple text message, have already been found targeting corporate executives. The more accessible Hermit and Predator variants are showing up in criminal marketplaces, offering capabilities that would have been considered science fiction just years ago.

As cyber threats targeting mobile platforms continue to evolve—ranging from malware and smishing to more complex attacks like spyware and zero-day vulnerabilities—it's critical to understand the risks and implement preventative measures in order to stay ahead of the curve in the ever-changing landscape of mobile security.

Mobile-Driven Lateral Movement

An entire segment of security solutions exists to detect lateral movement within a network as a way to uncover foreign intrusion. Known as network detection and response (NDR), these tools identify attack activity in progress and attempt to contain movement before significant harm can be caused. Exploiting the gaps in mobile security, cybercriminal groups such as Scattered Spider have successfully penetrated corporate networks using cellphones as their entry point.

Image: Diagram of how threat adversaries utilize Mobile for Lateral Movement in an organization

A typical attack begins with social engineering to obtain credentials. The attackers gain initial access by resetting an IT administrator's account password through unspecified social engineering tactics.

Once they intercept MFA requests, they initiate an MFA bombing attack. They overwhelm the user with multiple authentication prompts until one is approved, thereby gaining access. The attackers then enroll their own devices in the MFA system, ensuring continued access.

With valid credentials, a threat actor can quickly pivot from the cloud to on-premises environments and access sensitive information, network architecture and privileged access. This enables them to move laterally within the network and quickly target on-premises assets.

By continuing to authenticate through the MFA devices they enrolled, the attackers bypass detection and keep the access they need to conduct operations unnoticed.
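
The sequence described above (a password reset, a burst of MFA prompts that ends in an approval, then enrollment of a new MFA device) leaves a recognizable trail in identity-provider logs. The following is an added example, not iVerify's code: a small correlation over constructed events, where the field names, action names and thresholds are all assumptions to be mapped onto your own log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field and action names are hypothetical, not a real IdP schema.
EVENTS = [
    ("2025-05-01T02:10:00", "it-admin", "password_reset", "helpdesk"),
    ("2025-05-01T02:14:05", "it-admin", "mfa_push_denied", "phone-A"),
    ("2025-05-01T02:14:40", "it-admin", "mfa_push_denied", "phone-A"),
    ("2025-05-01T02:15:10", "it-admin", "mfa_push_timeout", "phone-A"),
    ("2025-05-01T02:15:45", "it-admin", "mfa_push_denied", "phone-A"),
    ("2025-05-01T02:16:20", "it-admin", "mfa_push_approved", "phone-A"),
    ("2025-05-01T02:19:00", "it-admin", "mfa_device_enrolled", "phone-X"),
    ("2025-05-01T09:00:00", "alice", "mfa_push_denied", "phone-B"),
    ("2025-05-01T09:00:30", "alice", "mfa_push_approved", "phone-B"),
    ("2025-05-01T11:00:00", "bob", "mfa_device_enrolled", "phone-C"),
]
FAILED = {"mfa_push_denied", "mfa_push_timeout"}

def detect_mfa_chain(events, min_failed=3, burst=timedelta(minutes=10),
                     follow=timedelta(minutes=30)):
    """Flag approvals that end a burst of failed pushes; raise severity when a
    new MFA device is enrolled soon after, and note a preceding password reset."""
    findings, by_user = [], {}
    for ts, user, action, detail in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), action, detail))
    for user, evs in by_user.items():
        for i, (t_ok, action, _) in enumerate(evs):
            if action != "mfa_push_approved":
                continue
            # Failed or ignored prompts in the window leading up to this approval.
            failed = [t for t, a, _ in evs[:i] if a in FAILED and t_ok - t <= burst]
            if len(failed) < min_failed:
                continue  # a single mistaken denial is normal user behaviour
            enrolled = [d for t, a, d in evs[i + 1:]
                        if a == "mfa_device_enrolled" and t - t_ok <= follow]
            reset = any(a == "password_reset" and t_ok - t <= follow
                        for t, a, _ in evs[:i])
            findings.append({
                "user": user,
                "failed_prompts": len(failed),
                "approved_at": t_ok.isoformat(),
                "new_devices": enrolled,
                "preceded_by_reset": reset,
                "severity": "high" if enrolled else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in detect_mfa_chain(EVENTS):
        print(finding)
```

On the sample data only `it-admin` is flagged; the single denied prompt for `alice` and the standalone enrollment for `bob` stay below the thresholds.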

Mitigating the Risks of Mobile Threats

iVerify closes this gap in mobile devices to ensure that NDR services aren’t needed by stopping threat actors before they can move laterally from phones into the broader network. Our Mobile EDR provides a comprehensive solution by combining threat detection, mobile forensics, and automated response and remediation without requiring full mobile device management.

This holistic strategy guarantees optimal privacy and security by defending against complex threats like mobile malware, unpatched vulnerabilities, smishing attempts and credential theft at an enterprise level.
