Greetings everyone! I am truly excited to be writing my first blog for iVerify on the day I joined one of the most exciting cybersecurity startups in the world. I’ve been in cybersecurity for almost 28 years now (yes, I’m old enough to remember Dr. Solomon’s Anti-Virus, which came on a single floppy disk and detected 8 viruses!), with my last major gig at the rocket ship that is CrowdStrike, where I was Senior Director of Product Management for six years. One of my many responsibilities was to bring Falcon for Mobile to market just before their IPO in 2019. Mobile security has been a passion of mine for the last 20 years, and I’ve been responsible for mobile products and features that make mobile devices more secure at almost every company I’ve worked for in my career.
As a cybersecurity professional, though, how to secure mobile devices has kept me up at night for most of that time. Android and Apple iOS have not made it easy for third-party vendors to create solutions in this space; many would argue that they have gone out of their way to make third-party security products almost impossible to produce. The fact remains that there is malicious software for both platforms, albeit a lot less for iOS. Many enterprises across North America and Europe standardized on the iOS platform for their mobile fleet because they believed the reduced risk meant they did not have to worry about the endpoint. Sadly, this isn’t the case.
The two main threats to iOS are smishing and commercial spyware like Pegasus from the Israeli firm NSO Group. However, Pegasus is not the only spyware used by nation-states. It is commonly believed that a number of the major cyber powers, such as Russia and China, also have their own home-grown capabilities. An increase in aggression from these state adversaries over the last few years has targeted most of the major Fortune 1000 companies, so the idea that Pegasus infections and their like are confined to government, NGOs, and the press is simply not true anymore.
In a recent study, iVerify found 2.5 Pegasus infections per 1000 devices in their customer base. Now, of course, this is a biased sample, as most of these customers are the types of organizations that are regularly attacked with this type of spyware. Still, this number is increasing, and there is a belief that there could be several million iOS devices infected with commercial/nation-state spyware. We have so far been fortunate that these technologies have not regularly fallen into the eCriminal world, where they could be used for mass infections and sold as part of the malware-as-a-service solutions you can purchase on the dark web and criminal forums. Apple, as recently as 10th July 2024, warned users in 98 countries that “mercenary spyware” may have attacked their phones. These quarterly emails are not good enough and should not be relied upon, as Apple does not share when it detected the attack or how long the phone has been infected. Would you let spyware run amok in your enterprise systems and wait for the operating system or hardware manufacturer to notify you of a problem? Speed is paramount when dealing with these issues.
Imagine the scenario in which an adversary breaches the NSO Group, gets the source code to Pegasus, and leaks it online. Within a few days, most of the major malware-as-a-service vendors would be offering it as a service. Pegasus does not have executables that can be block-listed and can use a different C&C for every infection, so DNS and hash blocking won’t work. Of all the MTD vendors in the market today, only iVerify can detect this.
Another potential issue is that Apple is being forced to allow third-party app stores onto iOS devices. Over the years, Apple has had an excellent track record of severely reducing the number of malicious apps that get published on the App Store. Now, it is going to have to allow third-party app stores on devices within the EU, and those stores may not have the same rigorous review processes that Apple currently employs within its own App Store.
Because of this, I really hope we see Apple extend security-vendor access to iOS over the next couple of years, in the same way as it did with macOS. With access to technologies like eBPF, security vendors like iVerify would have a much easier task on their hands helping to protect users from all kinds of malicious spyware.
So why iVerify?
It became very apparent to me that iVerify was unique in the mobile threat defense market. In a market where, on iOS, no one else can detect local infections, iVerify was the only player that had done the really hard work of creating an EDR-like solution that actually works on both iOS and Android. That, coupled with a privacy-first approach (no MDM is required to deploy the software, and iOS devices do not need to be in supervised mode), means their solution can actually bring sound protection and benefits to the enterprises deploying it. Having a solution that barely detected more than a jailbreak did not fool the CISOs who were looking for a solution in this space, and almost all of them still rely on their MDM solution to provide a cursory stab at mobile protection.
iVerify changes the game and will set a high bar for any other company in this space to beat. All it will take is one major worldwide malware incident in this space for CISOs to be forced to buy mobile EDR, and iVerify will be standing by, ready to help.