Mobile phishing attacks on companies are increasing by leaps and bounds

Zimperium has published the “Global Mobile Threat Report 2024“. The security report identifies a significant increase in “mishing” threats (mobile targeted phishing), which use various tactics to exploit user errors and vulnerabilities in mobile devices.

Zimperium analyzed a total of more than 859,000 malware programs, discovering an annual average of 16,500 new malware samples every week.

Attackers pursue a “mobile-first” strategy in which various techniques are used to infiltrate malware into corporate environments. In particular, they use weakly secured and unmonitored mobile devices to gain access to company networks and sensitive data. Today, 82 percent of phishing sites target mobile devices.

Mishing is one of the biggest threats to companies

Cybercriminals rely on the fact that employees generally have a high level of trust in their mobile devices as a business tool and use this to launch attacks. Zimperium’s zLabs researchers found that 76 percent of phishing websites targeting business users use the secure HTTPS communication protocol to disguise malicious actions on mobile devices. In addition, phishing attempts via fake websites are more difficult to detect on compact smartphones with small screens because, for example, URL bars are hidden.

Successful mishing sites rely on hit-and-run strategies that pose considerable challenges for CISOs and their teams. Cybercriminals put fraudulent domains online in a short space of time and take them down again before they are discovered. According to research by Zimperium security experts, around a quarter of mobile phishing websites are operational and launch malicious activity less than 24 hours after being created.

Business risks due to app sideloading

In addition to the increase in mishing attacks, Zimperium researchers warn of the growing dangers of app sideloading. More and more programs are being used on smartphones that are not downloaded from the official app stores. According to figures from the financial services industry, two thirds of mobile threats can be traced back to unverified apps. The Zimperium study confirms that mobile users have a 200 percent higher risk of installing malware on their devices due to app sideloading.

“There is no doubt that mobile devices and applications are among the most important digital communication tools that need to be secured in enterprise environments,” emphasized Shridhar Mittal, Zimperium’s CEO. “In the digital age, 71 percent of employees currently use their smartphones for work-related tasks. Companies must therefore effectively protect their mobile endpoints and implement a multi-layered security strategy including app scanning to defend against mobile threats.”

Increase in platform vulnerabilities

The total number of common vulnerabilities and exposures (CVEs) increased significantly for both Android and iOS in 2023. The zLabs research team detected 1,421 CVEs on the Android devices analyzed, an increase of 58 percent over the previous year. Sixteen of these vulnerabilities were exploited in the wild, i.e. in real business scenarios and not just in test environments. On the iOS devices tested, 269 CVEs were registered, an increase of ten percent, and of these, 20 vulnerabilities were exploited in real-world attack scenarios.

The data highlights that iOS and Android devices are not inherently secure, with both platforms experiencing a significant increase in vulnerabilities. Despite frequent updates – 24 for Android and 35 for iOS in 2023 – organizations are finding it difficult to manage the required updates on all devices. This in turn underlines the need for proactive mobile security strategies that go beyond platform updates.

Overview of the mobile hazard situation

The report provides a comprehensive snapshot of mobile threats worldwide and documents differences between the individual regions. Zimperium’s global security study includes data from corporate customers and partners as well as assessments and recommendations from security researchers and industry experts.

Important findings on the mobile security situation at a glance:

• In the EMEA region, malware samples account for 57 percent of all malware detected on mobile devices, followed by riskware with ten percent and Trojans with eight percent.
• Zimperium experts have determined that 82 percent of phishing websites are specifically targeted at mobile devices.
• The number of malware samples detected is 13% higher year-on-year.
• A total of 76 percent of phishing websites use HTTPS to give potential victims a false sense of security.
• Riskware and Trojans account for 80 percent of the malware threats observed.
• The number of company devices connected to unsecured networks has risen by 45 percent.
• On average, a mobile device is connected to a risky network 17 times a year.
• Microsoft as a brand is one of the most frequently used phishing websites with 23 percent.
  

“Mishing attacks and mobile malware are increasingly evading detection and often go undetected on corporate networks,” said Chris Cinnamo, Senior Vice President of Product Management at Zimperium. “To effectively defend against mobile threats, enterprise IT security teams must be able to prioritize rapidly evolving and targeted attacks against employee mobile devices. Without proactive measures, mobile-based attacks will continue to infiltrate corporate networks, compromise sensitive data and disrupt overall business operations.”

The data in Zimperium’s “Global Mobile Threat Report 2024” documents that protecting mobile devices is an absolute prerequisite for digital security. By introducing a robust mobile security strategy, companies can close dangerous points of attack on the employee side to strengthen the mobile security situation and reduce the risk of disruptive cyber attacks.

(pd/Zimperium)