Q3 2024 mobile threat landscape proves worrying
January 31, 2025

Alarming trends seen emerging

According to researchers at the Lookout Threat Lab, the mobile threat landscape has evolved significantly in recent years. Cybercriminal groups are increasingly targeting mobile devices early in their attacks.

Researchers at the Lookout Threat Lab have been tracking these changes and have observed alarming trends highlighting the growing risk posed by mobile-based threats. From simple phishing kits to sophisticated nation-state surveillance tools, the breadth of risks now spans a wide range of attack vectors.

The latest Lookout Threat Lab report, summarising findings from the third quarter of 2024, outlines the most pressing mobile security risks businesses face and emphasises why mobile devices must be integrated into modern enterprise security strategies.

One of the most concerning findings in the latest report is the 17% increase in enterprise-targeted phishing and credential theft attempts. This surge indicates that attackers increasingly focus on organisations and their employees rather than using random, broad-spectrum phishing tactics.

These targeted attacks are often combined with other malicious techniques, such as social engineering, making them more effective and challenging to detect. In addition, the number of malicious app detections has risen by 32%, reflecting the growing sophistication of malware and spyware designed to infiltrate mobile devices.

iOS and Android

The trend also reveals an interesting disparity between iOS and Android devices: iOS devices are more frequently exposed to phishing and web content attacks than their Android counterparts.

The Lookout Threat Lab has also been tracking several high-profile surveillanceware families linked to advanced persistent threat (APT) groups operating from China and Russia. These surveillance tools, which include PlainGnome, BoneSpy, and EagleMsgSpy, are designed to infiltrate mobile devices and track their users.

Users do not always install updates immediately, exposing their devices to threats. Credit: Anna Tarazevich

The primary victims of these attacks are high-value targets such as diplomats, journalists, and political figures, making this type of attack particularly alarming. These findings underscore the need for businesses and individuals to remain vigilant against mobile-based surveillance and espionage threats.

Phishing and malicious web content are among the most commonly exploited attack vectors on mobile devices. These attacks are hazardous due to their low cost and high potential reward.

Attack modes

Attackers use business email compromise (BEC), multi-factor authentication (MFA) bypass, executive impersonation, and vulnerability exploitation to gain access to sensitive data and financial resources. A key evolution in this threat landscape has been the rise of executive impersonation attacks, which exploit employees’ desire to be helpful.

In these attacks, cybercriminals impersonate high-level executives and create urgent situations to manipulate employees into sharing sensitive information, clicking on phishing links, or even transferring money. Since 2019, Lookout has identified over 473 million phishing and malicious sites globally, blocking 13.7 million sites in the third quarter of 2024 alone.

Although the number of phishing and malicious web attacks in Q3 decreased slightly compared to the previous quarter, there was a notable 17% increase in enterprise-targeted attacks. This shift indicates that attackers are focusing on specific organisations rather than casting a wide net.

Phishing attacks have also become more prevalent on iOS devices. In the first three quarters of 2024, 19% of enterprise iOS devices were exposed to at least one phishing attempt. In comparison, only 10.9% of Android devices experienced similar exposure during the same period.

These findings suggest that businesses may need to reconsider their security strategies to address the vulnerabilities of iOS devices, which have become an increasingly attractive target for cybercriminals.

Employees’ geographic locations can also significantly influence their risk of being harmed by phishing attacks. With employees travelling around the globe, understanding regional trends can help organisations identify higher-risk areas and prioritise remediation efforts. Lookout has tracked consistent patterns across different regions, reflecting the global nature of mobile threats.

The organisation’s data offers crucial insights that allow businesses to focus their resources on regions with a rising number of phishing attempts, helping mitigate potential risks before they escalate into full-scale attacks.

Constantly evolving

Mobile operating systems (OS) and apps constantly evolve but are not immune to vulnerabilities. As new updates are released, attackers have a window of opportunity to exploit vulnerabilities before patches are applied.

Additionally, users do not always install updates immediately, exposing their devices to threats. Vulnerabilities in mobile OSs and apps can allow attackers to gain root access to a device, steal sensitive data, or take control of the device’s permissions. In Q3 2024, Lookout identified several common vulnerabilities across mobile browsers and apps.

Notably, most of these vulnerabilities affect Chromium-based browsers such as Google Chrome, Microsoft Edge, and Opera. These vulnerabilities include buffer overflow and type confusion bugs, which attackers could exploit to execute arbitrary code on a device.

Other critical vulnerabilities identified by Lookout include those affecting popular apps like Telegram, TikTok, and Samsung’s Galaxy Store. In the case of Telegram, a zero-day vulnerability allowed attackers to deliver the CypherRAT spyware tool to Android users. Separately, a flaw in TikTok could enable attackers to hijack accounts by sending malicious URLs.

In addition, Samsung’s Galaxy Store had vulnerabilities that allowed attackers to install arbitrary apps on devices or execute JavaScript via web pages. These app vulnerabilities present a significant risk to individual users and enterprise environments, as employees often use a wide range of apps on their mobile devices, creating multiple potential entry points for cybercriminals.

Mobile malware

As mobile malware grows more sophisticated, security teams must be proactive in their approach to mobile threat intelligence. In Q3 2024, Lookout detected more than 106,000 malicious apps on enterprise devices, marking a 32.4% increase in malicious app detections compared to the previous quarter.

Spyware, trojans, and surveillanceware were among the most common types of malware encountered, with Android devices being the primary target. Malware such as IdShark, MoneytiseSDK, and EyeSea is designed to monitor users’ activity, steal sensitive data, or take control of the device. Surveillanceware, such as AhMyth and KrSpy, poses an even greater risk, enabling attackers to track users’ movements, intercept communications, and access private information.

The commoditisation of advanced mobile malware has made it easier for cybercriminals to access sophisticated tools once reserved for nation-state actors. As a result, businesses must remain vigilant and ensure that their mobile security strategies are comprehensive and up-to-date.

In Q3 2024, Lookout’s Threat Intelligence team identified and protected against 48 new mobile malware families while enhancing protections for 85 known families. With mobile devices becoming an essential part of the modern enterprise, incorporating mobile threat intelligence into a company’s overall security strategy is no longer optional; it is a necessity.

A key aspect of securing mobile devices is understanding misconfiguration risks. Simple misconfigurations, such as outdated operating systems, disabled security patches, or the lack of a device lock, can make them vulnerable.

These misconfigurations can open devices to exploitation by attackers, who may gain control over sensitive data or take complete administrative control of the device. According to Lookout, 31.1% of devices in its customer base had outdated operating systems, while 12.3% lacked the latest Android security patches. Furthermore, 18.8% of devices had no device lock enabled, which increases the risk of unauthorised access.

Jailbreaking and rooting mobile devices also weaken their security by bypassing built-in protections, leaving them vulnerable to malware and exploits. In extreme cases, cybercriminals can remotely compromise a device, turning it into a surveillance tool without the user’s knowledge. This type of activity is particularly concerning in the context of APT groups, who use mobile devices as tools for cyberespionage and surveillance.

As mobile devices become increasingly integral to business operations, protecting them from cyber threats has never been more critical. The rise of sophisticated malware, the commoditisation of surveillance tools, and the growing risk of phishing attacks demand a comprehensive mobile security strategy.

Hero image: A key aspect of securing mobile devices is understanding misconfiguration risks. Credit: Sora Shimazaki

Arnold Pinto

Arnold Pinto is an award-winning journalist with wide-ranging Middle East and Asia experience in the tech, aerospace, defence, luxury watchmaking, business, automotive, and fashion verticals. He is passionate about conserving endangered native wildlife globally. Arnold enjoys 4x4 off-roading, camping and exploring global destinations off the beaten track. Write to: arnold@menews247.com