Nowadays, smartphone users are faced with various threats, such as fake websites offering malicious mobile apps, software development tools that turn legitimate apps into spyware, or even chat apps with malware. And to think that these are just some of the threats that researchers at global digital security firm ESET have identified and analyzed in recent months.
And while these threats may seem like problems for individuals using their personal devices, various surveys show that employees equipped with smart company phones are also targets.
Prioritizing protection against these threats is vital, but it's not an easy task. Why? Because even after cybersecurity training, employees remain vulnerable, potentially making them the weakest link in an otherwise strong defense system. This underscores how important it is now for businesses to protect their employees' mobile devices in a complex, layered way as part of a unified cybersecurity platform.
But let's see what ESET's telemetry showed. From the beginning of 2020 to the end of 2023, Android malware detections increased by 222%. ESET's threat reports offer more insight into why that number more than tripled in just four years.
In 2021, ESET's telemetry detected a 428% annual increase in Android banking malware. In 2022, the overall increase was due to adware. And in 2023, there was a significant increase in Android spyware cases.
If you're wondering what this means for your business, check out the survey results listed below.
A 2022 survey of employees and IT security professionals from around the world revealed that half of the respondents were using their employer-issued devices to check their personal emails and messages. In addition, 45% used company devices to read the news, while 32% made purchases online.
Ironically, emails, online stores, and even news websites were the main attack vectors described in various sections of ESET's 2023 survey.
When it comes to employees using their own devices, 48% of companies with a Bring Your Own Device (BYOD) policy saw malware invade company systems via an employee's personal phone, according to a Samsung survey in 2023.
If you're wondering what's behind these breaches, another 2022 survey found that the most common mistake contributing to cybersecurity incidents is mismanagement of employee passwords and misuse of personal email.
Let's look at a few examples of how a malicious app installed on an employee's smartphone can put the company at risk.
Last year, ESET researchers published an article about two campaigns targeting Android users that were active in July 2020 and July 2022, respectively, and distributed through app stores and dedicated websites.
The threat actors modified the open-source Signal and Telegram apps for the Android operating system with malicious code that ESET researchers later identified as BadBazaar. These malicious apps went by the names Signal Plus Messenger and FlyGram and were intended to exfiltrate user data such as contacts, call logs and the list of Google accounts.
The Signal Plus Messenger app proved more dangerous than FlyGram with its unique ability to spy on the victim's communications on the legitimate Signal app, an app often praised for its reliability and trusted by high-value targets such as journalists.
After installing Signal Plus Messenger, cybercriminals were able to connect the victim's compromised device to the attacker's device (on which the Signal app was installed) and read the victim's messages. Such sensitive information could be used in spear phishing attacks against business executives.
A similar case was reported in June 2023, when ESET researchers published an investigation into the Android spyware GravityRAT. This malware was distributed alongside the malicious messaging apps BingeChat and Chatico, both based on the OMEMO Instant Messenger app. The spyware can extract call logs, contacts, SMS messages, device location, basic device information and files with specific extensions such as jpg, png, txt, pdf, etc.
If your company has a BYOD policy, it's essential to be concerned about Android malware, the threat behind an 89% increase in ESET's telemetry detections in the second half of 2023. This increase is mainly due to a Software Development Kit (SDK), which ESET identifies as SpinOk spyware.
This set of tools was offered as a gaming platform and was integrated into numerous legitimate Android apps, including many apps available on official app stores. Once an app with the aforementioned SpinOk SDK is installed, it acts like spyware, connecting to a command and control server and extracting a range of data from the device, including potentially sensitive content.
Again, this attack can affect company employees who may be "playing" games on their smartphones, with the spyware collecting sensitive data that can later be used against the company.
Other attacks
So far, we've outlined the spyware detected by ESET researchers over the past year, but there are other threats to businesses that come from mobile devices.
Most employees probably don't use their mobile devices for programming, accounting or administrative tasks, but the cases mentioned above clearly show that they are valuable targets for cybercriminals. This makes them a potential weak link for a company's cybersecurity.
This is why it is so important for businesses to prioritize implementing a comprehensive and layered protection system for their mobile devices as part of a unified cybersecurity platform.