As is the case every year, 2024 brought about countless new cybersecurity challenges including significant growth of the mobile threat landscape. Threat actors, ranging from nation-states to individuals, have increasingly begun to target mobile devices at the onset of their attacks.
Organizations of every size across every industry need to view mobile targeting as a canary in the coal mine - an early indication that they could be under attack elsewhere in their infrastructure.
Threat actors are aware that mobile devices are one of the most common blind spots in any organization, which is why they go there first. The complexity of mobile ecosystems and tricky balance between security and privacy leads many security teams to shy away from treating them like every other data-rich endpoint in their organization.
The purpose of this report is to help security teams understand where they need to look in order to secure their mobile fleet, which in turn leads to an airtight endpoint security posture. In addition, understanding where AI can be a defensive asset is just as critical as understanding how threat actors are using it on offense.
By breaking down mobile phishing attacks, malware discoveries, exploitable vulnerabilities, and device misconfiguration risks, Lookout gives direction to teams who know mobile is a risk but don’t have the visibility to know where to start.
Researchers in the Lookout Threat Lab note some particularly concerning findings that show the importance of getting ahead of the modern threat actor.
Lookout's extensive dataset, encompassing over a decade of data from more than 230 million devices, 375 million apps, and billions of web items, leverages AI to pinpoint global trends. These insights empower security teams across all industries and regions to safeguard data from mobile threats, identify vulnerabilities, and incorporate mobile device telemetry into their enterprise endpoint security strategy via SIEM, SOAR, or XDR integration.
This report is a summary of our findings from 2024, and proves that mobile threats must be thought of as a significant part of the modern-day enterprise security strategy in 2025 and beyond.
Nobody knows the mobile threat landscape like Lookout.
Across the Lookout threat intelligence research team’s key discoveries, there is a consistent theme of known threat actors turning to mobile as their initial point of compromise. For example, Chinese APT groups are known to use phishing attacks to compromise foreign ministries for espionage purposes. However, BadBazaar, spyware attributed to one of these groups, is built specifically for monitoring individuals on their mobile devices and targets victims through the messaging app Telegram.
Outside of nation-state actors, Lookout also uncovered CryptoChameleon, a cybercrime group based in the United States that follows in the footsteps of Scattered Spider to compromise individuals and organizations. Their initial targets included employees of the FCC, Binance, and Coinbase. Since then, they’ve made a habit of targeting any organization that uses Okta, as well as well-known individuals and celebrities, by posing as Apple support in order to steal from iCloud accounts. The group displayed some novel tactics, which are now widely in use.
Threat actors no longer rely on beating down the door to breach organizations. With the high efficacy of mobile-focused social engineering, executive impersonation, and credential theft attacks, malicious individuals can walk right through that door while pretending to be someone else.
Generative AI has made it easier for those actors to put on the mask and look like they belong, making it nearly impossible for employees to tell if the text they’re receiving is actually from their head of IT, CEO, or other influential member of the organization.
To take it a step further, the format of enterprise single sign-on portals and the authentication texts they send is widely known. This is what groups like CryptoChameleon rely on to successfully execute their attacks. Even as bad actors evolve their tactics, security teams can keep a step ahead with predictive AI that can observe new websites as they’re being built and proactively secure users against those attacks.
Thanks to Apple’s walled garden approach, iOS is the mobile operating system of choice for most enterprise organizations. It makes sense, as the complexity of an Android-heavy environment would mean managing dozens of device manufacturers and a generally more open ecosystem than that of iOS.
However, just because iOS can only run on Apple devices does not mean that those users are at less risk of interacting with mobile phishing attacks. Unlike mobile malware, which relies on the target device’s OS, mobile phishing attacks are web-based. This means that they can be delivered to any device through any app with a messaging function.
Over the course of the last five years, iOS users have been exposed to significantly more phishing attacks than Android users. The data represent the percentage of devices that were exposed to at least one mobile phishing attack in that particular year. 2024 was the first year where iOS devices were exposed more than twice as much as Android devices.
With employees traveling the globe, it’s important to understand whether they might be at higher risk of phishing attacks in certain regions. Lookout identifies trends in each continent so that organizations operating in multiple regions can prioritize timely remediation for regions with an increasing number of attempts. The data for this quarter tracks consistently with what we’ve seen over the last couple of years.
Vulnerabilities, regardless of where they exist, can be a highly effective point of initial access for a threat actor. Mobile operating systems and apps have vulnerabilities in their code just like any other piece of software, and more often than not those vulnerabilities can be exploited by simply sending a link to the target device.
Zero-click and one-click exploitation is a tactic used by threat actors in the mobile landscape, which means security teams have little to no time to act if an employee’s device is vulnerable. Known vulnerabilities often take a couple of weeks to patch, and even once those patches are available end users take time to update their devices and apps.
This creates a significant window of opportunity for threat actors to exploit vulnerable devices. In the mobile landscape, a successful exploit can also mean control over the vulnerable app’s permissions, which often leads to data leakage or credential theft.
Mobile devices are vulnerable to attacks due to the web browsers they use. The browser engines and components often contain vulnerabilities that, if exploited, could allow an attacker to remotely execute code on the device. These attacks typically occur through malicious webpages, which can be delivered via messaging apps. These CVEs are listed by the coverage name implemented by Lookout for Lookout MES customers.
A type confusion bug in the underlying V8 JavaScript and WebAssembly engine in Chrome that can be manipulated and is exploitable by threat actors.
A heap-based buffer overflow vulnerability in the WebRTC framework that is used for video streaming, file sharing, and VoIP telephony.
An out-of-bounds memory access in the V8 JavaScript engine. A remote attacker could exploit heap corruption via a crafted webpage.
A use-after-free vulnerability in Visuals, which is a component of Chromium. There could be an outsized impact given the number of browser apps that use Chromium.
A type confusion bug in the underlying V8 JavaScript and WebAssembly engine in Chrome that can be manipulated and is exploitable by threat actors.
A vulnerability in Skia, which is the 2D graphics engine used by a handful of mobile browsers. If successfully exploited, an attacker could infect the device with malicious code and steal sensitive data.
A handful of vulnerabilities in various components, such as the V8 JavaScript engine, Visuals, and Dawn. Successful exploitation could grant an attacker access to any data that Chrome has access to or allow them to remotely execute code.
A type confusion bug in the underlying V8 JavaScript engine in Chrome that could allow attackers to execute arbitrary code on the device via a crafted HTML page.
A heap-based buffer overflow vulnerability in VP8 encoding in libvpx, which is a video codec library. A successful exploit could allow an attacker to execute code with a crafted HTML page.
Two use-after-free vulnerabilities in Family Experiences and another in Serial, which are components of Chromium. There could be an outsized impact given the number of browser apps that use Chromium.
Spyware, surveillanceware, trojans, and root enablers are just a few of the many classifications of mobile malware that security teams should be concerned about. With wide-ranging abilities including tracking location, stealing data stored on the device, listening in on conversations, and accessing the device’s camera, these malware families can help a threat actor live in the pocket of your employee while putting the organization’s sensitive data and personnel at significant risk.
IdShark can forward text messages, contact lists, financial information, and other device information to a third party. It can also be used to track device location without user knowledge.
Triada is known to have ties to the Russian APT named Gamaredon. It secretly controls the device and exfiltrates sensitive user data to a third party.
This monetization SDK is embedded into applications and offers to turn your phone into a proxy allowing the developers to make money by monetizing your network data.
EyeSea is delivered via phishing messages and uses false claims to try to acquire user banking information. It can also intercept two-factor authentication codes.
GgTrap is developed by Ajaya Solutions in India and can send a variety of sensitive data to remote servers to use for blackmail. This includes text messages, contact lists, call logs, phone number, browser bookmarks, location, financial information, and other device data.
Mobile threat intelligence enhances security operation centers (SOCs), threat research organizations, and incident response teams by providing visibility into the complex world of mobile malware, a capability many of these groups lack. Lookout's Threat Intelligence team leverages the world’s largest mobile security dataset to detect and protect against the most dangerous mobile malware families.
Mobile device security must now be a priority for security teams, given the increased availability of sophisticated malware, the development of state-sponsored mobile malware, an unprecedented number of iOS zero-day vulnerabilities, and a significant reliance on mobile social engineering.
A surveillanceware tied to a Russian threat actor (UAC-0210) that claims to be a legitimate mapping application, but can steal user data including login credentials and device location.
A surveillance tool most likely tied to an Uzbekistan-based Sandcat threat actor. It can forward sensitive user data to third parties. Data includes text messages, call logs, and contacts. It can also record phone calls.
A banking trojan that attempts to collect credentials for online banking services. BnkRat can also monitor user activity on the device and send personal information such as keystrokes, contact lists, e-mail and text logs to a third party seeking to gain access to a victim's financial accounts.
A Chinese-developed mobile surveillanceware that can collect the contact list, call logs, SMS messages, and GPS location. It can also use the camera and microphone to listen in on the victim.
A banking trojan that attempts to collect personal and financial information. It monitors user activity, intercepts text messages, and sends messages to a third party seeking access to a victim’s account. It is also capable of collecting call logs and device information.
BingoMod is a trojan used for financial gain. It bypasses identity safeguards put in place by banking app developers and attempts to initiate money transfers out of the victim’s account through its screen overlay capabilities.
SpySolr is commercial surveillanceware and can collect sensitive user data including text messages, call logs, and contacts without the user's knowledge. It can also record the device audio and screen.
A banking trojan that attempts to collect credentials and monitor user activity. It is capable of logging keystrokes, text logs and screen captures. It is also capable of displaying false notifications and overlays.
A surveillance tool hidden in mobile gaming loaders that attempts to collect contact information, device location and SMS messages.
In addition to phishing, apps, and malware, there are misconfigurations that can occur and open up the entire device to being taken over. This can range from simple device settings to advanced malware that gains root admin access to the device.
The risks posed by security misconfiguration vulnerabilities can have serious consequences for users. Security misconfigurations can leave a device and the data on it vulnerable to known and unknown exploits.
Out of date operating system (OS) versions, especially on iOS devices, can leave a device and the data on it vulnerable to known and unknown exploits.
Android Security Patch Levels (ASPLs) are released by Google to patch new and known vulnerabilities in Android apps, Android OS, and even hardware components.
Locking a mobile device is a basic form of securing it. Some users might disable the device lock to make it easier to open their device, which is a security risk.
This implies that the device doesn’t have a password, PIN, biometric recognition, or pattern authentication enabled.
Jailbreaking & rooting a device can weaken a device's built-in security features, leave it vulnerable to malware and exploits and, if done incorrectly, can render the phone useless. A user might intentionally jailbreak their device for a variety of reasons, but device compromises can also be initiated remotely by advanced threat actors who want to silently turn a mobile device into a surveillance tool. This type of behavior has been observed in APT activity tied to cyberespionage and nation-state backed attacks, and is most infamously tied to the way NSO Group’s Pegasus surveillanceware infects a targeted individual’s device.
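As an added illustration (not Lookout's code or data), the following Python fleet audit flags the four misconfiguration classes described above from constructed MDM-style inventory records, so the findings can be forwarded to a SIEM. The "latest" OS versions, the patch-age threshold and the audit date are assumed placeholders an administrator would supply.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed placeholders, not vendor data: an admin would feed these in from
# MDM or vendor release notes at audit time.
LATEST_OS = {"ios": "17.6", "android": "14"}
REFERENCE_DATE = date(2024, 12, 31)   # the day the audit is run (constructed)
MAX_ASPL_AGE_DAYS = 90                # how stale an Android Security Patch Level may be

@dataclass
class Device:
    device_id: str
    os: str                  # "ios" or "android"
    os_version: str          # e.g. "17.4"
    aspl: Optional[date]     # Android Security Patch Level; None on iOS
    lock_enabled: bool       # passcode/PIN/biometric/pattern configured
    compromised: bool        # jailbroken (iOS) or rooted (Android)

def parse_version(v: str, width: int = 3) -> tuple:
    """Zero-pad so '14' and '14.0' compare equal and '16.7' sorts below '17.6'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def assess(dev: Device) -> list:
    """Return (severity, finding) pairs for the misconfiguration classes in the report."""
    findings = []
    if dev.compromised:
        findings.append(("critical", "device is jailbroken/rooted"))
    if not dev.lock_enabled:
        findings.append(("high", "no device lock configured"))
    if parse_version(dev.os_version) < parse_version(LATEST_OS[dev.os]):
        findings.append(("medium", f"OS {dev.os_version} behind latest {LATEST_OS[dev.os]}"))
    if dev.os == "android" and dev.aspl is not None:
        age = (REFERENCE_DATE - dev.aspl).days
        if age > MAX_ASPL_AGE_DAYS:
            findings.append(("medium", f"security patch level is {age} days old"))
    return findings

def audit(devices) -> dict:
    """Map device_id -> findings, keeping only devices with at least one finding."""
    return {d.device_id: f for d in devices if (f := assess(d))}

FLEET = [  # constructed sample inventory
    Device("ios-001", "ios", "17.6", None, True, False),
    Device("ios-002", "ios", "16.7", None, False, False),
    Device("and-001", "android", "14", date(2024, 12, 1), True, False),
    Device("and-002", "android", "13", date(2024, 6, 5), True, True),
]

if __name__ == "__main__":
    for dev_id, findings in audit(FLEET).items():
        for severity, text in findings:
            print(f"{dev_id}\t{severity}\t{text}")
```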
Find out how Lookout can help you safeguard your business against mobile device cyber threats.