Lookout Logo

Mobile Threat Landscape Report:
2023 in Review

Executive Summary

Whether you’re a small business, multinational enterprise organization, or government entity, 2023 proved to be an evolutionary year for mobile threats. There were a record number of zero-day vulnerabilities discovered in iOS, multiple discoveries of popular apps like TikTok and PinDuoDuo having risky data collection practices, and the cybercrime group Scattered Spider proved that mobile phishing is an extremely effective way to take down some of world’s largest organizations. 

The way that threat actors are targeting and attacking organizations is shifting. The trends and data in this annual report indicate that actors are relying more heavily on social engineering - taking full advantage of new exposure points and vulnerabilities in both software and employees themselves. To that end, there was a record number of mobile phishing attempts targeting enterprise users this year. In addition, the most prominent mobile app vulnerabilities in 2023 could be exploited by sending the targeted individual to a maliciously crafted webpage through SMS, iMessage, or any other mobile app with messaging functionality. 

Thanks to our industry-leading dataset and the wide breadth of businesses, governments, and individuals worldwide that trust Lookout to secure their devices and data, we are able to identify global trends in the mobile threat landscape informed by hundreds of millions of apps, devices, and web items. 

Organizations of every size in every industry are at greater risk because their mobile devices are the last unprotected endpoints. This report proves that cybercriminals are evolving their tactics by using multiple attack vectors that target mobile devices, which means that checking the box is no longer enough. No one can identify threats and defend mobile devices like Lookout can. We’ve got you covered.

Lookout Threat Intelligence Research Highlights

Researchers in the Lookout Threat Lab leverage the world’s largest mobile telemetry dataset to track advanced persistent threat (APT) activity, discover new mobile malware, and provide actionable intelligence. Below are three of key discoveries by our team in 2023.

Lookout Identifies Android App Used by Russian Sandworm APT's Infamous Chisel Spyware Tooling
Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
Lookout Discovers Robin Banks Phishing Kit Uses MFA Bypass to Target Financials and Crypto

Phishing and Malicious Web Content

Mobile phishing is one of the biggest challenges facing IT and security teams today. In the modern killchain, this tactic has become arguably the most effective way for threat actors to steal employee credentials. And as MFA bypass becomes more prominent, threat actors can log into corporate infrastructure to conduct recon, create backdoors, and compromise data.

As one of the most widely-adopted mobile threat defense solutions, Lookout defends its customers with out-of-the-box protections against phishing and malicious content as well as the ability to create custom content rules and denylists.

431,000,000
Phishing and malicious sites identified by Lookout Security Cloud globally since 2019.
54,000,000
Denylisted and offensive content sites blocked in 2023
4,000,000
Phishing and malicious web attacks were prevented by Lookout in 2023
58,000,000
Sites blocked by Lookout in 2023

PRO TIP

The features, functionality, and screen size of today’s mobile devices make it harder for a user to spot phishing attacks and determine what is real versus what is fake.

Lookout recommends if you receive a text message from an unknown number that creates a sense of urgency, do not tap on it. If the message alleges to be from an organization such as your IT team or your bank, call them directly to confirm that they sent the message.

Mobile Vulnerabilities

Risky vulnerabilities can exist at both the operating system (OS) and application level on mobile devices. While OS vendors and developers of popular apps will usually push patches for these vulnerabilities in a timely fashion, there is usually a gap between when the vulnerability is disclosed and patched then installed by users. This can leave the device and its data at risk for long periods of time.

Lookout monitors a wide range of vulnerabilities and threats, their global presence, and their potential impacts to inform you at the earliest possible moment and keep you safe. Below are the top vulnerabilities encountered by Lookout users in 2023.

300,000,000+ mobile apps and app versions have been ingested into the Lookout Security Cloud
CVE-2023-4863

A vulnerability in Chrome for Android’s WebP image format. A similar image processing vulnerability was linked with the BlastPass exploitation for delivery of Pegasus.

CVE-2022-4262

A vulnerability in Chromium that could affect certain versions of Google Chrome and Microsoft Edge browsers on mobile.

CVE-2022-3723

A vulnerability in libvpx, which is a video codec library used by Chrome, Firefox, and Firefox Focus for Android.

CVE-2022-1633-1641

A group of 9 vulnerabilities across various components of Chrome for Android that could enable an attacker to compromise the user's data on a vulnerable device.

CVE-2022-1364

A vulnerability in the V8 Javascript Engine component of Chromium that can be exploited with a malcrafted webpage. Successfully exploiting the vulnerability may allow the attacker to compromise the user's data on a vulnerable device.

MultiApp Vulnerabilities in Android

MultiApp vulnerabilities are named as such because they can affect multiple mobile apps that share components of how they are developed. For example, Chromium is the codebase for almost every mobile browser including Chrome, Safari, Edge, and Firefox. 

Attackers could have a greater chance of success and kill multiple birds with one stone if they’re able to exploit these multiapp vulnerabilities. If they are successful, the type of data they can compromise varies based on the specific set of vulnerabile apps. 

CVE-2023-2033_2136

A group of vulnerabilities across all Android devices, as well as Samsung devices specifically.

CVE-2023-3079

A zero-day vulnerability in the V8 Javascript engine of Chromium that affects versions of Google Chrome and Microsoft edge mobile browsers.

CVE-2023-6345

A vulnerability in Skia, which is the 2D graphics engine for Google Chrome, ChromeOS, Android, and Microsoft Edge. 

CVE-2022-4135

A zero-day vulnerability found in the GPU component of Chromium open-source web browser project, which provides the codebase for many popular browsers.

CVE-2023-5217

A vulnerability in libvpx, which is a video codec library used by Chrome, Firefox, and Firefox Focus for Android. 

CVE-2022-3075

A zero-day vulnerability found in Chromium that exists due to “insufficient data validation” in the runtime libraries that Chromium is based on

iOS Vulnerabilities

Almost every iOS update we’re asked to install on our smartphones has to do with a security vulnerability. In fact, there were more than 260 iOS CVEs published in 2023. The fact that so many devices remain out of date means that there are lingering vulnerabilities that leave those devices, their users, and the data on them susceptible to exploits

Pro tip

Lookout provides multilayered protection for devices that are exploitable through vulnerabilities at the OS level. Since it often takes time for users to update their devices once a patch is available, Lookout recommends setting an OS Out-of-Date policy to alert users that devices are out of compliance.

Mobile App Threats

Mobile malware can be incredibly difficult to detect and ranges from riskware, which is low-risk but could create data privacy concerns, to advanced surveillanceware that tracks every action on the device, listens in on conversations through the microphone, and can turn on the device’s camera.

10 Most Encountered Malware Families in 2023
Medium SEVERITY
IdShark
Classification: Spyware
Platform: Android

This malware can forward text messages, contact lists, financial information, and other device information to a 3rd party. It can also be used to track device location without user knowledge.

LOW SEVERITY
RiskySigner
Classification: Riskware
Platform: Android

The author of this app has signed malicious or potentially unwanted applications in the past. Exercise extra scrutiny, as the app may exhibit unwanted or risky behavior.

LOW SEVERITY
SourMint
Classification: Riskware
Platform: iOS

A software development kit (SDK) that contains the capability to intercept all network requests made by the user through the app, collect device information, and send it all to a 3rd party server

High SEVERITY
StatisticalSales
Classification: Surveillanceware
Platform: Android

This malware can forward user data including call logs, location and text messages to a 3rd party.

Medium SEVERITY
Ggtrap
Classification: Spyware
Platform: Android

This malware can forward sensitive user data to a 3rd party including text messages, contact lists, call logs, phone number, browser bookmarks, location, financial information, and other device data.

LOW SEVERITY
Virtualization
Classification: Riskware
Platform: Android

This riskware poses the risk of circumventing certain security measures as it runs in a virtualized environment or provides an app the capability to do so.

LOW SEVERITY
UnsafeMarket
Classification: Riskware
Platform: Android

This riskware provides the ability to download and install apps from a 3rd party store. Be extra cautious as there is a higher risk of installing a malicious app.

Medium SEVERITY
BianLian
Classification: Trojan
Platform: Android

This malware may contain legitimate functionality however it can also steal text messages, lock the device's screen, steal banking credentials, and install other apps. This can lead to financial fraud, a loss of privacy, a disrupted user experience and the installation of unwanted apps.

Medium SEVERITY
MoneytiseSDK
Classification: Trojan
Platform: Android

This monetization SDK is embedded into applications and offers to turn your phone into a proxy allowing the developers to make money by monetizing your network data. This may allow others to access your network, and lower device and battery performance. 

LOW SEVERITY
WonderRoot
Classification: Root Enabler
Platform: Android

This malware helps the user acquire root access on the device, providing elevated privileges. This can allow the user or apps to modify the Android system in ways that can potentially damage a device or cause a loss of private data.

Empower Your Security Team with Threat Intelligence

As an extended service, Lookout provides advanced Threat Intelligence to organizations that aim to enhance in-house detective or protective systems.

New mobile malware families protected against: 181
Known mobile malware families given enhanced protection: 307

PRO TIP

Security teams need all the intelligence they can get in order to combat sophisticated, evasive cyber attacks. By leveraging advanced mobile threat intelligence, users can stay ahead of attackers with visibility into global threat trends that help users build a stronger security strategy.

Lookout collects and analyzes proprietary data points to provide your security teams with comprehensive protection capabilities against mobile cyber attacks. Our advanced threat intelligence and machine learning technology ensure that your mobile devices are safeguarded from the latest threats.

Watch this demo video to learn how Lookout Premium customers can conduct proactive research on mobile malware in the Lookout Console
Watch Demo Video

Top 10 most critical threat families discovered in 2023

Critical SEVERITY
FreeCoin
Classification: Trojan
Platform: Android

Malware that can forward text messages and contacts to a 3rd party, incur charges on the device, and steal banking credentials.

Critical SEVERITY
SamsungBrowserSpy
Classification: Spyware
Platform: Android

A directory related to a Spyware infection for Samsung Browser.

High SEVERITY
TriangleDB
Classification: Surveillanceware
Platform: iOS

Malware that secretly allows a third party to track geolocation, harvest credentials and interact with other processes on the user's device.

High SEVERITY
DragonEgg
Classification: Surveillanceware
Platform: Android

Surveillanceware developed by APT-41 that can collect text messages, device location, and call logs, pictures or video, and record audio.

Read technical writeup here

High SEVERITY
AbyssalLocationTracker
Classification: Surveillanceware
Platform: Android

Malware that tracks device location and forwards it to a third party server.  

High SEVERITY
GodFather
Classification: Trojan
Platform: Android

Trojan that can steal the device's contact lists, intercept received text messages, forward phone calls, and conduct phishing attacks.

high SEVERITY
S0ftPhoneMonitor
Classification: Surveillanceware
Platform: Android

Surveillanceware that monitors activities and sends information to a 3rd party.

high SEVERITY
BouldSpy
Classification: Surveillanceware
Platform: Android

Surveillanceware that monitors user activity, collects data such as text messages, contacts, call logs, browser history, and more, and uploads them to a remote server.

Read technical writeup here

High SEVERITY
LaSurv
Classification: Surveillanceware
Platform: Android

Surveillanceware that monitors a number of sensitive activities performed on a device.

HIGh SEVERITY
InfamousChiselSurv
Classification: Surveillanceware
Platform: Android

Surveillanceware that collects sensitive information including location data, text messages, contacts, and call logs and exfiltrates them to a remote third party.

Read technical writeup here

Device Risks

In addition to phishing, apps, and malware, there are misconfigurations that can occur and open up the entire device to being taken over. This can range from simple device settings to advanced malware that gains root admin access to the device. 

Top device misconfigurations

The risks posed by security misconfiguration vulnerabilities can have serious consequences for users. Security misconfigurations can leave a device and the data on it vulnerable to known and unknown exploits.

52.8%
Out of Date OS

Out of date operating system (OS) versions, especially on iOS devices, can leave a device and the data on it vulnerable to known and unknown exploits.

8.4%
No device lock

Locking a mobile device is a basic form of securing it. Some users might disable the device lock to make it easier to open their device, which is a security risk.

4.9%
Out of date ASPL

Android Security Patch Levels (ASPLs) are released by Google to patch new and known vulnerabilities in Android apps, Android OS, and even hardware components.

4.4%
Non App Store signer

As part of how Lookout detects an iOS app installed from a source other than the App Store, this alert indicates that the app may pose high risk coming from a less trusted source.

Device Operating System (OS) Threats

Jailbreaking & rooting a device can weaken a device's built-in security features and, if done incorrectly, can render the phone useless and leave it vulnerable to malware and exploits. Device threats, on the other hand, are when an attacker intentionally compromises the entire device and can access any data stored on it.

Protect Your Company from Cyberattacks

Find out how Lookout can help you safeguard your business against mobile device cyber threats.

Learn More