Whether you’re a small business, multinational enterprise organization, or government entity, 2023 proved to be an evolutionary year for mobile threats. There were a record number of zero-day vulnerabilities discovered in iOS, multiple discoveries of popular apps like TikTok and PinDuoDuo having risky data collection practices, and the cybercrime group Scattered Spider proved that mobile phishing is an extremely effective way to take down some of the world’s largest organizations.
The way that threat actors are targeting and attacking organizations is shifting. The trends and data in this annual report indicate that actors are relying more heavily on social engineering, taking full advantage of new exposure points and vulnerabilities in both software and employees themselves. To that end, there was a record number of mobile phishing attempts targeting enterprise users this year. In addition, the most prominent mobile app vulnerabilities in 2023 could be exploited by sending the targeted individual to a maliciously crafted webpage through SMS, iMessage, or any other mobile app with messaging functionality.
Thanks to our industry-leading dataset and the wide breadth of businesses, governments, and individuals worldwide that trust Lookout to secure their devices and data, we are able to identify global trends in the mobile threat landscape informed by hundreds of millions of apps, devices, and web items.
Organizations of every size in every industry are at greater risk because their mobile devices are the last unprotected endpoints. This report proves that cybercriminals are evolving their tactics by using multiple attack vectors that target mobile devices, which means that checking the box is no longer enough. No one can identify threats and defend mobile devices like Lookout can. We’ve got you covered.
Researchers in the Lookout Threat Lab leverage the world’s largest mobile telemetry dataset to track advanced persistent threat (APT) activity, discover new mobile malware, and provide actionable intelligence. Below are three key discoveries by our team in 2023.
Mobile phishing is one of the biggest challenges facing IT and security teams today. In the modern kill chain, this tactic has become arguably the most effective way for threat actors to steal employee credentials. And as MFA bypass becomes more prominent, threat actors can log into corporate infrastructure to conduct recon, create backdoors, and compromise data.
As one of the most widely-adopted mobile threat defense solutions, Lookout defends its customers with out-of-the-box protections against phishing and malicious content as well as the ability to create custom content rules and denylists.
Risky vulnerabilities can exist at both the operating system (OS) and application level on mobile devices. While OS vendors and developers of popular apps will usually push patches for these vulnerabilities in a timely fashion, there is usually a gap between when a vulnerability is disclosed, when it is patched, and when the patch is actually installed by users. This can leave the device and its data at risk for long periods of time.
Lookout monitors a wide range of vulnerabilities and threats, their global presence, and their potential impacts to inform you at the earliest possible moment and keep you safe. Below are the top vulnerabilities encountered by Lookout users in 2023.
A vulnerability in Chrome for Android’s WebP image format. A similar image processing vulnerability was linked with the BlastPass exploitation for delivery of Pegasus.
A vulnerability in Chromium that could affect certain versions of Google Chrome and Microsoft Edge browsers on mobile.
A vulnerability in libvpx, which is a video codec library used by Chrome, Firefox, and Firefox Focus for Android.
A group of 9 vulnerabilities across various components of Chrome for Android that could enable an attacker to compromise the user's data on a vulnerable device.
A vulnerability in the V8 JavaScript engine component of Chromium that can be exploited with a maliciously crafted webpage. Successfully exploiting the vulnerability may allow the attacker to compromise the user's data on a vulnerable device.
MultiApp vulnerabilities are named as such because they can affect multiple mobile apps that share components of how they are developed. For example, Chromium is the codebase for almost every mobile browser including Chrome, Safari, Edge, and Firefox.
Attackers could have a greater chance of success and kill multiple birds with one stone if they’re able to exploit these multi-app vulnerabilities. If they are successful, the type of data they can compromise varies based on the specific set of vulnerable apps.
A group of vulnerabilities across all Android devices, as well as Samsung devices specifically.
A zero-day vulnerability in the V8 JavaScript engine of Chromium that affects versions of the Google Chrome and Microsoft Edge mobile browsers.
A vulnerability in Skia, which is the 2D graphics engine for Google Chrome, ChromeOS, Android, and Microsoft Edge.
A zero-day vulnerability found in the GPU component of the Chromium open-source web browser project, which provides the codebase for many popular browsers.
A vulnerability in libvpx, which is a video codec library used by Chrome, Firefox, and Firefox Focus for Android.
A zero-day vulnerability found in Chromium that exists due to “insufficient data validation” in the runtime libraries that Chromium is based on.
Almost every iOS update we’re asked to install on our smartphones has to do with a security vulnerability. In fact, there were more than 260 iOS CVEs published in 2023. The fact that so many devices remain out of date means that there are lingering vulnerabilities that leave those devices, their users, and the data on them susceptible to exploits.
Mobile malware can be incredibly difficult to detect and ranges from riskware, which is low-risk but could create data privacy concerns, to advanced surveillanceware that tracks every action on the device, listens in on conversations through the microphone, and can turn on the device’s camera.
This malware can forward text messages, contact lists, financial information, and other device information to a 3rd party. It can also be used to track device location without user knowledge.
The author of this app has signed malicious or potentially unwanted applications in the past. Exercise extra scrutiny, as the app may exhibit unwanted or risky behavior.
A software development kit (SDK) that contains the capability to intercept all network requests made by the user through the app, collect device information, and send it all to a 3rd party server.
This malware can forward user data including call logs, location and text messages to a 3rd party.
This malware can forward sensitive user data to a 3rd party including text messages, contact lists, call logs, phone number, browser bookmarks, location, financial information, and other device data.
This riskware poses the risk of circumventing certain security measures as it runs in a virtualized environment or provides an app the capability to do so.
This riskware provides the ability to download and install apps from a 3rd party store. Be extra cautious as there is a higher risk of installing a malicious app.
This malware may contain legitimate functionality; however, it can also steal text messages, lock the device's screen, steal banking credentials, and install other apps. This can lead to financial fraud, a loss of privacy, a disrupted user experience, and the installation of unwanted apps.
This monetization SDK is embedded into applications and offers to turn your phone into a proxy, allowing the developers to make money by monetizing your network data. This may allow others to access your network and can lower device and battery performance.
This malware helps the user acquire root access on the device, providing elevated privileges. This can allow the user or apps to modify the Android system in ways that can potentially damage a device or cause a loss of private data.
As an extended service, Lookout provides advanced Threat Intelligence to organizations that aim to enhance in-house detective or protective systems.
Malware that can forward text messages and contacts to a 3rd party, incur charges on the device, and steal banking credentials.
A directory related to a spyware infection for Samsung Browser.
Malware that secretly allows a third party to track geolocation, harvest credentials and interact with other processes on the user's device.
Surveillanceware developed by APT-41 that can collect text messages, device location, and call logs, pictures or video, and record audio.
Malware that tracks device location and forwards it to a third party server.
Trojan that can steal the device's contact lists, intercept received text messages, forward phone calls, and conduct phishing attacks.
Surveillanceware that monitors activities and sends information to a 3rd party.
Surveillanceware that monitors user activity, collects data such as text messages, contacts, call logs, browser history, and more, and uploads them to a remote server.
Surveillanceware that monitors a number of sensitive activities performed on a device.
Surveillanceware that collects sensitive information including location data, text messages, contacts, and call logs and exfiltrates them to a remote third party.
In addition to phishing, apps, and malware, there are misconfigurations that can occur and open up the entire device to being taken over. These range from simple device settings to advanced malware that gains root admin access to the device.
The risks posed by security misconfiguration vulnerabilities can have serious consequences for users. Security misconfigurations can leave a device and the data on it vulnerable to known and unknown exploits.
Out of date operating system (OS) versions, especially on iOS devices, can leave a device and the data on it vulnerable to known and unknown exploits.
Locking a mobile device is a basic form of securing it. Some users might disable the device lock to make it easier to open their device, which is a security risk.
Android Security Patch Levels (ASPLs) are released by Google to patch new and known vulnerabilities in Android apps, Android OS, and even hardware components.
Lookout detects when an iOS app was installed from a source other than the App Store; this alert indicates that the app may pose a high risk because it comes from a less trusted source.
Jailbreaking or rooting a device can weaken a device's built-in security features and, if done incorrectly, can render the phone useless and leave it vulnerable to malware and exploits. Device threats, on the other hand, are when an attacker intentionally compromises the entire device and can access any data stored on it.
Find out how Lookout can help you safeguard your business against mobile device cyber threats.