The second quarter of this year followed many trends observed in our first quarter report, but also introduced some interesting new perspectives on the mobile threat landscape. We continued to see a massive increase in mobile phishing and malicious web content being delivered to mobile users, disclosed Houthi-developed mobile spyware, and saw a higher number of iOS-targeted root enablers than we have in the past.
Lookout leverages AI to analyze data and identify malware, phishing attacks, and other sophisticated network-based threats. In this quarter’s report, we also aimed to dig more deeply into some of our findings. For example, we answered the question of whether managed mobile devices have any more or less exposure to phishing and web-based attacks than unmanaged or BYOD devices. We also observed the percentage of reported iOS vulnerabilities that are of high or critical severity, as teams aim to figure out which risks they actually need to spend time on.
Thanks to our industry-leading AI-driven dataset of more than 220 million devices, 325 million apps, and billions of web items, we are able to identify global trends that help inform security teams across every industry and geography about how to protect the data from mobile threats.
This report is a summary of our findings from the second quarter of 2024, and proves that mobile threats must be thought of as a significant part of the modern day enterprise security strategy. Nobody knows the mobile threat landscape like Lookout.
Researchers in the Lookout Threat Lab leverage the world’s largest mobile telemetry dataset to track advanced persistent threat (APT) activity, discover new mobile malware, and provide actionable intelligence. Originally discovered in October 2022 and publicly disclosed this year, Lookout researchers continue to see the GuardZoo surveillanceware being used to target military personnel from Middle Eastern countries.
The surveillanceware is based on a commodity spyware named Dendroid RAT. Lookout attributes this activity to a Yemeni Houthi-aligned group based on targeting aligned with Houthi interests. The campaign mostly uses military themes to lure victims, but Lookout researchers also observed that religion and other themes are being used.
Mobile phishing and malicious content have exploded in popularity as attackers evolve their tactics to target enterprise credentials. This has led to a fundamental shift in the traditional cyber kill chain: the modern kill chain depends on using legitimate credentials as a way to quietly enter corporate infrastructure and compromise data.
Attackers take on convincing personas as internal IT or security teams to trick employees into sharing or supposedly resetting their passwords. More recently, actors have taken to impersonating executives and contacting new or existing employees to get them to share sensitive company data in a high pressure situation.
As one of the most widely adopted mobile threat defense solutions, Lookout defends its customers with out-of-the-box protections against phishing and malicious content, as well as the ability to create custom content rules and denylists.
Mobile phishing is a pervasive threat that attackers can use across any app that has messaging functionality. This doesn’t just mean email, SMS, iMessage, WhatsApp, Telegram and the like, but also social media apps like Instagram and TikTok, the LinkedIn mobile app, mobile games, and even dating apps.
Even if an organization manages the apps its employees can use, Lookout data shows that those employees are just as likely to encounter a phishing attack as employees of organizations that don’t manage apps.
With employees traveling the globe, it’s important to understand whether they might be at higher risk of phishing attacks in certain regions. Lookout identifies trends in each continent so that organizations operating in multiple regions can prioritize timely remediation for regions with an increasing number of attempts. The data for this quarter tracks consistently with what we’ve seen over the last couple of years.
Just like any other piece of hardware or software, mobile devices and the apps that run on them can have vulnerabilities in their code. These vulnerabilities can exist at the device, operating system, and app level. Even if the developer promptly releases a patch, there’s still an inevitable gap of time between when the vulnerability is discovered and end-users install the updated version. That is an attacker’s window of opportunity, and a successful exploit frequently grants them root access on the device, the same permissions that a vulnerable app has, and other highly invasive capabilities.
Lookout monitors a wide range of vulnerabilities and threats, their global presence, and their potential impacts to inform you at the earliest possible moment and keep you safe. Below are the top vulnerabilities encountered by Lookout users in the second quarter of 2024.
A zero-day vulnerability in Google Chrome that could be exploited by delivering a maliciously crafted webpage to the end user running a vulnerable version of Chrome.
A collection of eight vulnerabilities in various components of Chromium, four of which were zero-days. Successful exploitation could grant an attacker access to any data that Chrome has access to or allow them to remotely execute code.
A zero-day vulnerability in Google Chrome’s ability to handle specific web requests. Successful exploitation could allow attackers to execute arbitrary code on the device.
A zero-day vulnerability in the V8 engine, which is the open-source JavaScript and WebAssembly engine that supports Chromium and the mobile version of the Google Chrome browser.
A zero-day vulnerability in the WebRTC framework, which supports the mobile versions of Google Chrome and Microsoft Edge.
A vulnerability in Skia, which is the 2D graphics engine for Google Chrome, ChromeOS, Android, and Microsoft Edge. Successful exploitation could lead to an attacker stealing sensitive data.
A vulnerability in Chromium, which supports almost every mobile browser. Successful exploitation could enable an attacker to execute a heap corruption via a malicious webpage.
A vulnerability, with known exploits in the wild, in WebP, the image rendering engine for Chrome and other mobile browsers.
A zero-day vulnerability in the V8 engine, which is the open-source JavaScript and WebAssembly engine that supports Chromium and the mobile version of the Google Chrome browser.
Two zero-day vulnerabilities in the V8 engine, which is the open-source JavaScript and WebAssembly engine that supports Chromium and the mobile version of the Google Chrome browser.
Almost every iOS update we’re asked to install on our smartphones has to do with a security vulnerability. In fact, more than 160 iOS vulnerabilities have already been published in 2024. And keep in mind that this counts only operating system vulnerabilities, not vulnerabilities found in apps that run on iOS, which is a whole different challenge for IT and security teams to manage.
In fact, as shown in the graph below, more than 40% of iOS vulnerabilities disclosed in the last 18 months have had a Common Vulnerability Scoring System (CVSS) score of 7 out of 10 or greater. According to the National Vulnerability Database (NVD), a 7-8.9 rating is high while a 9.0-10.0 is considered critical.
High and critical vulnerabilities are frequently disclosed and rated as such because they have known exploits in the wild that attackers could take advantage of. The first half of 2024 has been tracking with that trend, with 35% of iOS vulnerabilities falling into the high or critical categories.
Mobile malware and app threats can range from invasive permissions and riskware that create a massive compliance risk to advanced spyware that can track devices, steal data off of the device, listen in on conversations, and use the device’s camera and microphone.
Regardless of the severity of the malware, understanding where your users, devices, and data are at risk on mobile is a critical piece of the modern day security posture.
IdShark can forward text messages, contact lists, financial information, and other device information to a third party. It can also be used to track device location without the user’s knowledge.
Triada is known to have ties to the Russian APT named Gamaredon. It secretly controls the device and exfiltrates sensitive user data to a third party.
This monetization SDK is embedded into applications and turns the phone into a proxy, allowing the developers to make money by monetizing the user’s network data.
EyeSea is delivered via phishing messages and uses false claims to try to acquire user banking information. It can also intercept two-factor authentication codes.
GgTrap is developed by Ajaya Solutions in India and can send a variety of sensitive data to remote servers to use for blackmail. This includes text messages, contact lists, call logs, phone number, browser bookmarks, location, financial information, and other device data.
BianLian is developed by the Russian-speaking group Hydra. It uses screen overlays to steal text messages, lock the device's screen, steal banking credentials, and install other apps.
BancaMarStealer is a mobile trojan malware family designed to phish the victim’s login credentials for banking and other services.
Updtbot is distributed through SMS claiming to be a security update. Once installed, it grants the attacker control of the device and acts as a conduit to download additional malware to the device.
Pandora masquerades as a legitimate application that attempts to gain privileged access on the device once it’s installed. If successful, it will allow the attacker to control the device and use it for malicious purposes.
Igexin is a well-known Chinese advertising SDK that acts as a conduit for attackers to spy on victims through malicious plugins on the device. Information such as location and call logs could be sent to a third party.
Mobile threat intelligence fills a common gap in many existing security operation centers (SOCs), threat research organizations, and incident response teams that lack visibility into the complex and nuanced world of mobile malware.
With the world’s largest, AI-driven mobile security dataset at its core, the Lookout Threat Intelligence team is able to detect and protect against the most mobile malware families.
Commoditization of advanced malware, evolution of nation-state mobile malware capabilities, record numbers of iOS zero-day vulnerabilities, and a heavy reliance on mobile-focused social engineering are all signs that we’ve entered an era where mobile devices must be included in the scope of what these teams do.
Solodroid is related to Iranian APT MysticDome. It is a spyware family that is distributed by mass phishing campaigns related to the Israel-Hamas conflict.
iTracker is a commercial surveillanceware solution that can aggressively spy on users through their mobile devices and feed that data back to the attacker.
SpyC is a commercial surveillanceware solution that can aggressively spy on users through their mobile devices and feed that data back to the attacker.
A new family of Chinese surveillanceware currently under further investigation.
MobileMasterSpy is a set of mobile forensics applications that prompt the user to approve a series of permission requests for access to device GPS location data, SMS messages, images, audio, contacts and phone services.
CheatTrack appears in a number of apps that claim to provide cheats for video games. It can exfiltrate a plethora of sensitive data and send it to a third party.
DCHSpy is a spyware family that primarily targets users in Iran and Turkey. While rare, it has highly invasive capabilities that enable the attacker to spy on the victim through their mobile device.
AbyssalContactStealer is part of the “AbyssalArmy” toolset and can steal contacts from the victim device. The full suite enables the attacker to steal SMS messages, location, and other types of data.
In addition to phishing, apps, and malware, there are misconfigurations that can occur and open up the entire device to being taken over. These range from simple device settings to advanced malware that gains root (administrative) access to the device.
The risks posed by security misconfiguration vulnerabilities can have serious consequences for users. Security misconfigurations can leave a device and the data on it vulnerable to known and unknown exploits.
Out of date operating system (OS) versions, especially on iOS devices, can leave a device and the data on it vulnerable to known and unknown exploits.
Android Security Patch Levels (ASPLs) are released by Google to patch new and known vulnerabilities in Android apps, Android OS, and even hardware components.
Locking a mobile device is a basic form of securing it. Some users might disable the device lock to make it easier to open their device, which is a security risk.
This alert is raised when Lookout detects an iOS app installed from a source other than the App Store; such an app may pose a high risk because it comes from a less trusted source.
Jailbreaking & rooting a device can weaken a device's built-in security features, leave it vulnerable to malware and exploits and, if done incorrectly, can render the phone useless. A user might intentionally jailbreak their device for a variety of reasons, but device compromises can also be initiated remotely by advanced threat actors who want to silently turn a mobile device into a surveillance tool. This type of behavior has been observed in APT activity tied to cyberespionage and nation-state backed attacks, and is most infamously tied to the way NSO Group’s Pegasus surveillanceware infects a targeted individual’s device.
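The misconfiguration classes listed above (out-of-date OS, stale Android Security Patch Level, disabled device lock, sideloaded iOS apps, jailbroken or rooted devices) are the kind of posture signals an MDM or mobile threat defense product evaluates per device. The following is an added illustration of such a posture check, written for this page and not Lookout's own detection logic; the thresholds, field names and sample device records are constructed assumptions, and a real deployment would take the records from the management platform's device inventory.

```python
"""Evaluate constructed mobile device posture records against the
misconfiguration classes discussed above (hypothetical policy, not Lookout's)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed policy thresholds; tune to the organisation's patch SLA.
MAX_PATCH_AGE_DAYS = 90          # Android Security Patch Level older than this is stale
MIN_IOS_VERSION = (17, 5)        # minimum acceptable iOS release (assumption)
MIN_ANDROID_VERSION = (13,)      # minimum acceptable Android release (assumption)
REPORT_DATE = date(2024, 6, 30)  # evaluation date used for the constructed sample


@dataclass
class DevicePosture:
    """One device inventory record (field names are assumptions for this example)."""
    device_id: str
    platform: str                      # "ios" or "android"
    os_version: str                    # e.g. "17.4.1"
    security_patch: str | None         # Android ASPL as ISO date, e.g. "2024-05-05"; None on iOS
    screen_lock_enabled: bool
    jailbroken_or_rooted: bool
    sideloaded_apps: list[str] = field(default_factory=list)  # iOS apps not from the App Store


def parse_version(version: str) -> tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1); any non-numeric component is treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_below(actual: str, minimum: tuple[int, ...]) -> bool:
    """Compare dotted versions component-wise, padding the shorter with zeros."""
    a = parse_version(actual)
    n = max(len(a), len(minimum))
    return a + (0,) * (n - len(a)) < minimum + (0,) * (n - len(minimum))


def patch_age_days(aspl: str, today: date) -> int:
    """Days elapsed since the reported Android Security Patch Level date."""
    return (today - date.fromisoformat(aspl)).days


def evaluate(dev: DevicePosture, today: date) -> list[str]:
    """Return the list of posture findings for one device, most severe first."""
    findings: list[str] = []
    if dev.jailbroken_or_rooted:
        findings.append("CRITICAL: device is jailbroken/rooted; built-in protections cannot be trusted")
    if not dev.screen_lock_enabled:
        findings.append("HIGH: screen lock disabled")
    if dev.platform == "ios":
        if version_below(dev.os_version, MIN_IOS_VERSION):
            findings.append(f"HIGH: iOS {dev.os_version} is below the minimum supported release")
        for app in dev.sideloaded_apps:
            findings.append(f"MEDIUM: app {app} was not installed from the App Store")
    elif dev.platform == "android":
        if version_below(dev.os_version, MIN_ANDROID_VERSION):
            findings.append(f"HIGH: Android {dev.os_version} is below the minimum supported release")
        if dev.security_patch is None:
            findings.append("HIGH: no Android Security Patch Level reported")
        else:
            age = patch_age_days(dev.security_patch, today)
            if age > MAX_PATCH_AGE_DAYS:
                findings.append(f"HIGH: security patch level {dev.security_patch} is {age} days old")
    return findings


# Constructed sample inventory (not real devices or telemetry).
SAMPLE_DEVICES = [
    DevicePosture("ios-001", "ios", "17.5.1", None, True, False),
    DevicePosture("ios-002", "ios", "16.7.8", None, False, True, ["com.example.sideloaded"]),
    DevicePosture("and-001", "android", "14", "2024-03-05", True, False),
    DevicePosture("and-002", "android", "12", None, True, False),
]


def run_report(devices: list[DevicePosture] = SAMPLE_DEVICES, today: date = REPORT_DATE) -> dict[str, list[str]]:
    """Map each device id to its findings; devices with an empty list are compliant."""
    return {d.device_id: evaluate(d, today) for d in devices}


if __name__ == "__main__":
    for device_id, findings in run_report().items():
        print(device_id, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

The ordering of checks matters for triage: a jailbroken or rooted device is reported first because every other signal read from that device (OS version, patch level, lock state) may itself be unreliable once the platform's integrity is gone.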
Find out how Lookout can help you safeguard your business against mobile device cyber threats.