Researchers on Thursday reported that despite a 50% increase in mobile device management (MDM) adoption during the past year, average quarterly exposure to phishing attacks on mobile devices in the financial sector rose by 125% – and malware and app risk exposure increased by more than five times.
In a blog post, Lookout researchers said as more users access cloud services and infrastructure from mobile devices, attackers deliberately target phones, tablets and Chromebooks to increase their odds of finding a vulnerable entry point. The researchers said a single successful phishing or mobile ransomware attack can give attackers access to data across a company’s entire back-end infrastructure.
“Compromise can take place in a number of ways, but with each one an attacker can find their way into your cloud infrastructure,” said Hank Schless, senior manager, security solutions at Lookout. “An attacker can recreate the corporate log-in page and deliver a phishing message to the individual that prompts them to log into their account. The attacker can use malware-as-a-service to deliver a trojanized application that can lurk in the background of the device and wait for the user to access sensitive corporate data stored in cloud apps and infrastructure before executing any actions.”
As part of the blog, Lookout also linked to its Financial Services Threat Report, which was authored by Schless. Some of the report’s highlights include the following:
- The motive of almost 50% of phishing attacks was to steal corporate login credentials.
- Nearly 20% of mobile banking customers had a trojanized app on their device when trying to sign into their personal mobile banking account.
- Seven months after the release of iOS 14 and Android 11, 21% of iOS devices were still on iOS 13 or earlier, and 32% of Android devices were still on Android 9 or earlier.
The report also points out that organizations have to do more than manage mobile devices with MDM. Schless said that while MDM lets organizations push basic application and access management policies to employee devices, the phishing and app risk numbers indicate that MDM has not protected the devices from these risks and can’t replace security.
“When building consumer applications, security must be integrated from the ground up,” Schless said. “By integrating security into the mobile app development process, mobile security capabilities are natively delivered to your customers without asking them to install any additional software. Every organization should also subscribe to a zero trust approach, and should consider mobile apps, devices, and users as part of that strategy.”
As the bulk of the workforce still operates remotely, Krishnan Subramanian, security research engineer at Menlo Security, agreed that it’s imperative to include mobile devices in the zero trust strategy.
“Based on data from our platform, we are seeing mobile device users accessing cloud services like Office 365, DocuSign, or Adobe, which are commonly impersonated in phishing campaigns,” Subramanian said. “Attackers have come to the realization that mobile devices are as valuable as desktops with regards to data and access to critical apps.”