A new report from cloud security company ZScaler sheds light on the growing mobile threats on Android operating systems, as well as IoT and OT devices. The findings come as more than 60% of global internet traffic is now generated by mobile devices and financially targeted mobile threats have increased by 111% in the past year.
A list of mobile malware threats
ZScaler’s ThreatLabz witnessed a 29% year-over-year increase in mobile banking malware, with banking malware representing 20% of the total Android threat landscape.
The most active banking malware families to date include:
- Vultur, which is mainly distributed through the Google Play Store.
- Hydra, distributed via phishing messages, websites and malicious Google Play Store applications.
- Ermac, designed to steal financial data from banking and wallet apps.
- Anatsa, also known as TeaBot.
- Horse buyer, also known as Squidward.
- Nexus, which focuses mainly on cryptocurrency accounts.
Most of these banking malware families record keystrokes, hijack login credentials, and intercept text messages to bypass multi-factor authentication.
Spyware threats increase by more than 100%
In addition to banking malware, spyware threats have also increased, with researchers reporting that the number of blocked transactions has increased by 100% in the past year.
The most common spyware reported are SpyLoan, SpinOk and SpyNote.
- SpyLoan has the ability to steal personal data from devices, such as accounts, device information, call logs, installed apps, calendar events, metadata and more.
- SpinOk collects sensitive data and files from various locations on the infected device and exfiltrates the data to a server controlled by the attacker.
- SpyNote, also known as CypherRat, provides additional remote access capabilities, allowing the attacker to control the execution of software on the mobile device.
According to ZScaler, mobile malware most often targeted India (28%), the US (27%) and Canada (15%), followed by South Africa (6%), the Netherlands (5%), Mexico (4%), Nigeria (3%), Brazil (3%), Singapore (3%) and the Philippines (2%).
Sectors affected include technology (18%), education (18%), manufacturing (14%), retail and wholesale (12%) and services (7%).

Mobile malware is spread via various methods. One method involves the use of social engineering techniques. For example, ZScaler reports that attackers deployed the mobile malware Copybara using voice phishing attacks (vishing), where the victim received voice instructions to install the malware on their Android phones.
QR code scams are also common, where victims are tricked into scanning malicious QR codes, leading to malware infections or, in some cases, phishing pages.
Some malware is also available on the Google Play Store. This includes Joker, which quietly subscribes users to premium services without their consent to generate fees, followed by adware and Facestealer, a Facebook account stealer.

Despite an overall decline in Android attacks, financially targeted mobile threats have increased 111% in the past year.
IoT and OT threats
Internet of Things and operational technology environments continue to expand and are increasingly being targeted by attackers, according to the report. The researchers indicate that the number of IoT devices communicating with it has grown by 37% year-on-year.
IoT malware attacks have increased by 45% in the past year. Routers are the most targeted device type, accounting for more than 66% of attacks. The top malware families affecting IoT devices are Mirai (36.3%) and Gafgyt (21.2%). Botnets built on IoT devices infected with this malware can be used to conduct large Distributed Denial of Service attacks.

In terms of geographic distribution, over 81% of IoT malware attacks target the US, followed by Singapore (5.3%), the United Kingdom (2.8%), Germany (2.7%), Canada (2%) and Switzerland (1.6%).

The top sectors affected by IoT malware attacks are manufacturing (36.9%), transportation (14.2%), and food, beverage and tobacco (11.1%).
On the OT side, 50% of devices in many deployments are using older, end-of-life operating systems. Protocols susceptible to various vulnerabilities are also often exposed in OT environments, such as SMB or WMI.
For example, ThreatLabz analyzed the OT content of a large-scale manufacturing organization consisting of more than 17,000 connected OT devices in more than 40 different locations. Each site contained more than 500 OT devices running end-of-life Microsoft Windows operating systems, many of which had known vulnerabilities.
67% of global traffic to OT devices was unauthorized or blocked.

What will the future look like?
According to ZScaler, IoT and OT devices will remain the top threat vectors, while the manufacturing sector remains a top target for IoT attacks, including ransomware.
ZScaler also suspects that artificial intelligence will increasingly be used to deliver high-value phishing campaigns that target mobile users. However, AI will also help defenders automate critical functions and better prioritize their efforts.
How to protect IoT and OT devices from cyber attacks
To protect IoT and OT devices against threats, the following measures are necessary:
- Gaining visibility into IoT and OT devices is a priority. Organizations must discover, classify, and maintain lists of all IoT and OT devices used across their entire environment.
- Keep all systems and software up to date and patched to avoid being compromised by common vulnerabilities.
- Network logs should be collected and analyzed. Suspicious access to user accounts and system events should be particularly monitored.
- Where possible, multi-factor authentication should be used, and default passwords and accounts should be changed or disabled.
- Zero-Trust device segmentation should be enforced for IoT and OT assets to minimize data exposure.
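As an added illustration (not from the ZScaler report or the original article), the Python sketch below audits a device inventory for three of the conditions named above: end-of-life operating systems, exposed SMB or WMI, and default credentials. The CSV columns, host names, sites and the end-of-life list are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Illustrative end-of-life list (assumption): maintain from vendor lifecycle data.
EOL_OS = ("windows xp", "windows vista", "windows 7", "windows 8.1",
          "windows server 2003", "windows server 2008", "windows server 2012")
# Ports behind the protocols the article names: SMB (445, 139) and
# remote WMI, which starts at the RPC endpoint mapper (135).
RISKY_PORTS = {445: "SMB", 139: "SMB", 135: "WMI/RPC"}

# Constructed sample inventory; hostnames, sites and columns are hypothetical.
SAMPLE_INVENTORY = """\
site,host,device_type,os,open_ports,default_creds
plant-a,hmi-01,hmi,Windows 7 Embedded,135;445;3389,no
plant-a,cam-07,ip-camera,Linux 4.9,80;554,yes
plant-a,eng-ws-02,workstation,Windows 11,,no
plant-b,hist-01,historian,Windows Server 2008 R2,445,no
plant-b,rtr-01,router,Vendor firmware 2.1,22;443,yes
"""

def audit_device(row):
    """Return the list of findings for one inventory row."""
    findings = []
    os_name = row["os"].lower()
    if any(os_name.startswith(eol) for eol in EOL_OS):
        findings.append("end-of-life OS")
    ports = {int(p) for p in row["open_ports"].split(";") if p}
    exposed = sorted({RISKY_PORTS[p] for p in ports if p in RISKY_PORTS})
    if exposed:
        findings.append("exposed " + "+".join(exposed))
    if row["default_creds"].strip().lower() == "yes":
        findings.append("default credentials")
    return findings

def audit_inventory(csv_text):
    """Group findings by site: {site: {host: [findings]}} for flagged hosts."""
    report = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["site"]][row["host"]] = findings
    return dict(report)

if __name__ == "__main__":
    for site, hosts in audit_inventory(SAMPLE_INVENTORY).items():
        for host, findings in hosts.items():
            print(f"{site} {host}: {', '.join(findings)}")
```

Hosts with any finding are the first candidates for patching, credential rotation or placement in a tighter segment.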
How to protect mobile devices from cyber attacks
To protect mobile devices against threats, the following measures are important:
- Install security applications on the devices to protect them from malware and possible phishing attempts.
- Every link that arrives on the mobile phone, regardless of the application, must be carefully examined. A suspicious link should not be clicked, and it should be reported to IT security staff.
- Unknown applications should be avoided. Applications should also never be downloaded from third parties or unreliable sources.
Businesses should also be careful with applications that request updates immediately after installation. An application downloaded from the Play Store should already be the latest version. If an app asks for permission to update immediately after installation, it should be treated as suspicious, as this may indicate that malware is trying to download additional malicious components.
Disclosure: I work for Trend Micro, but the views expressed in this article are my own.