More than 80% of the world’s population now owns a smartphone. As per reports, India has over 1.2 billion mobile phone users and 600 million smartphone users according to Deloitte’s 2022 Global TMT. They have become so ubiquitous and important to everyday life, that according to research by Google, around a third of smartphone owners use their devices exclusively to access services like online banking, shopping, and email. As much of the world’s workforce moves into hybrid working, mobile devices have also become increasingly common among staff – and not always under the protection of an organization’s cybersecurity team. A study by Microsoft in 2022 revealed that more than two-thirds (67%) of workers use their personal smartphone for work-related tasks.

Our mobile devices represent a very real vulnerability, not just when it comes to our personal data, but when it comes to potentially sensitive work data too. This year has seen that vulnerability increase as mobile threats continue to grow in number and sophistication. Check Point Research revealed that the majority of organizations experienced a mobile malware attack in 2022, with phishing (52%), command and control (25%), and automatic browsing to infected websites (23%) among the most common types of malicious traffic. Banking trojans, designed to steal users’ online banking credentials, and premium dialers, which subscribe to premium rate services without the users’ knowledge, are also on the rise. According to Check Point’s Threat Intelligence Report, over the past six months, the rate of mobile attacks on organizations in India has averaged 7.5% per week, while the global average for attacks per organization stands at 2.2%.

In Check Point’s 2023 Mid-Year Cyber Security Report, mobile devices continue to prove a common attack vector. The “FluHorse” malware, for instance, camouflages itself as popular Android applications, aiming to extract Two-Factor Authentication (2FA) codes and other sensitive user data. Another malware, known as “FakeCalls”, simulates over twenty distinctive financial applications and generates fraudulent voice calls, further highlighting the innovative tactics employed by cybercriminals.

Learn from the past, prepare for the future

While mobile devices offer convenience and efficiency, they also present a unique set of vulnerabilities. Their ubiquitous nature combined with often lax security measures makes them prime targets.

One of the most alarming revelations of 2023 is that despite the advancements in technology and the increasing reliance on mobile devices, they remain one of the most unsecured attack modes. This is partly because the onus of security has traditionally been placed on suppliers, like Apple or Android, rather than on additional, layered security measures. Time will tell if we see a course correction on this issue in the coming years.

The inherent risks

The risks associated with mobile threats are multifaceted. Beyond the immediate threat of data theft, mobile devices can serve as gateways for attackers to access corporate networks, potentially leading to larger-scale breaches or supply chain attacks. The lateral movement within networks, facilitated by compromised mobile devices, can have cascading effects, compromising multiple systems and data repositories.

Mobile devices are, of course, network endpoints, and that means they are often part of complex supply chains. Vulnerabilities can be introduced to these supply chains at any stage, from device manufacturing and software development, right through to the deployment of services to end users. Mobile phones, particularly those that are not business-owned or carefully monitored, are currently the weakest part of the chain.

Outside of business, mobile devices are also prime targets for phishing attacks and social engineering. The smaller screen sizes can make it harder to identify malicious URLs, and users are more likely to click on fraudulent links in text messages or social media apps when they are distracted or on the move. There are also concerns that mobiles are creating a culture of overreliance on technologies like biometric authentication. While facial recognition and fingerprint scanning are convenient, they are not infallible and can be spoofed by malicious actors.

Who is responsible for mobile security?

While suppliers play a crucial role in patching known vulnerabilities, organizations and individuals must take proactive measures to secure their devices. Relying solely on the supplier is a reactive approach that leaves devices vulnerable to zero-day attacks. Instead, a multi-layered security approach, including regular software updates, robust authentication methods, and user education, can significantly reduce the risk posed by mobile threats. According to the “Evidence-based Insights” report, security issues have been identified in nearly 75% of India’s top 100 Android apps. These apps have access to a significant amount of sensitive data, providing both organizations and users with insights into potential security risks.

As we look to the future, the mobile threat landscape is expected to become even more complex. With the increasing integration of IoT devices and the blurring lines between personal and professional device usage, the potential attack surface continues to grow. Organizations and individuals must remain vigilant, prioritizing mobile security not as an afterthought but as a fundamental aspect of their overall cybersecurity strategy.

In fact in response to this concern and to aid people in protecting their smartphones, the Department of Telecommunications (DoT) has introduced a range of complimentary tools for removing bots in India. Operating in collaboration with Internet Service Providers (ISPs) and antivirus companies, this portal, commonly referred to as the Botnet Cleaning and Malware Analysis Centre, is managed by the Indian Computer Emergency Response Team (CERT-In). The platform offers users access to resources and tools aimed at enhancing the security of their systems and devices.

While mobile devices have revolutionized the way we live and work, they have also introduced a new set of challenges in the realm of cybersecurity. By understanding the evolving threat landscape and taking proactive measures, we can enjoy the benefits of mobile technology without compromising security.