A new report from cloud security company ZScaler sheds light on the growing mobile threats on Android operating systems, as well as IoT and OT devices threats. The findings come as more than 60% of the global Internet traffic is now generated by mobile devices and financially-oriented mobile threats have grown by 111% over the last year.
A list of mobile malware threats
ZScaler’s ThreatLabz witnessed a 29% rise in banking mobile malware over the previous year, with banking malware representing 20% of the total Android threat landscape.
Most active banking malware families to date include:
- Vultur, which is primarily distributed through the Google Play Store.
- Hydra, distributed via phishing messages, websites, and malicious Google Play Store applications.
- Ermac, designed to steal financial data from banking and wallet apps.
- Anatsa, also known as TeaBot
- Coper, also known as Octo
- Nexus, primarily targets cryptocurrency accounts
Most of these banking malware record keystrokes, hijack credentials, and intercept SMS messages in order to bypass Multi-Factor Authentication.
SEE: How to Create an Effective Cybersecurity Awareness Program (TechRepublic Premium)
Spyware threats soar by more than 100%
In addition to banking malware, spyware threats have also grown, with researchers indicating that blocked transactions increased by 100% over the previous year.
The most prevalent spyware reported are SpyLoan, SpinOk, and SpyNote.
- SpyLoan has the ability to steal personal data from devices, such as accounts, device information, call logs, installed apps, calendar events, metadata, and more.
- SpinOk spyware collects sensitive data and files from various locations on the infected device and exfiltrates the data to an attacker-controlled server.
- SpyNote, also known as CypherRat, provides additional remote access capabilities so that the attacker can control execution of software on the mobile device.
According to ZScaler, most mobile malware targeted India (28%), the U.S. (27%), and Canada (15%), followed by South Africa (6%), The Netherlands (5%), Mexico (4%), Nigeria (3%), Brazil (3%), Singapore (3%) and the Philippines (2%).
Impacted sectors include technology (18%), education (18%), manufacturing (14%), retail and wholesale (12%), and services (7%).
Mobile malware are distributed via various methods. One method consists of using social engineering techniques. As an example, ZScaler reports that attackers deployed the Copybara mobile malware by using voice phishing (vishing) attacks, where the victim received voice instructions to install the malware on their Android phones.
QR code scam is also common, where victims are tricked into scanning malicious QR codes leading to malware infections or, in some cases, to phishing pages.
Some malware is also available on the Google Play Store. This includes Joker — which silently subscribes users to premium services without their consent to generate charges — followed by adware malware type and facestealer, a Facebook account stealer.
Overall, despite an overall decrease in Android attacks, financially-oriented mobile threats have grown by 111% over the last year.
IoT and OT threats
Internet of Things and Operational Technology environments keep expanding and are increasingly targeted by attackers, according to the report. The researchers indicate that the number of IoT devices interacting with them has grown by 37% year-over-year.
IoT malware attacks have grown by 45% over the past year, with routers being the most targeted type of device, with more than 66% of attacks aimed at these devices. The leading malware families hitting IoT devices are Mirai (36.3%) and Gafgyt (21.2%). Botnets built with these malware on IoT devices can be used to launch large Distributed Denial of Service attacks.
Regarding the geographical distribution, more than 81% of IoT malware attacks are aimed at the U.S., followed by Singapore (5.3%), the United Kingdom (2.8%), Germany (2.7%), Canada (2%), and Switzerland (1.6%).
Top sectors impacted by IoT malware attacks are manufacturing (36.9%), transportation (14.2%), food, beverage, and tobacco (11.1%).
On the OT side, 50% of the devices in many deployments use legacy, end-of-life operating systems. Protocols prone to different vulnerabilities are also often exposed in OT environments, such as SMB or WMI.
As an example, ThreatLabz analyzed the OT content of a large-scale manufacturing organization, comprising more than 17,000 connected OT devices across more than 40 different locations. Each site contained more than 500 OT devices with end-of-life Microsoft Windows operating systems, many of which had known vulnerabilities.
67% of the global traffic to the OT devices was unauthorized or blocked.
What will the future look like?
According to ZScaler, IoT and OT devices will remain primary threat vectors, while the manufacturing sector will remain a top target for IoT attacks, including ransomware.
ZScaler also suspects artificial intelligence will be increasingly used to deliver high-quality phishing campaigns targeting mobile users. However, AI will also help defenders automate critical functions and better prioritize their efforts.
How to protect IoT and OT devices from cyber attacks
To protect from threats on IoT and OT devices, it is necessary to:
- Gain visibility on IoT and OT devices is a priority. Organizations need to discover, classify, and maintain lists of all IoT and OT devices used in their full environment.
- Keep all systems and software up to date and patched to prevent being compromised by common vulnerabilities.
- Network logs must be collected and analyzed. Suspicious user account access and system events must be particularly monitored.
- Multi-factor authentication must be deployed when possible, and default passwords and accounts must be changed or disabled.
- Zero-Trust device segmentation should be enforced for IoT and OT assets to minimize data exposure.
How to protect mobile devices from cyber attacks
To protect from threats on mobile devices, it is important to:
- Install security applications on the devices, to protect them from malware and possible phishing attempts.
- Any link arriving on the mobile phone, no matter the application, should be cautiously examined. In case of suspicious link, it must not be clicked and reported to IT security staff.
- Unknown applications must be avoided. Also, applications should never be downloaded from third parties or untrusted sources.
Companies should also be cautious of applications requesting updates immediately after installation. An application downloaded from the Play Store should be the latest version. If an app requests permission to update immediately after installation, it should be treated as suspicious and could indicate malware attempting to download additional malicious components.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.