The COVID-19 outbreak has led to an unanticipated and quick transition of the global workforce. Organizations have been forced to make radical changes in their infrastructure so that their employees could work comfortably and be productive at the same time. According to new research by IDC, the US remote working population would grow continuously at a steady pace over the upcoming 4 years, surging from 78.5 million employees in 2020 to 93.5 million in 2024.
This has also led to a massive increase in the adoption of smartphones and mobile apps as the new tools for work. As more and more devices and apps are being used to access corporate networks, the attack surface for the threat actors is continuously on a rise. Mobile devices are now more vulnerable than ever to cybersecurity threats like man-in-the-middle attacks, phishing scams, malware attacks and so on.
So, let’s take a look at how mobile app threats have evolved over the years and what is their impact on the privacy of users and businesses.
Impacts and Evolution of Mobile App Threats
Unlike the desktop computer world, attacks on mobile devices are increasing at a fast rate. Every now and then we would hear about some newly discovered threat and this trend is likely to continue. Here we have outlined some of the most critical reasons as to why mobile app threats are continuously on a rise:
1. Increase in the Attack Surface
With an explosive rise in the market for smartphones, there are now billions of mobile devices in the hands of users. This has proved out to be the largest attack surface footprint for hackers for stealing major corporate as well as personal information.
2. Unprotected Mobile Devices
The major truth about modern age smartphones is that they are mostly unprotected. Since there is virtually nothing protecting mobile devices, there is no barrier that can protect them from becoming vulnerable to attackers. With minimum chances of getting caught, there is nothing protecting the users from potential cybercriminals.
3. Vulnerable Corporate Networks
Insecure and unprotected mobile devices are potentially prone to attacks and hackers are using them to gain access into corporate networks. Since mobile devices contain a hybrid of both corporate as well as personal information, they are increasingly put on target by cybercriminals.
4. Financial Motives
This may be the most important reason for the increase in mobile-related cyberattacks as compromising mobile devices enables a series of lucrative rewards for cybercriminals. They generally use these opportunities to extort money from the concerned parties in case of ransomware attacks.
5. Irresponsible User Behaviour
End users always have a false sense of security when it comes to their mobile devices. And most of the time, they don’t even take security seriously. Without realizing how many sensitive tasks they perform on their phones, like online banking, they grant apps widespread permissions and even give root-level access by jailbreaking their phone
Employers need to play the major role of educating their employees about these threats and provide the best practices necessary for preventing mobile attacks. A recent poll conducted by Wandera, that consisted of over 2,000 end users revealed that only 7% of employees have been provided with any form of security guidance on using apps and smartphones in general, which is quite alarming.
6. Hybrid Devices for Both Personal and Business Use
According to Wandera, over 70% of corporate employees access their data from tablets or smartphones. The security challenge that comes with protecting corporate data is not limited to BYOD devices. Employees are now looking forward to accessing corporate-owned devices for personal use and want control over the device.
Check Point’s 2021 Mobile Security Report
Researchers at Check Point have been observing an unprecedented rise in the number of attacks and data breaches that have come in through the mobile endpoint over the past year. The threat to mobile devices and apps has become greater than ever and must be well accounted for by every organization.
According to their research, about 97% of organizations have recently faced mobile application security threats and around 46% have at least one employee download a malicious mobile application which is an alarming fact when it comes to network and data security.
Let us take a look at the key findings of the research:
1. The global pandemic has emerged to become the latest mobile app hacking premise. Skilled threat actors are exploiting the concerns of the general public with the pandemic by launching complex malware attacks that are pretending to provide legitimate help.
2. Ransomware is the hottest trend in the mobile cybersecurity world. Researchers at Kaspersky discovered more than 20,000 ransomware trojans in mobile devices this year.
3. In one of the research studies conducted by CheckPoint, it was observed that around 400 code-level flaws were found within a Qualcomm DSP chip. The criticality of this fact cannot be ignored as Qualcomm provides chips for over 40% of the mobile phone market.
4. Mobile Device Management (MDM) is also emerging as a new attack vector in many cases. A new Cerberus malware variant has infected over 75% of one company’s devices with the help of corporate-owned MDM.5. There are a number of threat groups that are focusing on mobile, conducting elaborate and sophisticated targeted attacks and improving their mobile arsenal with the competence that is yet to be seen on mobile.
Recent Mobile App Hacks
In recent years, the mobile device and app world has seen some of the most devastating hacks and data breaches. Let’s take a look at some of the most prominent ones:
1. Walgreens Mobile App Leak (Jan 2020)
A major security flaw was detected within the Walgreens mobile app’s personal messaging feature. Upon conducting an investigation, it was discovered that an internal application error admitted certain malware into the app and the personal information of thousands of users was compromised as a result of this.
2. Upstox (April 2021)
One of India’s largest discount broking firms, Upstox, encountered a breach event in the month of April 2021. The firm witnessed a massive security breach which further resulted in the exposure of its customer’s KYC information. Although the firm could not stipulate how much of its user data was exposed, media reports indicate that a breach of the size of around 25 lakh customers would have happened.
3. ParkMobile Breach (April 2021)
ParkMobile, a mobile parking app that’s popular in North America was exposed to a cyberattack in April when it was found that the account information of its 21 million consumers was being sold by someone illegally. The stolen data included customer email addresses, phone numbers, dates of birth, hashed passwords, license plate numbers, and mailing addresses.
4. Npower Data Breach (Feb 2021)
British energy services provider Npower has recently suffered a massive data breach that exposed its customers’ financial and personal data. This resulted in forcing the company to shut down its mobile app also. Data that was compromised included customers’ date of birth, contact details, address, bank sort codes and last four digits of bank account numbers.
5. Juspay Data Leak (August 2020)
A compromised server of Bengaluru-headquartered payments processor Juspay resulted in the data leakage of its 100 million users on the dark web. Juspay operates and processes payments for tech companies like Uber, Amazon, Swiggy and Flipkart among others. Revealing that the cyberattack had occurred on August 18, 2020, Juspay added that 35 million records of its users with masked card data (which is non-sensitive information) and card fingerprint were breached.
6. Nissan North America Data Breach (Jan 2021)
Nissan North America suffered a data leak in January this year when the source code for its mobile applications and internal tools emerged online after the company apparently misconfigured one of its Git servers.
7. Mobikwik Data Breach (March 2021)
Leading Indian payments app Mobikwik suffered a data breach in the month of March. Researchers claimed that the sensitive information of about 3.5 million users was put on the dark web for sale. The sensitive data included addresses, KYC details, phone numbers, Aadhar card data and other details of the users.
The extraordinary situation of mobile devices is that they serve both as a business and a personal tool. Either corporate or personally owned, companies having employees who use mobile devices have the responsibility to understand that the security threat these devices pose to corporate information requires competent insights for handling them. In order to become successful at building a voraciously secure mobile ecosystem, the industry needs to take a closer look at the sincere problems posed by mobile computing.