Our mobiles have become one of the main targets for hackers in the first half of 2022. S21sec is now reporting findings reporting a significant increase in mobile malware activity with different threats.
Specifically, emphasis is placed on campaigns in which cyberespionage has become one of the main objectives of cybercriminals, as is the case with Pegasus. This and other attack vectors are demystified here in their Threat Landscape Report.
Smartphones, tablets and even smartwatches, our devices under attack
First of all, one of the main conclusions of the biannual report prepared by S21sec is that mobile devices have become one of the main targets of cybercriminals. The data now refers to the first six months of the year, with a significant increase in mobile malware activity.
More specifically, according to the Digital Global Statshot Report published in April 2022, of the 7.93 billion people on Earth, 67% of the world’s population currently uses a mobile device.
This means that more than 5.32 billion people worldwide have a mobile device. Thus, storing more and more sensitive information both in the device memory and in the cloud.
From personal photos to bank details, passwords and information about the company where they work. Therefore, cybercriminals have found a new target for their attacks. Here with the ability to access content stored on smartphones and compromise any information related to the user.
Increase in the distribution of malware to smartphones and tablets
“As has been the case for the past few years and the first six months of 2022, there has been an increase in mobile malware activity. Cybercriminals have added smartphones and tablets to the list of priority targets. This has led to an increase in cyber threats, specifically targeting these devices”, says Hugo Nunes, head of the S21sec Intelligence team in Portugal.
According to the semi-annual report of the largest cybersecurity services company on the Iberian Peninsula, there are four routes for the distribution of malware aimed at mobile devices:
- smish attacks: Attackers substitute the identity of applications, banks, stores or transport companies. They send messages that usually include a fraudulent page that asks the user for personal information to steal credentials or a URL that leads to a page where the malware will be downloaded.
- Use of pop-ups: Ads on web pages that encourage users to download an application. There have been many cases where cybercriminals encourage their victims to install fake updates to common software.
- Unofficial app markets: This is one of the main places where malware is distributed. They make apps available on unofficial marketplaces that appear to be legitimate but are actually malware or copy the trusted app. All to prevent the user from realizing that it is fake, adding malicious code later.
- Malware applications in official markets such as Google Play or Apple Store– While they have built-in security measures to prevent malicious apps from being available for download, there have been numerous cases where an app that appears legitimate is actually an app that contains some form of malware.
Most relevant mobile malware attacks
spyware Pegasus, developed by the Israeli security company NSO Group, whose objective is espionage, has become very relevant in the last three years and especially this semester. This is due to its use against members of the State and regional governments, as well as journalists and important people.
One of the most notorious cases took place in Spain in May. It was then that it was discovered that this malware was infecting the mobile phones of the Prime Minister, Pedro Sánchez, and the Defense Minister, Margarita Robles, among other authorities.
Besides Pegasus, other relevant attacks include xenomorph Y flubot. For example, him xenomorph is an Android banking Trojan that was first discovered in February 2022. It was then disguised as a legitimate app.
As with other Android mobile banking Trojans, when the user opens your banking app, this malware performs an overlay attack. That is, overlaying a fake page that mimics the bank’s login page. All with the aim that victims enter their passwords and steal their data and money.
From Pegasus spyware to Flubot and Xenomorph
EITHER flubot it was discovered in December 2020 and has spread rapidly in the last two years. It is distributed through SMS, missed calls or alerts, posing as different entities. Always with the aim of spreading malicious links where malware such as fake package tracking software or other services are downloaded.
Since these messages, calls, or alerts come from a known source, the recipient or victim is more likely to fall for it and infect their mobile device.
Finally, note the fact that in May, the Dutch police deactivated the structure behind Flubot. Furthermore, in early June Europol announced the complete removal of the Flubot Android malware.
The European authorities have detailed how the international police operation will have involved eleven countries with the aim of dismantling the malware.
