Whilst statistics might vary slightly from source to source, in the UK alone, well over 80% of the population owns a smartphone, and the mobile internet penetration rate could be as high as 75%. So, there’s an awfully high number of people that own a smartphone and use said devices to access the internet. Many reports point to further increases in smart device usage over the course of the pandemic due to the restructured working conditions many of us have endured — working from home (WFH), remote working, working on the move, etc.
What people often forget is that the shiny, all-singing, all-dancing device in their pocket is also a highly capable surveillance device, carrying advanced sensors (camera, microphone, GPS) and a wealth of tracking data. People simply assume that their mobile device is secure, and often do things on it, with less care from a security point of view, that they would never do on a laptop. As a result, we now have a vast industry that sets out to secure and empower productivity on the basis that people can work anywhere and routinely use the same device for both work and personal life. Mobility and cloud technology have become essential, with most people now working and managing their personal lives digitally.
To borrow a saying from the world of Spiderman (slightly out of context): with great power comes great responsibility. The once humble communication device is now a very powerful tool that needs to be used responsibly in the face of those wishing to act in a nefarious way. Tablets and smartphones aren’t immune to cyber attacks, and spyware doesn’t just target people in government organisations or large enterprises. With both Android and iOS devices so embedded in our daily lives, attackers can steal all kinds of sensitive data from them, ranging from personal information through to proprietary company data. Remember those blurring lines between work and personal?
All of this leads nicely into a very clear example of how all of this can play out: Pegasus.
The security implications of Apple’s latest iOS update
In 2016, a joint investigation by Lookout and Citizen Lab revealed the highly advanced mobile spyware Pegasus, which has since been used against business executives, human rights activists, journalists, academics and government officials. Later, in 2021, 17 media organisations jointly investigated a leaked list of more than 50,000 phone numbers and found a high concentration of individuals from countries known to engage in surveillance. Those countries are also known to have been clients of the NSO Group, the Israeli company behind Pegasus and a leading player in the largely unregulated commercial spyware industry.
Pegasus has long been considered among the most advanced mobile spyware in the world, and it is equally at home on iOS and Android devices. It gives whoever operates it a high degree of control over the victim’s device and access to almost everything on it. Remember our thoughts on how much information our smart devices hold on us? Pegasus can extract highly accurate GPS coordinates, photos, email and files, and the contents of messaging apps such as WhatsApp and Signal. Note that the end-to-end encryption of those apps is not broken: it protects messages in transit, but a compromised endpoint reads them after the app has decrypted them for display. Pegasus can also switch on the device’s microphone to listen in on private conversations, and can even activate the camera to record video. Throughout, the NSO Group has denied that Pegasus is used by malicious actors, claiming that it only sells Pegasus to the intelligence and law enforcement community and that every prospective customer’s human rights record is thoroughly vetted. The assassination of the journalist Jamal Khashoggi in 2018 cast significant doubt on this, because the Saudi government allegedly tracked Khashoggi by compromising his mobile phone with Pegasus.
Phishing for more than just your thoughts
The Pegasus spyware debacle should concern all of us, not just government entities. The mass commercialisation of spyware (just like that of phishing tools) is a risk to everyone. We have touched on the ubiquity and power of mobile devices: they can access the same data as a PC from anywhere, which massively increases the attack surface and risk for organisations. Why? Mobile devices are typically used outside an organisation’s security perimeter. So wherever employees can reach sensitive company data or infrastructure from a phone, attackers will be waiting to pounce. Mobile phishing is therefore a very effective first step for an attacker, because mobile malware is usually delivered to its victim via a phishing link.
Phishing links are delivered most effectively through social engineering. In the Pegasus example, a journalist was sent a link from an anonymous mobile number promising tips about a human rights story they were working on. Even with zero-click delivery, where the victim does not need to tap anything for the device to be compromised, the message carrying the exploit still has to reach the device. And don’t forget that there are myriad iOS and Android apps with messaging functionality, so SMS, email, social media, third-party messaging apps and others can all serve as the delivery channel for an attack.
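Because a lure link has to arrive through some messaging channel, the cheapest defensive check an organisation can add is link triage on inbound messages. The following is an added example, not code from the article or from any vendor mentioned in it, and it does not detect Pegasus or any specific spyware: it applies a handful of generic phishing-link heuristics (URL shorteners, raw IP hosts, punycode hosts, plain HTTP, brand lookalike domains, deeply nested or hyphen-heavy hosts) to constructed sample messages. The shortener list, the brand list and every domain and phone number below are placeholders assumed for the example.

```python
"""Heuristic triage of URLs delivered in SMS/chat messages (added example).

All messages, senders and domains here are constructed for illustration;
the shortener and brand lists are assumptions a real deployment would
replace with its own allow/deny lists.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches http(s) URLs and bare "www." hosts inside free text.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

# Well-known public URL shorteners (assumption: extend with your own list).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Brands a lure is likely to impersonate, mapped to the registrable domain
# they legitimately use (assumption for the example).
BRANDS = {"apple": "apple.com", "microsoft": "microsoft.com", "whatsapp": "whatsapp.com"}


def extract_urls(text):
    """Pull URL-looking tokens out of free text, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text)]


def registrable_domain(host):
    """Naive 'last two labels' approximation. Without a public-suffix list
    host.co.uk collapses to co.uk; good enough to show the technique."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def url_indicators(url):
    """Return the list of lure indicators a URL trips (empty list = none)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url          # bare www. hosts: assume plain HTTP
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable"]
    reasons = []
    try:
        ipaddress.ip_address(host)    # literal IP instead of a hostname
        reasons.append("raw-ip-host")
    except ValueError:
        pass
    if host in SHORTENERS:
        reasons.append("url-shortener")   # destination hidden from the reader
    if "xn--" in host or not host.isascii():
        reasons.append("idn-or-punycode")  # homograph risk
    if parts.scheme == "http":
        reasons.append("plain-http")
    reg = registrable_domain(host)
    for brand, legit in BRANDS.items():
        # Brand name appears in the host but the registrable domain is not the brand's.
        if brand in host and reg != legit:
            reasons.append("lookalike:" + brand)
    if host.count(".") >= 4 or host.count("-") >= 3:
        reasons.append("deep-or-hyphenated-host")
    return reasons


def triage(messages):
    """Score every URL in a list of (sender, body) pairs.

    Returns a list of (sender, url, reasons) tuples, one per URL found."""
    findings = []
    for sender, body in messages:
        for url in extract_urls(body):
            findings.append((sender, url, url_indicators(url)))
    return findings


# Constructed sample messages: an unsolicited shortened link, an account-lock
# lure on a lookalike domain, a benign internal link, and a raw-IP download.
SAMPLE_MESSAGES = [
    ("+000000000000", "Tips on the human rights story you are working on: https://bit.ly/3xyzEXAMPLE"),
    ("+000000000001", "Your Apple ID is locked, verify at http://apple-id-verify.example/login"),
    ("Alice", "Minutes from today are on https://docs.example.com/minutes."),
    ("+000000000002", "Update required: http://192.0.2.10/update.apk"),
]

if __name__ == "__main__":
    for sender, url, reasons in triage(SAMPLE_MESSAGES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {sender:15} {url}  {reasons}")
```

The heuristics are deliberately simple and will produce false positives (legitimate shortened links, internal plain-HTTP hosts), so the output is a triage queue for a human or a secondary engine, not a blocking decision. The registrable-domain helper is the weak point: a production version should use a public-suffix list so that multi-part TLDs are handled correctly.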
So where does this put us all? Recent findings by cyber security provider Lookout make for sobering reading:
- In 1H2021, mobile users experienced over 200% more malicious mobile apps than 1H2020.
- In 1H2021, more than 1 in 5 enterprise mobile users encountered at least one phishing attack.
- In 1H2021, there was a 30% increase in phishing encounters for enterprise users versus 1H2020.
- Over 50% of consumer users encountered at least one phishing attack in 1H2021.
Your smartphone isn’t immune to cyber attacks, and spyware doesn’t just target people in government organisations or large enterprises. With so many users actively using their devices for both work and personal purposes, it has never been more important for organisations to ensure strong mobile security. Attackers can, and will, steal all kinds of sensitive personal information (and company data) from these devices. Stop making it easy for them.