December 18, 2020
Over the past decade, technology enthusiasts have dreamed about smartphones and tablets taking over various aspects of our lives. They have in many ways, but the shift has always been gradual. This all changed in 2020 when most of us were forced to stay home. From the way we work, go to school, interact with our healthcare providers, manage our finances, shop, and connect with friends and families – mobile is now at the center of our lives.
As we look ahead towards 2021, this shift will continue. Here are five predictions about how we anticipate individuals and organizations will be forced to confront the threats targeting their information, privacy and devices.
Most of us tend to liberally hand over data to social media and other mobile apps without fully understanding the consequences of doing so. Even when data breaches occur or malware intentionally steals data, we often don’t know what it concretely means for us.
The discussion around banning TikTok ignited a global discussion about the types of data mobile apps collect and how they are used. Some organizations even went as far as banning TikTok from their employees’ mobile devices. Individuals and organizations are becoming more conscious of how data collected by mobile apps could be used with malicious intent. Apple has begun asking developers to clarify what types of data their apps collect and how they will be used. I expect more corporate actions as well as individual consumers becoming more prudent about sharing their personal data.
Contact tracing and data privacy became a hot button topic in 2020 as jurisdictions around the world tested different technologies to contain the spread of COVID-19. Some feared that the data collected could invade privacy or be used for malicious purposes. In light of these concerns, most European and North American jurisdictions appear to have opted for privacy-preserving methods leveraging Bluetooth technology. However, this win for privacy by no means spelled the end of threats to our privacy and security abetted by the pandemic.
I predict that we’ll also see the pandemic leveraged in future cyberattacks as governments, pharmaceutical and healthcare organizations will continue to be targeted. Especially as vaccines roll out, there will likely be broad-based phishing attacks using the pandemic and the vaccine as hooks to steal individuals’ credentials and personally identifiable information (PII). So please do not “log in here to skip to the front of the vaccination queue”.
The type of malware deployed by state actors, such as the surveillance tools used to spy on the Uyghur ethnic minority that Lookout uncovered in mid-2020, tends to take the limelight in public reporting. Meanwhile, financially motivated cybercrime is quietly becoming more sophisticated and insidious, and mobile malware is now used by a variety of actors – including organized crime.
We’ve already seen the gradual commercialization of threats such as adware, toll fraud apps, banking trojans and spyware. If you dig into the Dark Web, you’ll find kits for sale that enable you to easily deploy any of these types of malware.
But we’re seeing an evolution. In late 2020, we uncovered a mobile spyware campaign we believe is operated by organized criminals. The objective of the threat, which we named Goontact, is to steal data from the target’s device and use it for extortion or blackmail. Victims are convinced to download an application associated with the illicit websites the attackers have set up. But the apps have no real functionality other than to exfiltrate information. I believe this is evidence that mobile malware-as-a-business is turning from relatively low-stakes schemes into mafia-style crime.
Ransomware dominated the news headlines throughout 2020. Various hospitals, government organizations and school districts were brought to a halt as malicious actors held their IT infrastructure hostage. While ransomware has only played a minor role on mobile devices thus far – mostly thanks to widespread use of cloud backup as well as app sandboxing – I foresee that mobile devices will have a role to play in future ransomware and other attacks on corporate and public sector networks.
As many of us continue to stay at home, we are using our phones, tablets and Chromebooks more – both for personal and work purposes. With their small screens and multitude of messaging channels, they are a perfect vector for phishing messages aimed at stealing credentials for corporate access. We will likely see confirmed cases of mobile phishing as the entry point for cyberattackers to deploy ransomware or other malware into an enterprise’s infrastructure.
The way we traditionally secured endpoints such as desktops was invasive and required privileged access to the operating system (OS) and apps. But desktop OSs are becoming more like their mobile counterparts, limiting what applications, including security solutions, can do.
Apple began this transition in earnest in 2019 with Catalina, when it removed applications’ ability to use kernel extensions – severely limiting what security software can do on the system. More recently, with the release of laptops and desktops running its own M1 chip, Apple is bringing even more features from iOS and iPadOS to the desktop. Similarly, Windows 10 now offers S mode, which allows only apps installed from the Microsoft Store, each running in its own sandbox.
Mobile OSs, alongside other modern OSs such as Chrome OS, have set the standard of a more compartmentalized OS. In some ways, this makes it harder for an attacker to compromise these devices. But this also means we need to rethink the way we deploy endpoint security on desktop systems. While it may take a bit longer than just the next year to get there, the process has begun. Chances are that desktop security software will look a lot more like its mobile counterparts.
To learn more about the latest development in mobile malware becoming a business, check out our Goontact threat discovery blog.
Christoph Hebeisen, Director, Security Intelligence Research