Over the course of 2022, a lot happened in the mobile security arena. While there was some good news, much was of the not-so-good variety, including increasingly sophisticated attacks, large-scale campaigns that afflict millions, high-profile hacks that cost businesses dearly, you get the idea.
During the year, a number of significant stories emerged. These events had a big impact last year, and they will certainly shape the security landscape that we must navigate as we enter 2023.
Here is our take on the top mobile security stories that emerged in 2022.
#1. Too Much Dark Herring: 100 Million Users Targeted
Cybercriminals continue to invest in tools and approaches that can help scale their reach and, ultimately, profits. Red Herring is an example of the frightening scale they’ve been able to attain. Back in January 2022, Zimperium warned that more than 100 million Android users had been targeted by the Dark Herring subscription fraud campaign.
The criminals behind Dark Herring published about 470 malicious applications to the Google Play Store. Once users downloaded one of these applications, they were directed to a web page asking them to submit their phone numbers for verification. In reality, phone numbers entered were submitted to a Direct Carrier Billing service that began charging them an average of 15 dollars per month. Often, it takes months for victims to identify these charges, and they often have little recourse to get their money back. While the exact totals are unknown, the financial damages to consumers are estimated to be in the hundreds of millions of dollars.
#2. Pegasus: Notorious Spyware Keeps Making Headlines
There’s a big difference between detecting malware and eliminating the threats it poses. Pegasus is a prime example of this reality. First detected in 2016, this malware remains very much in play. Pegasus made big news in 2021 when tens of thousands of activists, journalists, and public officials were targeted by the spyware.
In 2022, the spyware continued to make headlines. For example, in February, law enforcement agencies in Israel came under fire due to suspicions that they used Pegasus to spy on public figures, including heads of government ministries and one of the prime minister’s family members. In April, it was reported that the spyware hit a handful of top officials in the European Commission. Then in May, news broke that Spain’s prime minister had been targeted.
#3. More than a Tempest in a TeaBot: Banking Trojan Infects 10,000
In March, Cleafy reported that TeaBot, the Android banking trojan, was downloaded by unsuspecting victims more than 10,000 times before it was removed from the official Google Play Store.
The malware was delivered via an app that appeared to be legitimate, which was called “QR Code & Barcode – Scanner.” In fact, the app did deliver the promised functionality. However, immediately after installation, the app requests permission to install an add-on application, which features multiple samples of the TeaBot malware. Once installed, the app may be granted access to view and control the device’s screen and record keyboard entries. Through these tactics, malicious actors sought to gain access to such sensitive information as login credentials and SMS-based authentication codes. This malware targeted users in Hong Kong, Russia, and the United States.
#4. Cash App Investing Breach: Eight Million Users Exposed
In April, it was reported that more than eight million users of a stock trading app had their data exposed. These individuals were users of Cash App Investing, a mobile app run by Block, the owner of the Square payments system.
A disgruntled former employee was able to gain access to company reports that included users’ names, account numbers, holdings, and more. Soon after the breach was announced, a class action filing was issued against the app provider and its parent company.
#5. Down with the FluBot: Android Malware Taken Out
In May, it was reported that an international law enforcement operation took down the Android malware known as FluBot. Europol, the law enforcement agency of the EU, led the extensive international operation, which included agencies from across the EU and from the US. Police disconnected thousands of compromised devices from the FluBot network and prevented more than 6.5 million spam messages from making it to potential victims.
First detected back in 2020, FluBot has infected tens of thousands of devices globally, including more than 70,000 in Spain and Finland. Over time, the threat actors behind FluBot have continued to adapt their approaches. For example, they initially sent text messages that purported to notify users that they needed to click a link to reschedule a package delivery. Subsequent iterations asked users to click a link in order to view a photo shared by a friend. They even started notifying potential targets that their devices were infected by the FluBot virus and that they needed to take immediate action by clicking on a malicious link.
Once installed, the malware requested accessibility permissions, which, when granted, enabled threat actors to steal banking app credentials and details about cryptocurrency wallets. Further, FluBot also stole contact details from infected devices and then sent text messages to those contacts in order to proliferate further.
#6. 0ktapus Phishing: More than 130 Companies Compromised in Breach
In August, the cybersecurity company Group-IB published a report detailing a phishing campaign that specifically targeted employees of a number of businesses. Most of the companies targeted provide IT, development, and cloud services to organizations. In addition, companies from financial services, retail, telecommunications, and other industries were also affected. Ultimately, attackers successfully victimized more than 130 companies, including Cloudflare, Doordash, Mailchimp, and Twilio.
The operation, which was given the name “0ktapus,” involved a sophisticated and sustained set of attacks. Attackers targeted employees of companies that are using Okta, which is one of the leading identity and access management offerings. Attackers sent text messages that directed targets to a fake authentication page. If victims submitted their login credentials, attackers could then leverage those details to gain access to accounts.
These attackers also pursued various multi-phase attack strategies. Once they were able to compromise one service, they attempted to exploit that compromise to breach another. For example, once they breached Twilio’s phone number verification services, they sought to target 1,900 users of the Signal instant messaging app.
#7. Uber Exposed: Lapsus$-Affiliated Hacker’s Extensive Attack
In September, Uber suffered an extensive breach. A hacker used social engineering techniques to access an Uber employee’s account. The hacker repeatedly sent notifications to the employee, claiming to be an IT administrator requesting access to their account. The employee ultimately provided the requested details.
By hacking one authorized user’s account, the attacker was subsequently able to bypass multi-factor authentication defenses and gain access to a number of internal systems. Ultimately, source code, internal databases, communication channels, and more were all compromised. The hacker even used a compromised Slack account to issue a company-wide message notifying employees of the breach.
Reports have tied this breach to the Lapsus$ group, which is a hacker collective that’s been responsible for attacks on a number of other high-profile companies that occurred earlier in the year. Victimized companies include Microsoft, Nvidia, Rockstar Games, and Samsung. These attacks have resulted in businesses being exposed to ransom demands, not to mention other excessive damages associated with forensics and remediation, negative publicity, and lost productivity.
#8. Dirty RatMilad: New Spyware Campaign
While spyware has long been a tool of nation-states, ongoing technology advances have continued to increase accessibility to these tools and to make these tools easier to create and modify.
Throughout 2022, new versions of spyware were uncovered. In October, Zimperium issued a warning about RatMilad. RatMilad is a previously unknown spyware campaign distributed by an Iranian hacking group known as AppMilad.
The Android malware is being distributed by enticing users to access a phone number spoofing app. The attackers used Telegram to distribute messages encouraging the sideloading of the app. Once the app is downloaded, and requested permissions are given on the device, the malicious actor is able to control many aspects of the mobile endpoint. Using the spyware, attackers can access the camera to take pictures and record video, get precise GPS locations, view pictures, and more.
#9. Qatar World Cup: Visitors Warned of Spyware
Speaking of nation-state-sponsored spyware, if you attended the World Cup in Qatar this past November, it was very likely that your mobile device was infected by some type of snooping app.
Foreigners visiting Qatar for the World Cup were required to download two mobile applications: An official World Cup app called “Hayya” and a Covid-tracking app known as “Ehteraz.” Experts warned that these apps were a form of spyware, which would enable Qatari authorities to access individuals’ data, and even gain the power to view, delete, or modify content on their phones.
Governments worldwide warned their citizens about the risks of the spyware and offered suggested precautions, including bringing a burner phone or resetting an old phone to its factory settings before entering the country.
The headlines from 2022 continue to remind us of the criticality of safeguarding the smartphones used by employees. While some of the attacks described above expressly targeted enterprise employees, the reality is that even those attacks targeting consumers can still ultimately expose corporate assets, including intellectual property and credentials. To learn more about how Zimperium solutions safeguard mobile devices and businesses, visit our Zimperium zIPS Mobile Intrusion Prevention System page.