Mobile security risks have escalated in recent years. This isn’t totally new; we’ve talked about it multiple times across MSP Today. Yet still, malicious actors have definitely turned their attention to target mobile devices by using techniques to exploit vulnerabilities and infiltrate corporate networks.
A notable trend is the surge in "mishing," a form of mobile phishing that leverages various tactics to deceive users and compromise their devices. In fact, Zimperium’s 2024 Global Mobile Threat Report shows that 82% of phishing sites now target mobile devices, which indicates a shift in cybercriminal tactics toward a "mobile-first" approach. These attackers exploit the weaknesses in mobile devices to infiltrate corporate systems.
Mishing attacks often rely on tricking employees into trusting deceptive websites. The researchers found that 76% of phishing sites targeting enterprises use HTTPS, a secure communication protocol that can mislead victims into believing the website is legitimate. Smaller screen sizes and less visible security indicators on mobile devices make it easier for attackers to disguise phishing attempts.
The success of mishing sites (and the bad actors behind them) lies in their speed and stealth. Cybercriminals quickly create and launch deceptive domains, then dismantle them before they are detected, which makes it difficult for security teams to respond. The report found that one-quarter of mobile phishing sites become operational within 24 hours of their creation, immediately posing a threat.
Shridhar Mittal, CEO of Zimperium, stressed the importance of protecting mobile devices and applications in today's digital age.
“In today's digital age, where 71% of employees leverage smartphones for work tasks, enterprises must effectively protect their mobile endpoints by adopting a multi-layered security strategy including mobile threat defense and mobile app vetting” said Mittal. “Our zLabs researchers meticulously analyzed the nature of mobile attacks, uncovering an attack surface within enterprises that requires a strategic and mobile-centered response.”
In addition to mishing, the report also looked into the dangers of sideloading apps, or apps installed on devices outside of official app stores. Financial services organizations saw 68% of their mobile threats attributed to sideloaded apps. Users who sideload apps are twice as likely to have malware on their devices compared to those who don't.
Platform vulnerabilities also act as a big risk. The report found a surge in Common Vulnerabilities and Exposures, or CVEs, for Android and iOS devices in 2023. While both platforms received frequent updates, enterprises struggled to manage these updates across all devices, emphasizing the need for proactive mobile security strategies beyond platform updates.
"Mishing attacks and mobile malware are increasingly evading detection, often going unnoticed by businesses," said Chris Cinnamo, Senior Vice President of Product Management, Zimperium. "To effectively navigate this evolving mobile threat landscape, enterprise security teams must prioritize the attacks specifically targeting employee mobile devices. Without proactive measures, these attacks will continue to weave into enterprises, exploiting the sensitive data and disrupting organizational operations."
These findings all point to a single truth: Protecting mobile devices is not optional – it is the modern cornerstone of digital security. Enterprises must implement a security strategy that closes the gaps within their workforce, strengthens their mobile security posture and reduces the risk of a business-disrupting cyberattack.
Edited by
Alex Passett
