Armor your Achilles’ heel. Reduce the attack surface your business inherits from employee mobile devices

Roman Cuprik

The number of Android threats detected by ESET telemetry in the past four years has tripled. 

Trojanized chat apps, software development kits turning legitimate apps into spyware, or fake websites offering malicious mobile applications — these are just a handful of the growing number of threats targeting smartphone users in the past few months discovered and analyzed by ESET researchers.

While these threats may sound like the personal problems of private individuals using their own devices, various surveys show that smartphone-equipped rank-and-file employees are in fact yet another attack surface for businesses, and one that should be prioritized.

And that’s not easy. Even with thorough cyber-awareness training, there is still a good chance that an employee will fall victim to a sophisticated attack and become the Achilles’ heel in an otherwise first-rate defense of their respective business.

Being aware of this, ESET has introduced a new Mobile Threat Defense module to its comprehensive business solution ESET PROTECT, with sweet pricing available for the Advanced tier and higher. Users of ESET PROTECT Advanced and higher can enjoy one free mobile device seat per one paid seat for other devices. 

Growing numbers

To understand the scope of the problem, let’s review some key data from ESET telemetry. From the beginning of 2020 until the end of 2023, detections of Android malware rose by 222%. ESET Threat Reports provide further insight as to why this number has more than tripled in just four years.

In 2021, ESET telemetry detected a 428% annual increase in Android banking malware. The following year, the overall increase was driven by adware. And 2023 saw a significant increase in Android spyware cases.

If you are asking what it means for your business, check out the results of the surveys discussed below. 

A 2022 survey of working adults and IT security professionals from across the world revealed that half of the respondents used their employer-issued devices to check personal emails and messages. A further 45% used their work devices for reading news stories, while 32% shopped online.

Ironically, emails, online shops, and even news portals were the precise attack vectors described in several pieces of ESET research in 2023.

When it comes to employees using their own devices, 48% of organizations deploying a Bring Your Own Device (BYOD) policy witnessed malware being introduced through an employee’s personal phone, according to a Samsung 2023 survey.

If you wonder what’s behind these compromises, another 2022 survey found that the most common mistake contributing to cyber incidents is employees’ poor password hygiene and misuse of personal email.

Real-life examples

Maybe those numbers are too general, so let’s see some real examples of how a malicious app installed on an employee’s smartphone can endanger the whole company.

Last year, ESET researchers published a blog about two campaigns targeting Android users that had been active since July 2020 and July 2022, respectively, and were distributed across several app stores and dedicated websites. 

The threat actors in question patched open-source Signal and Telegram apps for Android OS with malicious code that ESET researchers later identified as BadBazaar. These malicious apps went by the name Signal Plus Messenger and FlyGram, and their purpose was to exfiltrate user data, such as contacts, call logs, and the users’ list of Google accounts.

The Signal Plus Messenger app proved even more dangerous than FlyGram with its unique capability to spy on the victim’s communications in the legitimate Signal app, an app that is often praised for its reliability and that is trusted by high-value targets, such as journalists.

Once a victim installed Signal Plus Messenger, the threat actors were able to link the compromised device to their own Signal-equipped device and read its messages. Such sensitive information could be used in further spear phishing attacks against business officials.

A similar case was covered in June 2023, when ESET researchers published research on the Android GravityRAT spyware. This malware was distributed within the malicious but functional messaging apps BingeChat and Chatico, both based on the OMEMO Instant Messenger app. The spyware can exfiltrate call logs, contacts, SMS messages, the device location, basic device information, and files with specific extensions, such as jpg, png, txt, and pdf.

If your company has a BYOD policy, you should take an interest in the threat behind the 89% increase in Android malware detections in ESET telemetry in the second half of 2023. This increase was primarily due to a mobile marketing software development kit (SDK) that ESET identifies as SpinOk spyware.

This SDK was offered as a gaming platform and was incorporated into numerous legitimate Android applications, including many available on official app marketplaces. Once an app containing the SpinOk SDK is installed, it operates like spyware, connecting to a command-and-control server and extracting a range of data from the device, including potentially sensitive clipboard (short-term storage) contents.

Again, this attack can impact employees who play games on their smartphones, as it gathers sensitive data that can later be used against their company.

Other attacks

So far, we have been describing spyware detected by ESET researchers during the past year, but there are also other threats to businesses coming from mobile devices.

  • Other malicious apps – Not all malicious apps are spyware going after messages and files on a mobile device. Some of them, for example, try to lure victims into handing over their bank account credentials, or encrypt files on the victim’s device and demand a ransom.
  • Phishing – Some of the biggest data breaches in history started with one employee falling for a phishing message, giving up credentials, and letting cybercriminals into the company’s network.
  • Physical theft – Physical theft or loss of a corporate mobile device can be a serious cyber incident, especially if the smartphone or tablet contains sensitive information and is locked only by a weak password. And such things happen often: in London alone, 90,864 phones were stolen in 2022.
  • Vulnerabilities – If you think you are safe using only standard cloud-based team communication platforms such as Microsoft Teams or Slack, think twice. Vulnerabilities and bugs that can lead to a data breach don’t spare even the biggest names on the market.
  • Worms – Because laptops and smartphones use different operating systems, it is rare to see a single piece of malware that spreads and executes in both environments. However, there have been cases such as the Hamweq.A worm, which used smartphones as carriers to spread malware to Windows PCs via the USB cable.

Valuable targets

Most employees probably don’t use their mobile devices for accounting, coding, or administrative duties, but the real-life cases mentioned above clearly show that they are valuable targets for cybercriminals nonetheless. This makes them a potential liability to a business’s cyberdefenses.

This is why having complex, multilayered protection for your mobile devices within a unified cybersecurity platform is so important. If you want to protect that Achilles’ heel and are interested in ESET solutions for companies and their mobile devices, click here.