Android more vulnerabilities, iOS more zero-days

smartphone

Mobile security company Zimperium has released its annual mobile threat report, in which security trends and discoveries over the past year have laid the foundation for predicting what will happen in 2022.

In general, the focus of malicious actors on mobile platforms has increased compared to previous years, mainly due to the pressure of the global workforce towards remote work.

This focus was reflected in increased malware distribution volumes, phishing and smishing attacks, and increased efforts to discover and exploit zero-day exploits.

Volume of phishing sites targeting mobile usersNumber of phishing sites targeting mobile users (Zimperium)

Zero-day vulnerabilities are disclosed or actively exploited bugs with no vendor or developer fixes. Since it is essential to fix zero-day bugs, vendors generally rush to release security updates as soon as they are announced.

However, according to Zimperium’s customer stats and a survey conducted for the report, only about 42% of people working in bring your own device (BYOD) environments deployed high-priority solutions within two days of release.

About a third took up to a week, while a significant 20% failed to patch their mobile devices before hitting the two-week mark.

Threats by Region

In 2021, actors focused more on remote workers or on-premises mobile devices, leading to more malicious network scans and man-in-the-middle (MiTM) attacks. These attacks aim to steal sensitive information that plays a critical role in larger attacks on corporate networks.

The most common threats to any region of the world in 2021 were the following:

Asia/Pacific – malicious websites, malware, MiTM Africa – malware Europe – malware, malicious local scans, MiTM North America – malware, MiTM South America – malware, malicious local scans

Globally, mobile malware was an issue found in 23% of all endpoints protected by Zimperium in 2021, followed by MiTM (13%), malicious websites (12%) and scans (12%).

Mobile Threat Types Recorded Globally in 2021Types of mobile threats registered worldwide in 2021 (Zimperium)

Android vs iOS

The mobile operating system market is dominated by a duopoly of Android and iOS, so it’s inevitable that all comparisons under any spectrum revolve around the two.

In terms of security in 2021, Android generally appears to be more vulnerable than iOS, but the latter tends to have more severe vulnerabilities.

By volume, 574 vulnerabilities were discovered in Android in 2021, a remarkable reduction from 859 in 2020, while 79% of them were characterized by low attack complexity. This categorization identifies flaws that are easy to exploit.

Of the 574 Android errors, 135 (23%) had a CVSS score above 7.2, while 18 were rated critical.

On iOS, security researchers found 357 new vulnerabilities in the last year, but only 24% of them are considered low-complexity bugs.

In addition, only 63 (17%) have a CVSS severity rating higher than 7.2, but 45 of the errors are critical, meaning their use could lead to a significant breach of a device.

This makes iOS a more challenging but lucrative target because the flaws are hard to put into action, but the payoff is greater.

This hypothesis is confirmed by the 2021 zero-day stats, with iOS vulnerabilities responsible for 64% of all 17 exploited zero-day attacks on mobile devices in 2021.

Mobile OS Zero Days Abused in the WildMobile OS Zero Days Abused in the Wild (Zimperium)

“In 2021, 11 separate zero-day exploited in-the-wild vulnerabilities were revealed targeting Apple iOS and Apple WebKit, accounting for 19% of all zero-day exploits for the year,” Zimperium’s report reads.

Zimperium also analyzed the most popular apps in the financial, healthcare, retail and lifestyle categories on the Google Play Store and the Apple App Store. The bottom line is that apps are important security liabilities for mobile devices.

Zimperium's bulk app security reviewZimperium’s bulk app security review

Most notably, 80% of financial apps for Android use vulnerable encryption, while 82% of retail apps on iOS offer no code protection.

Outlook for 2022

As the importance of mobile devices in life and work continues to grow and the number of smartphone users reaches new heights, threat actors are expected to continue their efforts to attack users on the go.

Even with semiconductor shortages causing delivery problems before 2022, smartphone shipments are predicted to reach $1.43 billion. Unfortunately, many of these devices will be the weakest link in the security chain of large organizations, which is why they will be the target of experienced hackers.

Zimperium’s research found that 84% of today’s security professionals had enabled Microsoft Office 365 on mobile, and 38% of them were in the process of securing these second-stage deployments.

This metric perfectly reflects how many organizations have sacrificed strict security controls to support productivity and business continuity in times of dramatic change.

Compared to previous years, both Google (Android) and Apple (iOS) have come a long way in terms of security, and their mobile systems are robust enough to preclude easy abuse.

Today, threat actors are forced to discover multiple vulnerabilities and link them together to achieve meaningful goals, so it is becoming increasingly difficult to execute these attacks.

Some of the most notable mobile security discoveries and solutions in the past year include:

While it’s too early to know exactly what will happen in 2022, we can expect more of the same.

As such, the key to keeping your devices safe is to reduce the number of apps installed to the bare minimum. Unfortunately, the more apps you use, the greater the risk to your data.

Finally, keep your mobile OS up to date by applying the available security updates, and for Android, use an AV tool, activate Play Protect and check the app permissions regularly.

This post Android more vulnerabilities, iOS more zero-days

was original published at “https://www.bleepingcomputer.com/news/security/2021-mobile-security-android-more-vulnerabilities-ios-more-zero-days/”