A previously unknown baseband vulnerability impacting Huawei cellphones, laptop WWAN modules, and IoT components was revealed at the recent Infiltrate Conference, raising questions about the security of millions of mobile devices. The disclosure came at the same time as mobile security vendor Zimperium reported that over two million mobile malware samples were found in the field last year, affecting over 10 million devices globally. The results also show that mobile and web application vulnerabilities caused security incidents at 42% of the firms questioned, with malicious apps responsible for 23% of the risks encountered.
According to the study, 30% of zero-day vulnerabilities specifically targeted mobile devices in 2021, posing a serious threat to their security. Unexpectedly, 64% of mobile-specific zero-day attacks used iOS vulnerabilities, debunking the myth that the iOS ecosystem is safer. Phishing attacks targeting mobile devices are widespread: 75% of examined phishing websites specifically try to exploit mobile users. Cloud misconfigurations also pose substantial risk, with 14% of Android and iOS apps that use public cloud backends having misconfigurations that expose user data.
The surge in zero-day vulnerabilities is concerning: 2021 saw a 466% increase in zero-day vulnerabilities exploited in active attacks against mobile endpoints. Pegasus, a notorious piece of malware that targeted over 50,000 people, including journalists, activists, and political figures, reappeared. The seriousness of these threats is demonstrated by the new price list from Zerodium, which offers up to $2.5 million for zero-click flaws that silently infiltrate Android devices, surpassing the $2 million price for comparable attacks on iPhones.
The critical need for patching has been highlighted by Google’s flagging of CVE-2023-20963 as a high-severity privilege escalation vulnerability impacting an Android framework component. According to the Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability has been added to the list of security holes that enterprises absolutely must repair.
A worrying development is the €8 million price tag placed on a zero-day iOS exploit that allows for remote code execution. The high demand for zero-click attacks that can run without the user’s knowledge illustrates the seriousness of the situation. Of the 58 zero-day vulnerabilities found by Google’s Project Zero last year, 23 have already been patched.
Zero-day threats can’t be completely mitigated, but taking the right precautions can limit vulnerabilities throughout your business ecosystem and threat landscape.