MOBILE SECURITY REPORT 2021 MOBILE SECURITYREPORT 2021INSIGHTS ON EMERGING MOBILE THREATS 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
02MOBILE SECURITY REPORT 2021CONTENTS03INTRODUCTION04KEY FINDINGS: AN EXECUTIVE SUMMARY05THE NETWORK: AT THE HEART OF MOBILE ATTACKS06THE MOBILE APP: EVERYONE IS AT RISK09THE DEVICE: VULNERABLE BY NATURE11MDM: A POWERFUL NEW ATTACK VECTOR12MAJOR ACTORS ON THE PROWL13THREATS ON THE HORIZON14HARMONY MOBILE: ADDRESSING MOBILE PROTECTION NEEDS15ABOUT CHECK POINT SOFTWARE 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
03MOBILE SECURITY REPORT 2021INTRODUCTIONThe sudden and swift transition of the global workforce to the home, as spurredon by the outbreak of the coronavirus pandemic, has forced organizationsworldwide to make significant changes to their infrastructures so theiremployees can be productive and comfortable as they work almost exclusivelyfrom home.In this new paradigm, the mobile device is used more than ever to accesscorporate systems, both for routine as well as for critical tasks. This hasgreatly extended the attack surface and made the mobile device moresusceptible than ever to cyber threats, such as phishing scams, maliciousapps, man-in-the-middle attacks, rootkit, and more.US MOBILE WORKERPOPULATION FORECASTIDCIndeed, Check Point researchers have been observing a continuous rise inthe number of attacks and data breaches that are coming in through themobile endpoint. As such, it has become all too clear that the new normalmeans more numerous and more sophisticated mobile security threats,making robust mobile security a key business imperative.60%BY 202493.5MERKOEWRSTo help organizations understand where the potential vulnerabilities are, howthey are being exploited by threat actors, and how to protect against attacks,Check Point presents this Mobile Security Report.BILMO78.5M20202021202220232024In this paper we provide insights into the mobile threat landscape thatdominated in 2020, including the attacks and campaigns, as well as whyenterprise-grade mobile security is the only way to reduce the attack surfaceand stay ahead of cybercriminals as we move ahead in the new normal.And this move to remote work will not go away any time soon, even after themass distribution of a vaccine. According to a new forecast by IDC, the USmobile worker population will continue grow at a steady rate over the next fouryears, increasing from 78.5 million mobile workers in 2020 to 93.5 million in2024. Furthermore, by the end of the forecast period, IDC projects that mobileworkers will account for nearly 60% of the total US workforce.Neatsun ZivVice President of Threat PreventionCheck Point Software TechnologiesMETHODOLOGYThe insights contained in this report are based on data that was collected from January 1st, 2020 through December 31st, 2020, from 1,800 organizations that havedeployed Harmony Mobile, Check Point’s mobile threat defense solution, formerly known as SandBlast Mobile. The information contained herein is also based oncomprehensive research that was performed by Check Point Research, the intelligence and research arm of Check Point, as well as that which has been madeavailable by various mobile security vendors and security focused publications. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
04MOBILE SECURITY REPORT 2021KEY FINDINGS:AN EXECUTIVE SUMMARYIn 2020 we saw the attack surface continuouslyexpanding, with 97% of organizations facingmobile threats that originated in multiple vectorsincluding applications, networks, devices, and OSvulnerabilities.Over the past year, researchers at Check Point have been observing a rise in thenumber of attacks and data breaches that have come in through the mobileendpoint.With 97% of organizations having faced mobile threats and with 46% having hadat least one employee download a malicious mobile application that threatenednetworks and data, we can see that the threat to the mobile endpoint hasbecome greater than ever and must be well accounted for by every organization.(Check Point Research)AMONG THE KEY FINDINGS OF THE RESEARCH ARE:1COVID-19 is the new app attackpremise, with skilled threat actorsexploiting the public's concerns withthe pandemic via malicious apps thatare masquerading as providers oflegitimate help in times of crisis.2Ransomware has gone mobile asin the case of Lucy, aMalware-as-a-Service (MaaS)botnet and dropper for Androiddevices.4Mobile Device Management (MDM)is a powerful new attack vector aswas seen, for example, with a newCerberus malware variant thatinfected over 75% of one company’sdevices via corporate-owned MDM.5Major threat groups are focusing onmobile, conducting elaborate andsophisticated targeted attacks,improving their mobile arsenal withcapabilities that have yet to been seenon mobile.Mobile devices are inherentlyvulnerable as was uncovered inAchilles, a Check Point research,where it was noted that over 400vulnerable pieces of code were foundwithin a Qualcomm DSP chip. Thesignificance of this cannot beunderstated with Qualcomm providingchips for over 40% of the mobile phonemarket.3 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
05MOBILE SECURITY REPORT 2021THE NETWORK:AT THE HEART OF MOBILE ATTACKSAlmost every organization in our research sample experienced at least one mobile malwareattack in 2020. And 93% of these attacks originated in a device network.DEVICE NETWORKATTACKSMost of these attack campaigns aim to gain a better foothold in the device by attempting todupe the targeted user into installing a malicious payload through infected websites or URLs.PER TYPECheck Point Research, 2020In addition, almost all of the network-based attacks either constitute a phishing attack that isattempting to steal the victim’s credentials and impersonate the victim in a later attack, or acommand-and-control communication of a malware that is already on the device.52%PhishingBEWARE OF THE MAN IN THE MIDDLENetworks that are not well protected pose a serious threat to mobile devices. Forexample, when the network is not sufficiently secured, attackers can intercept trafficthrough man-in-the-middle (MitM) attacks, or lure employees into using rogue Wi-Fihotspots or access points.One of the most dangerous threats in this context is traffic interception, otherwiseknown as MitM. This is often executed through rogue access points, which takeadvantage of familiar and trusted public Wi-Fi names (SSIDs).Users may see the name of a legitimate company or brand and connect to it withouta second thought. While some of these hotspot names are obviously misspelled(e.g., Starbuckz), many do look perfectly legitimate, and users might even have theaccess point already stored in their device, causing it to connect automatically.23%InfectedWebsite/URL 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED25%CNCServer
06MOBILE SECURITY REPORT 2021THE MOBILE APP:EVERYONE IS AT RISKAccording to research published in the 2021 Check Point Cyber Security Report, 46% oforganizations have had at least one employee download a malicious mobile application thatthreatened networks and data, making this a prominent threat that must be on everyorganization’s radar.Below are provided some of the most damaging threats associated with app downloads in 2020.BANKERS, MRATS, AND DROPPERSBanking Trojan malware families are used to steal personal or corporate data by obtainingfraudulent access to funds and installing additional malware on the device after gaining aninitial foothold.The increased use of mobile devices during lockdown and social distancing may also beresponsible for the substantial growth in bankers.TOP-52020 MOBILEMALWAREThe Guildma threat actor introduced Ghimob, which is capable of performing transactions onaccounts with financial institutions in Brazil, Paraguay, Peru, Portugal, Germany, Angola andMozambique.1. HiddadThe newly discovered Eventbot focuses on targets in the U.S. and Europe while Thiefbot aims atTurkish users. The list continues with Blackrock, Wroba, TrickMO and others, all of which showthe increase in baking Trojans’ activity.2. xHelper3. Necro4. PreAMoCORONAVIRUS-RELATED5. GuerrillaPandemic-driven attacks contain a range of malware that is focused on stealing a user’ssensitive information or generating fraudulent revenues from premium-rate services, andinclude Mobile Remote Access Trojans (MRATs), banker Trojans, and premium dialers.To learn more from the Check Point research, click here. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
07MOBILE SECURITY REPORT 2021THE MOBILE APP:EVERYONE IS AT RISKPOPULAR APP VULNERABILITIESAmong the applications that had major vulnerabilities in 2020 are the world’s most popular socialapps, including Facebook, Instagram, WhatsApp:FACEBOOKINSTAGRAMWHATSAPPIn November 2020, a FacebookMessenger vulnerability wasdiscovered through thecompany’s bug bountyprogram. Had it not beenpatched it could have allowed ahacker to call the user andlisten to them on their deviceend even if the call wasn’tanswered.In September 2020, CheckPoint announced that it haddiscovered a criticalvulnerability in Instagramthat could have been used toperform remote codeexecution on a victim’sphone.Check Point also uncovereda vulnerability in WhatsApp,which if exploited wouldcause the app to crash andlose data. In addition, in alate 2020 update, WhatsApppublished 15 new CVEs.GOOGLE PLAY COREBut it’s not just the social networks that were rife with vulnerabilities. The Google Play Core Library,an app’s runtime interface with the Google Play Store also suffered from a persistent code executionvulnerability. If a malicious application exploits this vulnerability, it can gain code execution insidepopular applications and have the same access as the vulnerable application.It is estimated that 8% of all Google Play Applications had been compromised by this vulnerabilitysince September 2019. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
08MOBILE SECURITY REPORT 2021THE MOBILE APP:EVERYONE IS AT RISKNEW AND EMERGING THREATSMALICIOUS APPSThe new and emerging threats that have come to the fore in 2020 and which are expected to continueto wreak havoc in 2021 include the malicious COVID-19 related apps, as mentioned earlier.TOP-5MITRE ATT&CK TECHNIQUESIn addition, there is the Tekya Clicker which was found hidden in 24 children’s games and 32 utilityapps on Google Play, highlighting once again that the Google Play Store can still host malicious apps.Premium dialers are another threat to be aware of. These include, WAPDropper, an Android malwarethat subscribes victims to telco-provided premium services, and the Joker malware, whoseproliferationCheck Point has found to have experienced a 100% increase in its infiltration of Google Play, includingthree new variants in 2020.Among the top techniquesidentified by Check Point tohave been used by mobilethreat actors in 2020, arethose that are related to datagathering and locationtracking:CLICKERS1. File and directory discoveryDIALERSIn this group, an impactful threat in 2020 was the campaign of the clicker family Haken, which CheckPoint researchers discovered during the early part of the year.(MITRE T1420, DISCOVERY)2. Data from local systemThis campaign was launched on Google Play with eight malicious applications that garnered over50,000 downloads. The capabilities of this clicker include getting a hold of as many devices as possibleto generate illegitimate profit.(MITRE T1533, COLLECTION)3. Location tracking(MITRE T1430, COLLECTION)AD-FRAUD4. Location trackingThe two most prevalent types of app-generated ad-fraud include rough ad networks that display adsoutside of the application’s scope, and auto-clickers that mimic the target victim’s interactions with ads.5. Application discovery(MITRE T1430, DISCOVERY)(MITRE T1418, DISCOVERY)In addition to the damage they cause publishers, they also impact the user experience by draining thedevice’s battery and by compromising the device owner with data theft and by enabling financial fraudvia subscription to services. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
09MOBILE SECURITY REPORT 2021THE DEVICE:VULNERABLE BY NATUREIn the Check Point Achilles research discussed earlier, we presented the fact that at least 40%of the world’s mobile devices are inherently vulnerable to cyberattacks.As we can see, vulnerabilities are not exclusive to the operating systems of mobile devices butcan also be inherent to the actual hardware. This means that when the threat is deeplyingrained in the device, it is often hidden and typically attacks by surprise, leaving users andorganizations unprepared.THE IMPACT OF HARDWARE VULNERABILITIESWhen the vulnerability is hardware based, such as with the Qualcomm DSP chip mentionedearlier, the damage can bring the following impact on users: Attackers can leak informationincluding photos, videos, call-recordings, real-time microphone data, GPS and locationdata, and more, and without any user interaction required. Attackers can render the mobile phone unresponsivewhere the owner would have to factory reset the device, causing its entire contents to bepermanently deleted. Malware and other malicious codecan completely hide their activities and render them un-removable. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
10MOBILE SECURITY REPORT 2021THE DEVICE:VULNERABLE BY NATURETHE IMPACT OF OS VULNERABILITIESANDROIDiOSIn 2020 multiple vulnerabilities were discovered in Android, the mostsevere of which can enable remote code execution within the context ofa privileged process.The major vulnerabilities discovered in iOS in 2020, include: A ‘sign in with Apple’ bug that left any account exposed to a hijack attack;This vulnerability enables an attacker to install programs, view,change, or delete data, and create new accounts with full user rights. A zero-click vulnerability that enables threat actors with remote codeexecution and infection capabilities via sending emails that consume a lot ofmemory;StrandHogg, is another new privilege vulnerability that allows hackersto gain access to almost any app. A zero-click radio proximity exploit that can cause any iOS device inradio-proximity to reboot, with no user interaction;As for the good news, Samsung patched a zero-click vulnerability thathad been impacting all of its smartphones since 2014, as well as avulnerability that causes crashes in devices that are eligible forreceiving security updates. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED CheckRa1n and ROM, jailbreak vulnerabilities; and LightSpy, a modular malware that exploits a remote code executionvulnerability in the Safari browser. This malware grabs data from the iOSKeychain, which is responsible for handling credentials that are stored onthe device.
11MOBILE SECURITY REPORT 2021MDM:A POWERFUL NEW ATTACK VECTORDuring 2020, Check Point observed an event with significance that isfar-reaching. Namely, for the first time, corporate MDM was used asan attack vector.And the reason is that when it is breached, so is the entire mobile network.To illustrate, a new Cerberus malware variant infected over 75% of onecompany’s devices via corporate-owned Mobile Device Manager (MDM).Regrettably, the MDM’s most notable feature, and arguably the reasonfor its existence – a single, central control for the entire mobilenetwork, is also its major weakness.This malware is very damaging, for once installed, it can collect largeamounts of sensitive data, including user credentials, and send it to aremote command and control (C&C) server. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
12MOBILE SECURITY REPORT 2021MAJOR ACTORS ON THE PROWLThe mobile endpoint has become a very attractive target for various APT groups, such asAPT-C-35 (DoNot), APT-C-50 (DomesticKitten), RoamingMantis, and APT-C-23 (Hamas),who are conducting elaborate and sophisticated targeted attacks with a mobile arsenalwith new and advanced capabilities.For example: Machine learning tools are being used to bypass human verification mechanisms suchas captcha; They are stealing encryption keys for popular applications; and They are exploiting OS and popular applications vulnerabilities, among others.A noteworthy campaign is the newly discovered Firestarter campaign of DoNot, whichuses the legitimate Google service – Firebase Cloud Messaging, to notify its authors ofthe final payload location, and is therefore very difficult to detect.There is also Rampant Kitten, an ongoing surveillance operation by Iran that targetedexpats and dissidents for years, and which was unraveled by Check Point. A 2020 updateto the Rana Android malware enables snooping via Whatsapp and Telegram IM. And aHamas Android espionage malware was also discovered.In addition, mobile ransomware, which has long been associated with the traditionallandscape, has been found by Check Point to have evolved into a major mobile threat aswell.As noted earlier, one of the biggest threats in 2020 came from Lucy, aMalware-as-a-Service (MaaS) botnet and dropper for Android devices. And anothercomes from MalLocker.B, an advanced malware that is difficult to detect and manages toevade many available protections. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
13MOBILE SECURITY REPORT 2021THREATS ON THE HORIZONAs we have seen, the mobile threat landscape presented multiple, new, and great challenges to security in 2020. And when we look ahead to 2021 and beyond,we recommend that every organization take the following into consideration when crafting the security strategy for the year ahead:COMPLEXITY IS ON THE RISETHE PROLIFERATION OF DROPPERS IS INCREASINGCheck Point researchers have observed the increasing complexity inmalware functionality and infrastructure used by threat actors, as well asthe countermeasures that they are using to avoid detection.Another prediction for 2021 is the shift away from "direct malware" on officialmarkets towards the use of “droppers,” which are used by attackers to controlwhich payload is served, if any, or to bypass security evaluation by officialmarkets.Malware will keep evolving and adapting to the new techniques and methodsthat are employed by security vendors to protect users and their devicesagainst malicious actors who are attempting to gain access.MALWARE IS GOING NATIVETHIRD-PARTY HOSTS ARE MORE COMMONMore and more malware is implementing malicious behavior by usingnative-code, making it difficult for security vendors to detect maliciousbehavior, with Haken, Tekya, and Joker as a few examples.Check Point researchers have also observed that more and more malware isshifting away from inserting malicious code into applications. Rather, it is nowopting to assume the payload from a third-party party host.And due to the fact that malicious behavior is implemented in native code (asopposed to via Java) it also becomes harder to analyze and, therefore, harderto detect.For example, Joker aims at a hybrid approach with a variant that embeds thepayload as encoded class-strings, which decode and load the payload uponreceiving a command from the command-and-control server.IT’S ALL ABOUT THE MONEYFraudulent ad revenue and banking Trojans should also be on everyorganization’s radar.It may not be new that malicious actors are financially driven, seeking evernew methods to generate revenue from fraud. What is new is the growth inthe number of applications that conducted ad fraud over the past year, witha greater focus than ever on abusing the CPI model. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVEDRainbowMIX, for example, executed a single ad fraud campaign on GooglePlay, compiling over 240 Android applications, and having been downloadedover 14 million times.This is estimated to have flooded agencies with over 15 million dailyimpressions, and to have greatly impacted the user experience, usability,battery performance, and to have made it easier for second stage malwareto execute financial fraud and theft of sensitive information.
14MOBILE SECURITY REPORT 2021HARMONY MOBILE:ADDRESSING MOBILE PROTECTION NEEDSCheck Point is helping organizations all over the world secure the mobile endpoint with HarmonyMobile.Harmony Mobile is a Mobile Threat Defense solution that keeps corporate data safe by securing themobile devices of employees across every attack vector, including the network, apps, and operatingsystem.Designed to reduce admin overhead and increase user adoption, it fits perfectly into the existingmobile environment, deploys and scales quickly, and protects devices without impacting userexperience nor privacy.AMONG ITS UNIQUE CAPABILITIES ARE: Preventing malicious app downloads Preventing phishing across all apps Preventing man-in-the-middle attacks Blocking infected devices from accessing corporate apps Detecting advanced jailbreaking and rooting techniques and OS exploitsHarmony Mobile’s MARS app vetting feature enables security admins to easily analyze newapplications and provide internal app vetting during development cycles, enabling comprehensivesecurity and privacy review for app approval within the organization’s environments.To learn more about how Harmony Mobile can help you protect yourorganization’s mobile fleet, we invite you to schedule a personalized demo byclicking here. 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES LTD.Check Point Software Technologies Ltd. is a leading provider of cyber securitysolutions to governments and corporate enterprises globally. Its solutionsprotect customers from cyber-attacks with an industry leading catch rate ofmalware, ransomware and other types of attacks. Check Point offers amultilevel security architecture that defends enterprises’ cloud, network andmobile device held information, plus the most comprehensive and intuitiveone point of control security management system. Check Point protects over100,000 organizations of all sizes.CONTACT USWorldwide HeadquartersU.S. Headquarters5 Ha’Solelim Street, Tel Aviv959 Skyway Road, Suite 300,67897, IsraelSan Carlos, CA 94070Tel: 972-3-753-4555Tel: 800-429-439 / 650-628-2000Fax: 972-3-624-1100Fax: 650-654-4233Email: [email protected] learn more about us, visit: www.checkpoint.com 2021 CHECK POINT SOFTWARE TECHNOLOGIES LTD. ALL RIGHTS RESERVED
Premium dialers are another threat to be aware of. These include, WAPDropper, an Android malware that subscribes victims to telco-provided premium services, and the Joker malware, whose proliferation Check Point has found to have experienced a 100% increase in its inﬁltration of Google Play, inclu