What did 2019 see for mobile security? More Punycode phishing, and jailbreaking returns

I previously spent several months examining 2018 in depth, so let’s see what the first couple of mobile security reports show for 2019.

At the beginning of last year, I reviewed recent mobile security stats provided by vendors like Lookout, Wandera, Zimperium, and Symantec for late 2017 and 2018. Now that it’s a year later, I wanted to see what happened in 2019 regarding mobile security—with a specific look at any numbers around phishing, how up to date OSes are, sideloading apps, and how often devices are being jailbroken or rooted. 

Zimperium and Wandera both recently released reports worth reading while IBM X-Force released their report on the entirety of the enterprise, giving us an additional look at whether mobile sees the same type of attacks as traditional endpoints.

Wandera mobile threat landscape

Wandera recently released their report [PDF] “Understanding the key trends in mobile enterprise security in 2020,” pulling data from their global network of “425 million sensors” across bring your own device and corporate-owned deployments.

Phishing was the defining issue during my dive into mobile security stats last year, and Wandera still sees this as the biggest worry organizations have today. One troubling aspect is that phishing methods keep getting refined. About 87% of successful mobile attacks are now done outside of email apps, and instead through messaging, gaming, and social media attacks. Attackers continue to work on making it harder for users to tell whether a URL is real or fake: 7% of URLs now use Punycode to trick users. We’re also seeing services like Let’s Encrypt used to give phishing URLs SSL certification, tricking users into clicking what they assume is a safe link because they see the HTTPS or the lock symbol in the address bar.

Regarding sideloaded apps, Wandera reports that 5.8% of iOS and 1.1% of Android devices had at least one sideloaded app. For iOS, that’s up from the 3.4% of devices in 2018 that had at least one sideloaded app, with this growth potentially due to the increased presence of BYOD deployments. Meanwhile, the percentage of Android apps having at least one sideloaded app is very low and at odds with Zimperium's data, which you'll see later.

Most people who used to jailbreak or root their devices did so to install third-party apps not in Google Play or the App Store. However, I found out last year that it’s super easy to sideload an app, reducing the need to jailbreak or root a device for that purpose. Yet, Wandera saw a 50% growth in the number of jailbroken iOS devices and a 20% increase in rooted Android devices. This surprised me, but people will always want to jailbreak or unlock their devices, with Wandera noting that jailbreaking/rooting is done to install unauthorized software functions and apps or to essentially unlock a device from one specific carrier.

One last data point I wanted to examine was just how up to date devices are in the enterprise, and the news wasn't great. The number of iOS devices being what Wandera calls “severely out of date” grew from 8.2% in 2018 to 29.1% in 2019 among their enterprise customers. Meanwhile, only 0.7% of Android devices were running a severely out of date version of the OS, which is a drop from 2% in 2018. When I previously spoke with them around Wandera’s mobile security data, they explained that a device was considered “out of date” if it was on a version of the OS with a CVE considered to be high severity. 

Zimperium mobile threat data

Let’s pivot now to Zimperium’s report, “State of Enterprise Mobile Security,” which dropped in early February. Zimperium pulled the data from their customer base of 45 million enterprise endpoints.

Unfortunately, in this report, Zimperium doesn’t have any data to share around phishing. They do acknowledge that phishing is a threat, but don’t have anything to show right now. Instead, their focus is on network-based attacks, which in their words, “dominated” last year, as 19% of mobile endpoints experienced a network-based attack. (Zimperium separates attacks and threats in the report, with an attack being an active attempt to hack a device versus a threat like unencrypted public Wi-Fi and captive portals.) Nearly 94% of those attacks were man in the middle variants (Zimperium counts any time someone attempts to hijack traffic to steal credentials/data or deliver an exploit).

Regarding sideloading apps, 48% of Android devices were found to have at least one, compared to 3% of iOS devices. Quite a difference from Wandera’s data, with Zimperium noting that for their customers, “users are the admins of mobile endpoints,” where they have the ability to download apps themselves without requiring an admin’s permission.

Much like Wandera’s data around OS updates, Zimperium’s data, too, shows that devices aren’t being kept up to date as well as they once were. About 48% of iOS devices were four versions (minor updates are counted as a version) behind the latest, while 58% of Android devices were at least two or more versions behind.

IBM X-Force

Lastly, I looked at the IBM “X-Force Threat Intelligence Index 2020,” which released this week, to get an idea about the security issues facing all endpoints in the enterprise.

The top infection vectors for all endpoints for 2019 is split three nearly even ways between phishing (31%); scan and exploit (29%), attackers scan a system for unpatched vulnerabilities they can exploit; and stolen credentials (29%). IBM actually reports that phishing dropped from 44% to 31% in a year, while scan and exploit went from 8% to 29%--quite a big leap. IBM X-Force says that we’ll likely continue to see the risk surface for organizations continue to grow: there’s already over 150,000 publicly available vulnerabilities for which attackers can scan against.

Thoughts on what we’re seeing

While it’s just two mobile security reports, it does provide an interesting initial look at 2019. Organizations are starting to see iOS devices not being updated as regularly. Interestingly, Zimperium’s customers are much more likely to be behind on Android updates than Wandera’s.

Phishing remains a huge worry for the enterprise, but looking at Wandera and IBM’s data, it’s a bigger worry for mobile endpoints. It’s easier to trick users into clicking on malicious links by having them appear legitimate with Punycode. Usage of Punycode grew from being involved in 5.16% of phishing attempts in 2018 to 7% in 2019; this shows us that attackers see obfuscating the URL to have success in phishing attacks.

Lastly, I was actually surprised to see a resurgence in jailbroken and rooted devices in the enterprise. Many who used to jailbreak or root their devices did so to install apps not found on official app stores, but given how easy it is sideload apps, maybe they found other reasons to do it. Jailbreaking did certainly come up in the news more often last year, such as when Apple accidentally undid a patch in 2019 and made it possible to easily jailbreak most devices.

Dig Deeper on Mobile security