Our recent Threat Report showed that while overall threat detections fell by 13.2%, one category thrived: Android. It registered a remarkable 57% growth in detections, driven by a 163% increase in Adware and an 83% increase in HiddenApps detections. Whilst Android users worldwide are being targeted, the countries with the most detected threats over the past 12 months were, unsurprisingly, Ukraine (9.3%) and Russia (9.2%).
Today, we all carry a phone in our pocket. In fact, there are more active mobile devices in the UK than people (85 million versus 68 million). But how are cyber criminals targeting Android devices, are we seeing the same with Apple devices, and will the rise of technologies such as ChatGPT present new threats in the months to come?
The most prevalent Android threats
Adware and HiddenApps were responsible for much of the growth in Android threat detections. The Adware in question was mostly found in third-party stores, bundled with legitimate apps. These Potentially Unwanted Applications (PUAs) are cases where the user wants a specific app but is never told that its real cost is paid by watching ads. The most prevalent example was Fyben, which saw 1100% growth in detections. Fyben was bundled mostly with mobile games, many of them released in the run-up to the holiday season. Detections were highest in Ukraine, Mexico, Brazil, Russia and Turkey, most likely because the games were not otherwise available in those countries, so users were more inclined to download them from unofficial sites.
The other most prevalent category, HiddenApps, is a type of Android threat in which a deceptive app hides its own launcher icon and then stealthily displays ads. Because there is no icon to find, a less experienced user can struggle to uninstall it.
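A HiddenApps-style app keeps running and serving ads after it has disabled its launcher icon, so a practical triage check is to diff a device's installed third-party packages against the set of packages that still resolve a MAIN/LAUNCHER intent. The script below is an added example, not code from the original article or from ESET. Its two inputs are constructed samples; on a real device they would come from `adb shell pm list packages -3` and `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, and the line shapes the parsers expect (`package:<name>` and indented `<package>/<activity>` entries) are assumptions documented in the code.

```python
"""Flag third-party Android packages that expose no launcher activity.

Added example, not from the original article or ESET. The output formats
assumed for the two adb commands are documented next to each parser; verify
them against your device before relying on the script.
"""
import re
import subprocess

# Constructed sample: assumed shape of `pm list packages -3`, one
# `package:<name>` per line.
SAMPLE_PACKAGES = """\
package:com.example.notes
package:com.example.puzzlegame
package:com.adnet.hiddenflash
package:com.example.weather
"""

# Constructed sample: assumed shape of `cmd package query-activities --brief`,
# a header line followed by indented `<package>/<activity>` lines.
SAMPLE_LAUNCHER_QUERY = """\
3 activities found:
  com.example.notes/.MainActivity
  com.example.puzzlegame/com.example.puzzlegame.GameActivity
  com.example.weather/.LauncherActivity
"""

PACKAGE_RE = re.compile(r"^package:([A-Za-z0-9_.]+)\s*$")
COMPONENT_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)/\S+$")


def parse_package_list(text: str) -> set[str]:
    """Package names from `pm list packages` output; ignores unrelated lines."""
    return {m.group(1) for m in map(PACKAGE_RE.match, text.splitlines()) if m}


def parse_launcher_components(text: str) -> set[str]:
    """Package names that own at least one launcher-resolvable activity."""
    return {m.group(1) for m in map(COMPONENT_RE.match, text.splitlines()) if m}


def packages_without_launcher(package_list: str, launcher_query: str) -> list[str]:
    """Installed third-party packages that no longer appear in the launcher."""
    installed = parse_package_list(package_list)
    visible = parse_launcher_components(launcher_query)
    return sorted(installed - visible)


def adb_shell(args: list[str]) -> str:
    """Run a shell command on the attached device (assumes adb is on PATH)."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in adb_shell([...]) calls
    # for a live device.
    for pkg in packages_without_launcher(SAMPLE_PACKAGES, SAMPLE_LAUNCHER_QUERY):
        print("no launcher entry:", pkg)
```

Treat a hit as a lead, not a verdict: keyboards, wallpapers, plugins and some SDK-only packages legitimately have no launcher activity, so the shortlist still needs a look at the package's permissions, install source and whether it is drawing ads. The check also misses an app that simply was never given a launcher activity in the first place, which is why it belongs alongside, not instead of, a mobile security product.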
These are by no means the only threats, though. Cybercriminals also favour Clickers, which open ads and click on them in the background. Clickers are usually bundled with useful legitimate apps and placed in app stores, including official ones such as Google Play. They earn money from advertisers without the user ever knowing the ads are being shown. Whilst they often stay under the radar, they can noticeably affect a device's performance and data usage.
Other threats seen recently on Android include the Spy.Agent.BOC spyware, which used the lure of exclusive World Cup news and live broadcasts to steal SMS messages, contact lists, photos and more; trojanised versions of legitimate VPN apps that exfiltrated contacts, SMS messages, device location, recorded phone calls and more; a backdoor delivered in a trojanised copy of the Shagle video-chat app that lifted messages from popular chat and social media apps; a new version of the FurBall malware, used for mobile surveillance of Iranian citizens; and the continued scourge of the well-known Android banking malware families Cerberus and Hydra.
The most prevalent macOS threats
Whilst Android threats continued to grow in prevalence, most types of macOS detections declined slightly over the same period. The only exception is PUAs, whose detections rose by 3.3%; they remain the most widespread type of macOS detection, accounting for 52%. Whilst not malware as such, PUAs can, as mentioned above, degrade device performance, and because they are often granted extensive access to macOS processes and files they also increase the chance of the user being infected with actual malware.
The second most prevalent category of macOS detections, Adware, includes common threats such as OSX/Pirrit, OSX/Bundlore, OSX/Genieo, OSX/MaxOfferDeal and VSearch. It did, however, decrease by 15.4% in total over the period analysed.
ESET telemetry registered the most macOS detections in the United States (20.7%), Japan (11.7%), France (7.7%), Germany (5.6%) and the United Kingdom (4%), all countries where Apple devices are particularly popular.
Even though detections across Apple devices are decreasing, various groups continue to develop new threats for them: the Alchimist attack framework, which deploys a cross-platform malware called Insekt with remote-administration capabilities; the SentinelSneak supply-chain attack, which used a malicious Python package posing as a software development kit from SentinelOne; and KeySteal, a keychain-stealing malware embedded in a trojanised open-source application, although it was rarely seen in the wild.
Besides malware, vulnerabilities and bugs are a real cause for concern for Apple users. macOS was once thought of as watertight, yet Ventura 13.0 shipped with a bug that blocked security products from the access they need to run their scans. Apple has also been accused of not taking bugs seriously enough, because it does not always patch the same bug in older versions of its software: a vulnerability that is actively exploited and patched in 13.x may go unaddressed in 12.x, leaving users who cannot upgrade exposed.
In many ways this is a pivotal time for Apple. After a tug of war with US agencies, the company has finally decided to expand end-to-end encryption in its iCloud service. This is obviously a good thing. However, the feature, called Advanced Data Protection for iCloud, is off by default and still has to be enabled by the user. It is available on iPhones with iOS 16.2, iPads with iPadOS 16.2, Macs with macOS 13.1 and various other Apple devices.
New threats are coming
At the beginning of 2022, it was predicted that we would see the mobile device threat scene dominated by malware allowing cybercriminals to cash in on cryptocurrencies. However, the drastic downturn in the value of cryptocurrencies led to the bad guys pivoting quickly.
As the world wakes up to the potential uses, and dangers, of artificial intelligence (AI) apps such as ChatGPT, malware writers have already started experimenting with the technology to develop new tools. Unfortunately, because such tools lower the effort needed to produce and adapt code, attackers will be able to pivot quicker than ever before.