Mobile Security: Key Events in 2022 – JDN

Nine events that significantly impacted the past year and will surely shape the security landscape in 2023.

In 2022 there was good news in mobile security, but also bad news: increasingly sophisticated attacks emerged, large-scale campaigns affected millions of people, and high-profile hacks cost companies dearly.

#1. Dark Herring: Targeting 100 million users

Cybercriminals continue to invest in tools and approaches that allow them to expand their reach and ultimately their profits. In January 2022, over 100 million Android users were targeted by the Dark Herring subscription scam campaign.

Around 470 rogue apps hosted on the Google Play Store bundled this malware. Once a user installed one of these apps, they were directed to a web page asking them to submit their phone number for verification. In reality, the fraudulently collected phone numbers were signed up, through the mobile operator's billing service, to an automatic charge of $15 per month. It often took victims months to notice, and they had little chance of recovering their money. Although the exact amounts are unknown, the financial damage suffered by consumers is estimated to run into the hundreds of millions of dollars.

#2. Pegasus: Detected spyware that continues to make headlines

There’s a big difference between detecting malware and eliminating the threats it poses. Pegasus is the perfect example. First discovered in 2016, it is still widespread. In 2021 it targeted tens of thousands of activists, journalists and government officials. In February 2022, Israeli law enforcement agencies were suspected of using this spyware to spy on public figures, including ministry officials and a family member of the prime minister. In April of the same year, Pegasus also hit a handful of senior European Commission officials, and finally, in May, the Spanish Prime Minister was targeted.

#3. TeaBot: a banking Trojan that infects 10,000 people

In March 2022, Cleafy reported that TeaBot, the Android banking Trojan, was downloaded over 10,000 times by unsuspecting victims before it was removed from the official Google Play Store.

The malware was distributed using a legitimate-looking application called “QR Code & Barcode – Scanner”. The application did offer the promised functionality, but immediately after installation it asked for permission to install an additional application, which contained several samples of the TeaBot malware. Once installed, that second app obtained permission to view and control the device’s screen and record keystrokes. These tactics allowed cybercriminals to access sensitive information such as login credentials and passwords sent via SMS. This malware targeted users in Hong Kong, Russia and the United States.

#4. Cash App Investing: 8 million potentially exposed users

In April 2022 it was announced that the data of more than eight million users of a stock-trading app had been exposed. Those affected were users of Cash App Investing, a mobile application operated by Block, a financial services company.

A disgruntled former employee was able to access company reports containing usernames, account numbers, holdings and more. Shortly after news of the attack broke, a class-action lawsuit was filed against the app provider and its parent company.

#5. FluBot: Android malware taken down

In May 2022, an international police operation took down the Android malware called FluBot. This massive operation, led by Europol and involving authorities across the EU and US, disconnected thousands of compromised devices from the FluBot network and prevented more than 6.5 million spam messages from reaching potential victims.

First discovered in 2020, FluBot has infected tens of thousands of devices worldwide, including more than 70,000 in Spain and Finland. Over time, those responsible for this malware refined their approaches, for example sending text messages about a delayed package delivery to trick users into clicking a malicious link. Later iterations also asked recipients to click a link to view a photo shared by a friend. They went so far as to warn potential targets that their devices were infected with the FluBot virus and that they should take immediate action by clicking on a malicious link.

The installed malware requested accessibility permissions that allowed the attackers to steal banking app credentials and cryptocurrency wallet details. FluBot also harvested the contact lists of infected devices and then sent SMS messages to those contacts to spread itself.

#6. 0ktapus phishing: More than 130 companies compromised

In August 2022, cybersecurity firm Group-IB published a report on a phishing campaign dubbed “0ktapus”. More than 130 companies were affected, including Cloudflare, DoorDash, Mailchimp and Twilio. The cybercriminals targeted employees at companies using Okta, one of the leading identity and access management offerings. They sent text messages with a link that pointed to a phishing site resembling Okta’s authentication page. Once victims submitted their credentials, the attackers could use those details to gain access to their accounts. They also launched multi-phased attacks: they compromised one service and then used it to attack another. For example, after breaking into Twilio’s phone number verification services, they attempted to target 1,900 users of the Signal instant messaging app.

#7. Uber Exposed: A large-scale attack carried out by a Lapsus$-affiliated hacker

In September 2022, Uber suffered a major attack. A hacker used social engineering techniques to gain access to an employee’s account: he repeatedly sent the employee notifications and, posing as an IT administrator, asked for access to her account. The Uber employee eventually provided the requested details. The hacker was then able to bypass multi-factor authentication and gain access to a number of internal systems. Ultimately, source code, internal databases, communication channels and more were all compromised. He even used a compromised Slack account to send a message to all employees notifying them of the breach.

Reports have linked this intrusion to the Lapsus$ group, a collective of cybercriminals responsible for attacks on a number of other leading companies (Microsoft, Nvidia, Rockstar Games and Samsung) earlier in the year. These attacks exposed the victims to ransom demands, not to mention the costs of investigation and remediation, negative publicity and lost productivity.

#8. RatMilad: A new spyware campaign

While spyware has long been used by states, steady advances in technology have made these tools even more accessible and easier to design and modify. New spyware variants were discovered throughout 2022, among them RatMilad, a previously unknown spyware campaign distributed by AppMilad, an Iranian hacking group. The Android malware was disguised as a phone number spoofing app, and the attackers used Telegram to spread messages urging people to download it. Once the app was installed and permissions were granted on the device, they could control almost the entire device. Through the spyware, the attackers could access cameras, record videos, obtain accurate GPS locations, and more.

#9. World Cup in Qatar: Visitors were warned about spyware

It is very likely that the mobile devices of visitors to the FIFA World Cup in November 2022 were infected with spyware. Visitors had to download two mobile applications: an official World Cup application called “Hayya” and “Ehteraz” (the local equivalent of the TousAntiCovid app). Experts warned that these apps are a form of spyware, allowing Qatari authorities to access individuals’ data and even view, delete or modify content on their phones.

Governments around the world have warned their citizens about the risks associated with this spyware and advised them to use a disposable phone or reset an old phone’s settings before entering the country.

The headlines of 2022 continue to remind us that protecting the smartphones used by employees is essential. While some of the attacks described above specifically targeted corporate employees, the fact remains that even attacks targeting consumers can ultimately expose corporate assets, including intellectual property and credentials.