
United States Government Employees Exposed to Mobile Attacks from Outdated Mobile Operating Systems

A report from the cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications between 2021 and 2022, found that many mobile phones used by United States government employees were running outdated software. The report indicated that as of 10 months after the release of iOS 15, 5% of federal government devices and 30% of state and local government devices were running outdated software. As of 10 months after the release of version 12 for Android, 30% of federal devices and almost 50% of state and local government devices were outdated. Notably, 10.7% of federal employees and 17.7% of state and local government employees were running versions as old as Android 8 and 9. This outdated software leaves government employees exposed to thousands of vulnerabilities that could be exploited by a threat actor.

In 2021, approximately 1 out of 11 government employees monitored by Lookout was the recipient of a phishing attack. Of those who clicked on the URL and were made aware of their error, 19% repeated their mistake once and 24% clicked on a phishing email over three times. The primary goals of these phishing attacks have been malware delivery and credential harvesting. While commodity malware usually infects these devices through phishing attacks and fake applications, advanced spyware developers are known to use zero-day vulnerabilities in targeted attacks as well.

Analyst Notes

With bring-your-own-device (BYOD) policies becoming more and more common in the workplace, this report is a prime example of how an organization may be left vulnerable if these policies are not properly implemented. Organizations need to ensure that employees are properly updating devices in an efficient manner. Failure to keep devices current could lead to those devices becoming the vector for initial access within an environment. An attacker may use a compromised device to access email, communication platforms, and passwords, or to pull contacts for more targeted phishing attacks.

User education regarding keeping devices up to date is important in BYOD environments, but user education isn’t effective on its own, as many people continue to fall victim to the same attacks. With this in mind, the best ways to minimize risk would be to limit BYOD as much as possible and to ensure users are using a VPN when accessing corporate information from their personal devices.