According to a new report, nearly half of Android-based mobile phones used by US state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be exploited for attacks.
These stats come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million apps from 2021 to H2 2022.
The report also warns of an increase across all threat metrics, including attempted phishing attacks against government employees, reliance on unmanaged mobile devices, and liability points in networks.
Outdated mobile OS
Outdated versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to breach targets, execute code on the device, install spyware, steal credentials, and more.
For example, last week Apple released iOS 16.1, patching an actively exploited zero-day memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.
Lookout reports that ten months after iOS 15 was made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system.
The situation is much worse for Android: ten months after the release of version 12, about 30% of federal devices and nearly 50% of state and local government devices had yet to upgrade to the latest versions, leaving them exposed to vulnerabilities that can be exploited in attacks.
It should be noted that Android 13 is the latest version of the operating system, but it was released after the first half of 2022, from which this data was collected.
Notably, 10.7% of federal government and an additional 17.7% of state and local government devices were running Android 8 and 9, which reached end of support in November 2021 and March 2022, respectively.
Both of these operating system versions have over two thousand known vulnerabilities that Google won’t fix, and the list is only growing every month.
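The version-lag figures above are the kind of numbers an MDM compliance rule produces. The following is an added example (not code from the Lookout report or from Google) that classifies a constructed Android fleet inventory into current, outdated and unsupported devices, using the end-of-support months the article gives for Android 8 and 9 (the exact day is assumed to be the first of the month) and Android 12 as the baseline release for the H1 2022 data set. It also checks the device-reported security patch level, which is the better indicator of exposure than the major version alone.

```python
from collections import Counter
from datetime import date

# End-of-support dates reported in the article for Android 8 and 9.
# The article gives only the month; the first of the month is assumed here.
ANDROID_END_OF_SUPPORT = {
    8: date(2021, 11, 1),
    9: date(2022, 3, 1),
}

# Latest major release for the H1 2022 data set (Android 13 shipped later).
LATEST_ANDROID_MAJOR = 12


def classify(major: int, today: date) -> str:
    """Return 'unsupported', 'outdated' or 'current' for an Android major version."""
    eos = ANDROID_END_OF_SUPPORT.get(major)
    if eos is not None and today >= eos:
        return "unsupported"   # vendor no longer ships security patches
    if major < LATEST_ANDROID_MAJOR:
        return "outdated"      # still patched, but missing newer platform hardening
    return "current"


def patch_level_stale(patch_level: str, today: date, max_age_days: int = 90) -> bool:
    """True if the device's security patch level (YYYY-MM-DD, as reported by
    Android's ro.build.version.security_patch) is older than max_age_days."""
    return (today - date.fromisoformat(patch_level)).days > max_age_days


def fleet_report(devices, today: date):
    """Aggregate an inventory into per-state counts, percentages and the ids
    of devices whose patch level is stale regardless of major version."""
    counts = Counter(classify(d["android_major"], today) for d in devices)
    total = len(devices)
    report = {
        state: {"count": n, "pct": round(100.0 * n / total, 1)}
        for state, n in sorted(counts.items())
    }
    report["stale_patch_level"] = sorted(
        d["id"] for d in devices if patch_level_stale(d["security_patch"], today)
    )
    return report


# Constructed inventory for illustration, not real device data.
SAMPLE_FLEET = [
    {"id": "dev-01", "android_major": 12, "security_patch": "2022-06-05"},
    {"id": "dev-02", "android_major": 11, "security_patch": "2022-05-05"},
    {"id": "dev-03", "android_major": 9,  "security_patch": "2022-02-05"},
    {"id": "dev-04", "android_major": 8,  "security_patch": "2021-10-05"},
    {"id": "dev-05", "android_major": 12, "security_patch": "2022-01-05"},
    {"id": "dev-06", "android_major": 10, "security_patch": "2022-06-05"},
]

if __name__ == "__main__":
    for key, value in fleet_report(SAMPLE_FLEET, date(2022, 6, 30)).items():
        print(f"{key:18s} {value}")
```

The two checks are deliberately separate: a device on the latest major version can still be months behind on monthly patches (dev-05 above), and that is what a fleet dashboard should surface first.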
Mobile attacks are increasing
According to Lookout, the most common attack against mobile users is spreading malware, which accounts for around 75%, while credential harvesting accounts for most of the remaining percentage.
While basic malware typically infects Android mobile devices using fake apps, advanced spyware developers have been known to use zero-day vulnerabilities in targeted attacks against journalists, politicians, and activists.
Analysts say that comparing year-over-year statistics, malware distribution is gradually decreasing and credential theft attacks are increasing.
In 2022, 1 in 11 government employees monitored by Lookout was the target of a phishing attack, with managed and unmanaged devices having roughly the same targeting rate.
Of those who clicked on the malicious links and were warned of their mistake, 57% did not repeat their mistake, 19% clicked again, and 24% clicked more than three times.
To help secure devices, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a “Catalog of Known Exploited Vulnerabilities,” which lists vulnerabilities actively exploited in attacks together with a deadline by which federal agencies must remediate them.
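The KEV catalog is published as a JSON feed whose entries carry, among other fields, `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate`. The following is an added example (not CISA's own code) that loads a constructed fragment in that shape, optionally filters it to the mobile platforms this article is about, and buckets entries by remediation due date so that an agency can see at a glance what is already overdue. The CVE identifiers in the sample are placeholders, not real catalog entries.

```python
import json
from datetime import date, timedelta

# Constructed fragment shaped like the KEV JSON feed. The field names are the
# real ones; the CVE ids and dates are placeholders, not actual catalog data.
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Apple", "product": "iOS",
     "dateAdded": "2022-10-25", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-11-15"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Google", "product": "Android",
     "dateAdded": "2022-09-01", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-22"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleServer",
     "dateAdded": "2022-10-01", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-22"}
  ]
}
"""


def load_kev(text: str):
    """Parse the feed and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, today: date, platforms=None, soon_days: int = 7):
    """Bucket entries into overdue / due_soon / scheduled by their dueDate.
    platforms: optional set of product names to restrict the view to."""
    buckets = {"overdue": [], "due_soon": [], "scheduled": []}
    for entry in entries:
        if platforms and entry["product"] not in platforms:
            continue
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            buckets["overdue"].append(entry["cveID"])
        elif due <= today + timedelta(days=soon_days):
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["scheduled"].append(entry["cveID"])
    for bucket in buckets.values():
        bucket.sort()
    return buckets


def remediation_window_days(entry) -> int:
    """Days CISA allowed between dateAdded and dueDate for one entry."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print(triage(entries, date(2022, 11, 1), platforms={"iOS", "Android"}))
    for e in entries:
        print(e["cveID"], "window:", remediation_window_days(e), "days")
```

In practice the feed would be fetched from CISA and joined against the fleet inventory's OS versions and patch levels; the bucketing logic stays the same.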
However, while CISA advises state, local, and tribal governments to follow the same guidelines, they are not required to do so under this guideline.
Additionally, the report comes just days before the midterm elections in the United States, with Trellix and the FBI reporting that election workers and election officials are being targeted by phishing campaigns that aim to install malware or steal credentials.