Mobile threats have been around nearly as long as the mobile phone, but they continue to increase in number and complexity as mobile devices become more embedded in, and critical to, our everyday lives. What started out as a somewhat limited attack surface more than a decade ago has grown into a vast landscape of devices utilizing the iOS and Android operating systems. These devices include mobile phones, tablets, televisions, medical devices, alarm systems, and point-of-sale credit card payment systems, among others.
Mobile platforms are primed for exploitation by governments engaged in espionage. They provide a quick, all-in-one means to acquire sensitive data from precisely chosen targets. Mobile phones today offer access to user location, contacts, email, texts and instant messaging, as well as encrypted communication applications and business files. Mobile devices also often bridge the gap between a target’s professional and personal lives.
Targeted mobile espionage campaigns complement traditional computer network, human, and signals intelligence efforts and play to the advantage of governments stuck in an asymmetrical power imbalance with other nations. They also offer something traditional espionage means do not: plausible deniability and a lighter attack footprint.
Because of these advantages, the market for exploits targeting mobile devices has skyrocketed. As of this publication, the going rate for a zero-click exploit for the Android operating system has hit $2.5 million, while zero-click iPhone exploits have dropped to $1 million (Greenberg, 2019). These nosebleed prices reflect the increasing difficulty of producing reliable exploits given the significant financial and technological investments in security by smartphone manufacturers over the past several years. Yet, difficult does not mean impossible.
Indeed, the sheer scale of mobile malware in use by state or state-sponsored APT groups that BlackBerry researchers observed in producing this report, and the ease with which this mobile malware has been interwoven with desktop malware campaigns, show definitively that at least several nation states have overcome that barrier.