According to Google Researchers, the days of mobile device compromise are upon us. Threat actors have developed a sophisticated methodology for exploiting vulnerabilities found in Chrome and Windows platforms, allowing for the installation of malware on Android and Windows mobile devices.

Background

By now, most of us are aware the BYOD is an abbreviation for the practice of using personal devices for work – in other words, Bring Your Own Device. For most organizations, BYOD is an accepted, although discouraged, inevitability. Employees not only prefer to use their own personal devices, in many instances, but they also seem determined to do so.

For employees, BYOD is advantageous because it gives them the flexibility to use a device they are familiar with, as well as perform job-related tasks, regardless of their location. For employers, in addition to improved worker productivity, organizations also benefit from reduced equipment costs since they are able to forego the purchase of expensive hardware including laptops, tablets and mobile devices. A superfluous win-win!

Unfortunately, with the mass migration of organizations across the globe to a work-from-home model as SARS-CoV-2 maintains its grip on the world’s economies, mobile device compromise has become an all too alluring vector for threat actors to ignore.

Zero-Day Exploits

Earlier this month, Google researchers identified what they are calling a ‘sophisticated hacking operation’ that exploited vulnerabilities in Google Chrome and Microsoft Windows, allowing mobile device compromise through the installation of malware on Android and Windows Devices.

At least four of the identified exploits were zero-days, indicating they took aim at vulnerabilities that, at the time*, were unknown to Microsoft, Google and a majority of cybersecurity researchers. The level of sophistication starts with the method of delivery. Threat actors distributed the exploits through what is known as ‘watering-hole’ attacks.

Watering-hole attacks start with the careful identification, and exploitation of high-traffic websites frequented by the targets of interest. These watering-hole websites are then “laced” with malicious code that is designed to install malware on visiting users’ devices. According to researchers, these ambush sites engage two separate exploit servers – one for Windows users, and another for Android users – each of which delivered different exploit chains.

* Google and Microsoft have since patched the security flaws.

These exploit chains are designed for efficiency and flexibility through their modularity.
Project Zero, Google Research Team

Signs of Sophistication

Through investigation, the Google Research Team recognizes that the attack chains are practical options for both mobile and desktop users, however, the success rate of mobile device compromise is higher due to the reduced size of the user interface. What sets this hacking operation apart, is not the use of zero-day exploits and clever use of infrastructure, but the efficiency, flexibility and strength of the attack code in tandem. It is very clear that this campaign was carried out by highly sophisticated threat actors.

Project Zero has yet to attribute the attack to anyone, however, it’s quite clear that the number of individuals with this sort of skill, and the means to do so, is quite small. The four zero-days identified by Project Zero include the following:

  • CVE-2020-6418 – Chrome Vulnerability in TurboFan (resolved February 2020)
  • CVE-2020-0938 – Font Vulnerability on Windows (resolved April 2020)
  • CVE-2020-1020 – Font Vulnerability on Windows (resolved April 2020)
  • CVE-2020-1027 – Windows CSRSS Vulnerability (resolved April 2020)


The identification of these exploits, by Project Zero, demonstrates that threat actors now recognize mobile device compromise as a valuable option as society becomes increasingly invested and dependent on their mobile operating systems for not only personal use, but business use as well. As individuals and organizations become more dependent on mobile, threat actors are prioritizing mobile devices, users, and apps as chief targets.

Threat actors are also aware of the fact that, even if users have automatic updates turned on, they can be quite slow to update their apps and operating systems – for instance, if they are not charged or plugged in at the initial prompt. In addition to this Project Zero has recognized evidence that the threat actors have intentionally developed exploits targeting older Android devices, past their support dates, noting that the Android landscape remains quite variable with a great number of devices that are never updated.

The Future

Although phishing has long been the most common method of mobile device compromise, the approach and consideration are on the rise due to the growth in mobile device use and the drive towards a remote workforce during the COVID-19 pandemic. By sending, receiving, and storing important company data, on personal mobile devices, users are putting their organizations at risk. Today, more than ever, it is absolutely vital for employees to remain aware, make use of best practices, and perhaps most importantly, not to underestimate the sensitive nature of the data being shared through mobile devices. If you would like to learn more about the true risk of mobile device compromise or any of our services, please contact us to learn more!