Mobile devices

US government employees are being attacked by mobile phones from old Android and iOS systems

According to a new report, nearly half of Android cell phones used by US and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be exploited for attacks.

These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million apps from 2021 to the second half of 2022.

The report also warns of an increase in all threat metrics, including phishing attempts against government employees, reliance on unmanaged mobile devices, and liability points in mission-critical networks.

Old mobile operating system

Older versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to hack targets, run code on a device, plant spyware, steal credentials, and more.

For example, last week Apple released iOS 16.1, Determine actively exploited zero day A memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.

Monitoring Reports Ten months after iOS 15 was made available to users, 5% of federal government employees and 30% of local and state government machines were running older versions of the operating system.

The situation is much worse for Android, ten months after the release of version 12, approximately 30% of federal and approximately 50% of state and local government devices are still required to upgrade to the latest versions, and thus remain vulnerable to bugs that can be made. exploited in attacks.

It should be noted that Android 13 is the latest version of the operating system, however, it was released after the first half of 2022, from which this data was collected.

Android versions used ten months after v12
Android versions used ten months after v12 (Whatch out)

Notably, 10.7% of the federal government and another 17.7% of state and local government devices were running Android 8 and 9, which reached end of support in November 2021 and March 2022 respectively.

These two versions of the operating system carry over two thousand known vulnerabilities that Google will not fix, and the list only grows every month.

Mobile phone attacks on the rise

According to Lookout, the most common attack against mobile users is malware delivery, accounting for about 75%, while credential harvesting accounts for most of the remainder.

While commodity malware usually infects Android mobile devices with fake apps, advanced spyware developers are Known for using zero-day vulnerabilities in Targeted attacks Against journalists, politicians and activists.

Analysts say when comparing annual statistics, malware distribution is gradually declining, and credential theft attacks are on the rise.

In 2022, 1 government employee out of 11 Lookout employees was targeted with a phishing attack, with both managed and unmanaged devices having roughly the same targeting rate.

Among those who clicked on malicious links and were warned about their mistakes, 57% did not repeat their mistake, 19% clicked again, and 24% clicked three times.

How did government employees perform against phishing in 2021
How did government employees perform against phishing in 2021 (Whatch out)

To help secure devices, the US Cybersecurity and Infrastructure Agency (CISA) has createdCatalog of known vulnerabilitiesIt contains a list of vulnerabilities that have been effectively exploited in attacks and the deadline by which federal agencies must patch them.

However, while CISA advises state, local, and tribal governments to follow the same guidelines, it is not obligated to do so under this guidance.

Moreover, the report comes just days before the US midterm elections, as Trilex and the FBI have reported election workers And the election officials They are targeted with phishing campaigns to install malware or steal credentials.

#government #employees #attacked #mobile #phones #Android #iOS #systems

Leave a Comment

Your email address will not be published. Required fields are marked *