U.S. Government Employees Vulnerable to Mobile Attacks Via Obsolete Android And iOS

A recent study found that over half of the Android-based mobile phones used by state and local government workers in the United States were running outdated operating system versions, leaving them open to hundreds of potential attack vectors. These figures came from a survey by the cybersecurity company Lookout, which examined 175 million applications and 200 million devices between 2021 and H2 of 2022.

In addition, the research warns of an increase in all threat metrics, including phishing attempts against government personnel, reliance on unmanaged mobile devices, and weak points in mission-critical networks. Attackers can use flaws in outdated mobile operating systems to compromise targets, run programs on the device, install spyware, steal passwords, and more. For example, Apple patched iOS 16.1 last week to address a zero-day memory corruption vulnerability that hackers were actively exploiting to attack iPhone users and execute arbitrary code with kernel privileges.

According to Lookout, ten months after iOS 15 was made available to consumers, 30% of devices used by state and local governments and 5% of federal employees’ devices were still running outdated operating systems. For Android, the situation is significantly worse: ten months after the introduction of version 12, about 30% of federal devices and nearly 50% of state and local government devices still required an update, leaving them susceptible to flaws that may be used in attacks.

It should be noted that the most recent version of the operating system, Android 13, was launched after the first half of 2022, the period from which this data was gathered. Notably, 10.7% of federal government devices and another 17.7% of state and local government devices ran Android 8 or 9, which no longer received security updates after November 2021 and March 2022, respectively. There are currently over 2000 known vulnerabilities in these two OS versions, and the list is growing monthly. Google will not patch any of them.

Lookout reports that malware distribution accounts for roughly 75% of attacks on mobile users, while credential harvesting makes up most of the remainder. Advanced spyware makers employ zero-day vulnerabilities in targeted attacks on journalists, politicians, and activists, whereas commodity malware often infects Android mobile devices via phony apps. Researchers say that, year over year, cyberattacks involving credential theft are on the rise while malware distribution is steadily declining.

In 2022, phishing attacks targeted both managed and unmanaged devices, affecting 1 in every 11 government employees tracked by Lookout. After being notified of their mistake in clicking the fraudulent links, 57% of those people did not repeat it, 19% clicked twice, and 24% clicked three times. The U.S. Cybersecurity & Infrastructure Agency (CISA) has developed a “Known Exploited Vulnerabilities Catalog” that lists vulnerabilities currently being actively exploited in attacks, along with a deadline by which federal agencies must patch them. This catalog was created to help secure devices.

State, local, and tribal governments are not compelled to abide by this instruction, although CISA recommends that they do so. The FBI and Trellix allege that phishing attempts are targeting election workers and election officials to obtain credentials or install malware only days before the U.S. midterm elections.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.