Threat landscape about mobile devices

The ubiquity and systematic use of smartphones, along with the increasing number of features and data they handle, make them targets of interest for cyber-crime actors.

Published on 26 November 2025. Updated on 26 November 2025.

Mobile phones are an integral part of everyday life. Their use in every aspect of life, personal as well as professional, makes them a prime target for malicious actors. This document introduces the various technical methods deployed by malicious actors to compromise mobile phones, and also offers an overall view of the various cyber threats affecting mobile phones, accompanied by real-life examples of cyberattacks observed in France or elsewhere. It also addresses specific security recommendations to users of mobile devices.

A growing and sophisticated threat

Over the past three years, ANSSI has handled several cases of mobile phones compromised through the irresponsible use of spyware targeting individuals. The numerous communication protocols used, such as cellular networks, Wi-Fi, Bluetooth and NFC, suffer from several weaknesses facilitating the interception of exchanged information, or even the alteration of data in order to deploy spyware code on the devices. Operating systems and applications installed on the device may also constitute an intrusion vector for spyware deployment. Some sophisticated threats exploit chains of 0-day vulnerabilities that require no user interaction to compromise the device, usually referred to as zero-click. The sophistication and stealth of these infection chains, as well as the absence of detection solutions, significantly increase the difficulty of response efforts.

Furthermore, mobile phones are increasingly a prime target for cyber-crime actors. Their for-profit attacks involve less sophisticated malware and rely on social engineering methods to collect their victims’ personal and professional data. Depending on its nature, the collected data may be reused to launch phishing campaigns or to gain access to a related information system. The opportunistic nature of these for-profit attacks means that cyber-criminal activities impact individuals and organisations without regard for their geographical location or economic sector.

Cooperation to reduce the risks

Mobile phones can be targeted by state-sponsored offensive actors in the course of espionage or surveillance operations, drawing upon resources developed internally or by the national defense and industrial base, or acquired externally from specialised companies known as Private Sector Offensive Actors (PSOA). PSOAs can facilitate access to advanced capabilities for states which do not own these offensive technologies or for states wanting to complicate the process of attribution. PSOAs thus contribute to the multiplication of threat sources and to the uncontrolled dissemination of mobile-oriented offensive tools, which increases the threat level on mobile devices.

In response to these threats, France and the United Kingdom have launched consultations to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCIC). This initiative was named the Pall Mall Process at its formal launch in 2024 and has led to the production of a code of practice for states. It promotes both enhanced cooperation between manufacturers, to reinforce the security of mobile devices and to increase information sharing on observed threats, and recommendations on the legal frameworks regulating the use and the marketing of CCICs.

To accompany this overview, recommendations are provided along the way, to help reduce the attack surface of these devices both for individual users and for organisations and their Chief Information Security Officer (CISO).