Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

From Mainstream to MaliciousAs Xiaomi smartphones show an increase in popularity, a surprising pattern emerges: cybercriminals are following the same trends as everyday users. Our research uncovers a striking overlap between popular consumer devices and those favored in illicit online activities. Are attackers simply adopting what’s widely available, or does brand loyalty extend into the cyber underworld?

In September, media reports highlighted significant research findings by Counterpoint Research: Xiaomi surpassed Apple in August 2024 to become one of the world’s largest smartphone brands. This milestone underscores Xiaomi’s growing presence in the smartphone market. According to Counterpoint Research’s graphic (see Figure 1), Samsung and Apple frequently alternate in holding the top position, but Xiaomi tends to rise in popularity, especially during Apple’s predictable seasonal declines.

MainstreamBlogFig1

Figure 1. Counterpoint Research’s graphic from their website

The media totally exaggerates the significance of Xiaomi smartphones, especially when we take a global look at the figure above. While Xiaomi has gained attention for its growing market presence, it remains far behind industry giants like Apple and Samsung in terms of both sales volume and overall popularity. Nevertheless, Xiaomi has shown steady growth, carving out a respectable portion of the market. This consistent increase suggests that, although Xiaomi may not rival the market leaders yet, it is establishing itself as a notable player with a promising trajectory.

Given that these three brands command the largest share of the smartphone market, it raises the question of whether cybercriminals, compared to the general population, follow similar trends in device preference.

To explore this, we analyzed data collected from our research honeypots and our open-source tool, PyRDP. PyRDP is an advanced tool that captures and analyzes attacks on remote desktop protocol (RDP) connections, logging essential details such as the « client name » (the name of the device connecting to our systems). From February 2021 to December 2023, we collected data on 29,169 unique hits containing client names, allowing us to determine the type of devices that attackers use to access our honeypots.

Phone usage to connect to RDP

One of the interesting observations of our honeypot data was that attackers do not exclusively use computers to connect to our system through RDP. There are also instances of phone usage. Our findings indicate that a small subset of attackers—0.85% (or 250 cases)—connected via smartphones rather than traditional computers.

With our data, it is impossible to know for sure what are the reasons why a malicious actor might use a phone over a computer to access our system through RDP, but we came up with some hypotheses. Besides the fact that smartphones provide better mobility than a computer, phones may have different network identifiers (e.g., mobile IP addresses or VPNs) that are less likely to match known malicious patterns that Intrusion Detection Systems (IDS) might flag. Some cybersecurity defenses might not prioritize phone connections in their alerting protocols, potentially lowering the chances of detection. In the same vein of avoiding detection, mobile devices often leave a smaller digital footprint, particularly if the actor is using temporary or « burner » phones. Phones can connect through different networks, avoiding association with known malicious IP addresses tied to desktop environments. Finally, connecting over mobile data rather than a potentially monitored Wi-Fi or wired network can provide an extra layer of obscurity, as mobile network IPs rotate more frequently.

Device Popularity Across Brands

In Table 1, we present a detailed list of all smartphone brands used to connect to our RDP system, along with the frequency of their usage over the past three years. Our data reveals a striking trend: attackers connecting via smartphones show a strong preference for iPhone, Xiaomi, and Samsung—remarkably similar to the order of brand popularity in the general population. This alignment suggests that cybercriminals’ choices in mobile devices often mirror general consumer preferences.

MainstreamBlogTable1

Table 1. Frequency of each smartphone brand used to connect to RDP

In a previous blog, we noted a similar finding in browser preferences, observing that attackers tend to favor the same popular browsers as the broader public. This reinforces the notion that cybercriminals may not be as different from typical users as one might expect. Their tech preferences align with mainstream trends, suggesting that even within the realm of illicit online activity, brand and tool preferences follow familiar consumer patterns.

This observation underscores an interesting point: while motivations may differ, cyber delinquents remain influenced by the same technology trends and brand loyalty that shape the broader digital environment.

 

Popularity Trends Over Time

To observe the increase of popularity over time, we mapped the number of instances in which an attacker would connect with one of the biggest smartphone brands over three years. One of the initial observations drawn from this (see Graph 1) is the marked increase in smartphone usage for accessing RDP in 2023. This upward trend indicates a shift in attacker behavior, suggesting that mobile devices are becoming more prevalent tools for cyber activities traditionally conducted on computers. This rise may reflect advancements in smartphone technology, making them powerful and accessible enough to support complex operations, as well as the growing availability of mobile-based hacking tools and techniques.

MainstreamBlogGraph1

Graph 1. Use of the different smartphone brands over time by attackers in our system

When examining the brand usage trends over time, we observed a notable shift in 2023. Xiaomi showed a marked increase in popularity, even surpassing iPhone. In the CounterPoint research Figure presented at the beginning of this blog, we see that Xiaomi wins in popularity for only a certain period of the year, and this, only when iPhone is at an all-time low. The trend that we observed with our data is different in the sense that the rising prevalence of Xiaomi devices is way more notable than what is observed in the general population trend. This increase not only reflects Xiaomi’s growing appeal but also suggests that cybercriminals may be capitalizing on its accessibility, performance, and global availability.

Samsung usage shows a stable presence in the general consumer market as a trusted and widely-used brand. Similarly, among attackers, it is also a brand that has remained consistently steady. This trend aligns with broader market patterns, where Samsung continues to maintain a loyal user base across various demographics. Similarly, the iPhone has sustained its popularity over time. This enduring popularity highlights Apple’s strong brand loyalty and the widespread appeal of its devices, which remain attractive for their user-friendly interface, security features, and ecosystem integration. These patterns suggest that both brands are able to retain their appeal in both legitimate and illicit contexts.

Specificity of Xiaomi’s target market

Xiaomi initially focused on the Chinese market but has since expanded rapidly to India, Southeast Asia, and Europe. In India, it has been especially successful, frequently topping sales charts due to its competitive pricing and targeted marketing strategies. The brand’s popularity remains strong in densely populated regions, particularly China, where the sheer market size and demand provide a stable customer base over time.

Xiaomi’s appeal extends beyond general consumers to tech-savvy users, including some features that could attract malicious actors. One potential draw for these actors is Xiaomi’s MIUI, an Android-based operating system known for its high level of customization and frequent updates, which introduce new features and enhancements. MIUI’s versatility appeals to users who value personalization but also presents potential opportunities for exploitation.

Additionally, Xiaomi fosters a robust online user community, where fans discuss device features, customization options, and software updates. This community-driven environment encourages brand loyalty but also offers a resource that could be exploited by malicious actors. These forums provide a wealth of information, which, while intended to support users, could be leveraged by threat actors to identify vulnerabilities or tailor malicious strategies.

Conclusion

Our analysis reveals that cybercriminals’ smartphone preferences align closely with mainstream consumer trends, with iPhone, Xiaomi, and Samsung emerging as the most popular brands among both attackers and general users. Notably, Xiaomi has shown a marked increase in usage in 2023 in our data, surpassing iPhone, which suggests a growing appeal for attackers. This trend could be driven by Xiaomi’s accessibility, performance, and availability.

Also, the observed increase in smartphone use to access RDP in 2023 further indicates that mobile devices are becoming versatile tools in cyber activities, reflecting advancements in mobile technology and the proliferation of mobile-based hacking tools.

This blog post focuses on smartphones as tools for malicious actors rather than as direct targets. Our data did not allow us to determine whether the most popular smartphones are also primary targets for these actors. However, these findings underscore an interesting intersection between consumer technology trends and cyber behavior. Understanding these preferences provides valuable insights into cybercriminal practices, suggesting that broader market dynamics may indeed shape the tools and devices chosen by attackers.

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

No upcoming events.

DERNIER COMMUNIQUÉ DE PRESSE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858