With the rise of smartphones and the increasing dependency on mobile devices for various activities, the threat of mobile malware has become a pressing issue. According to a recent research report:
- 71% of employees leverage smartphones for work tasks
- Unique mobile malware samples rose 13% in the past year
- Users who engage in sideloading apps are 200% more likely to become infected with mobile malware
This article aims to provide a comprehensive understanding of mobile malware, its impact on users and organizations, how it spreads, examples of recent mobile device malware attacks, and preventive measures to combat this growing threat.
What is Mobile Malware?
Mobile malware refers to malicious software specifically designed to exploit vulnerabilities in mobile devices and operating systems. It can encompass a wide range of threats, including viruses, worms, Trojans, adware, and spyware. As mobile devices become more sophisticated and technologically advanced, so does the complexity and proliferation of mobile malware.
The Evolution of Mobile Malware
Spotlight: New Malware Leverages Optical Character Recognition (OCR) to Steal Crypto Wallets
A particularly nefarious mobile malware stealer called CherryBlos is designed to extract text from photos and images on Android devices using OCR. Bad actors are using it to steal crypto wallet seed phrases, which users often screenshot and then save to their phones when setting up a new wallet for backup or recovery purposes. With seed phrases in hand, criminals can gain access and quickly drain the user’s crypto wallet.
As users increasingly use mobile apps for activities previously restricted to websites, like online banking and social networking, the rates of mobile malware observed by security professionals have risen proportionally. With millions of apps available for download, users often unknowingly expose themselves to potential threats. Malicious apps can be disguised as legitimate ones, making it difficult for users to tell what’s safe and what isn’t.
Types of Mobile Malware
There are several types of mobile malware to be aware of:
Viruses: These are malicious programs that can replicate and spread from device to device. They can cause damage to files, applications, and the overall system.
Worms: Similar to viruses, worms can replicate themselves, but they do not require a host file. They can spread rapidly across networks and devices.
Adware: Adware displays intrusive advertisements on the device, often redirecting users to unwanted websites or prompting them to install other malicious applications.
Spyware: This type of malware silently gathers sensitive information from the device, such as passwords, banking details, session cookies, and browsing habits, without the user’s consent.
Cybercriminals constantly develop new forms of malware to stay one step ahead of security measures. When we look at recaptured logs in the SpyCloud database, however, most of the data we see was exfiltrated by one or more mobile Trojans, commonly referred to as remote access Trojans (RATs). Notably, Trojan malware campaigns largely target banking and financial service providers to perpetuate fraud, and the number of observed mobile banking Trojans doubled last year.
The Impact of Mobile Malware on Users
Personal Data and Login Credentials at Risk
One of the primary concerns with mobile malware is the potential threat to personal data. Bad actors can gain access to private information like your contacts, messages, location data, and much more. This compromised data can be used for identity theft, fraud, phishing attacks, or selling on the dark web. It’s an invasion of privacy that can lead to long-term consequences for a victim, with personal information being used to impersonate you. Mobile malware can also target your passwords, which can then give cybercriminals a direct line to gain unauthorized access to your other apps and accounts.
Financial Implications of Mobile Malware
Financial fraud is another significant consequence of mobile malware. Fake banking apps that replicate a legitimate app, or Trojan malware using an “overlay” strategy on top of a legitimate app, for example, can enable an attacker to steal credentials, credit card details and other sensitive financial information, or take control of the device remotely, leading to unauthorized transactions, credit card fraud, and even draining the victim’s bank accounts.
The Impact of Mobile Malware on Organizations
The impact of mobile malware extends beyond individual users and can also have significant consequences for businesses and organizations. A successful mobile malware attack can compromise sensitive corporate data, disrupt operations, and damage a company’s reputation.
If sensitive or proprietary data stored on smartphones and tablets, or data transmitted over mobile networks, is compromised by an attacker, it can lead to a data breach, potentially resulting in regulatory fines, lawsuits, and reputational damage. The loss of intellectual property or customer information can be particularly damaging.
Mobile malware infections can also disrupt business operations. For example, if mobile devices used for work become infected, employees may be unable to perform their duties, resulting in productivity losses.
How Mobile Malware Spreads
Understanding how mobile malware spreads is a critical piece of the puzzle for both individuals and organizations.
Malicious Apps and Downloads
As mentioned above, one common method used for spreading mobile malware is through malicious applications or downloads. Malware-infected apps can be disguised as legitimate software, making it challenging for users to distinguish between genuine and malicious ones. In some cases, infected applications may ask the user to grant the app certain permissions, which then allow the attacker to perform malicious actions like stealing banking credentials.
Phishing and Social Engineering
Phishing attacks are also prevalent in the mobile ecosystem, and it’s been reported that 82% of phishing sites now target mobile users. Cybercriminals may use social engineering techniques like sending fraudulent messages or emails to deceive users into revealing sensitive information, clicking on a malicious link, or downloading a malicious app.
Supply Chain
Recently, there have also been campaigns to spread mobile malware via the supply chain. As seen with the Badbox and PeachPit Trojans, some knock-off Android devices are being sold to mobile users with malware pre-installed on the device, capitalizing on consumers looking for a good deal on a new phone.
The Role of Operating Systems in Mobile Malware
The choice of operating system can significantly affect the vulnerability to mobile malware.
Android vs. iOS: A Comparative Analysis
Android and iOS are the two dominant operating systems in the mobile market, each with its strengths and vulnerabilities when it comes to malware. Android, due to its open nature, is particularly susceptible to malware attacks, especially when users download apps from unofficial sources. In a recent research study, mobile malware was found on 1 out of 20 Android devices in 2022.
Recent Examples of Mobile Banking Malware Attacks on Android Devices
The Xenomorph Trojan is an actively maintained mobile banking malware that targets Android users via fake apps in the Google Play Store as well as spoofed websites. Once deployed, an attacker can take over the device owner’s bank accounts and even go so far as to automatically transfer bank or crypto funds from the compromised device to their own. Thousands of Android customers in the US have been targeted in recent months.
Another recent example is the Anatsa Trojan, which as of March 2023 had already infected more than 30,000 devices. In its most recent campaign, attackers are deploying the malware through malicious apps in the Google Play Store, primarily in the US, UK, and Europe. Once a device is infected, Anatsa can steal login credentials, credit card information, and other financial data via overlay attacks and keylogging, which can then be used to perpetrate fraud. This malware also facilitates Device-Takeover Fraud (DTO), where attackers impersonate the device owner and perform financial transactions directly from the victim’s device, making detection by banking anti-fraud systems extremely difficult.
The Fluhorse malware campaign, discovered in May 2023, leverages email phishing to trick victims in Asia into downloading a fake banking app. It then captures the victim’s credentials and credit card information, and can even snatch 2FA codes sent via text to verify access if needed.
Apple’s iOS has a more closed ecosystem, with stricter app review processes, reducing the risk of malware-infected apps. Nonetheless, SpyCloud observes near-consistent infections of iOS devices, commonly including the exfiltration of financial information such as credit card numbers and bank account information.
The Vulnerability of Outdated Operating Systems
Regardless of the operating system, the timely updating of device software is crucial in minimizing the risk of mobile malware. Outdated operating systems often lack necessary security patches and updates, making them more vulnerable to attacks. Users should make sure they regularly update their devices to stay protected.
Preventing and Combating Mobile Malware
To combat the growing threat of mobile malware, smartphones have various security measures built in. These include regular software updates and app store security checks, but user education around safe browsing and downloading practices remains a key component of attack prevention.
User Education Countermeasures
- Only download apps from official and trusted sources like Google Play Store or Apple App Store.
- Regularly update the device's operating system and security software.
- Avoid clicking on suspicious links or opening attachments from unknown sources.
- Enable strong passwords or biometric authentication for device lock screens.
- Be cautious while sharing personal information online or with unrecognized apps. Ask yourself if the app you’ve just installed really needs the permissions it's asking for. For example, does an app for a flashlight really need permissions to access your contact list or send texts and make calls?
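The flashlight example above can be turned into a repeatable check. The following Python script is an added example, not code from the original article or from SpyCloud: it parses an app's AndroidManifest.xml, collects the declared permissions (including an accessibility service binding, which is declared on the service rather than as a uses-permission), and flags high-risk permissions that the app's advertised category has no plausible need for. The per-category baselines and the sample manifest are constructed assumptions; the permission strings are real Android permission names.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the abuse patterns described in the article when an
# app has no legitimate reason to hold them (contact harvesting, SMS 2FA theft,
# overlays on top of banking apps, screen scraping, sideloading more packages).
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_CONTACTS": "can harvest the contact list",
    "android.permission.SEND_SMS": "can send texts (premium SMS, self-spreading)",
    "android.permission.RECEIVE_SMS": "can intercept SMS 2FA codes as they arrive",
    "android.permission.READ_SMS": "can read stored SMS 2FA codes",
    "android.permission.CALL_PHONE": "can place calls without user interaction",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can observe and act on screen content",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional packages",
}

# ASSUMPTION: a minimal baseline of what each app category plausibly needs.
EXPECTED: Dict[str, Set[str]] = {
    "flashlight": {"android.permission.CAMERA"},  # the torch is driven via the camera API
    "messaging": {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}

def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect every permission the manifest declares, plus accessibility binding."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for svc in root.iter("service"):  # accessibility services bind via android:permission
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            perms.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return {p for p in perms if p}

def review_manifest(category: str, manifest_xml: str) -> List[Tuple[str, str]]:
    """Return (permission, reason) for high-risk permissions the category does not justify."""
    expected = EXPECTED.get(category, set())
    return [(p, HIGH_RISK[p]) for p in sorted(declared_permissions(manifest_xml))
            if p in HIGH_RISK and p not in expected]

# Constructed sample: a "flashlight" app that asks for far more than it needs.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".Helper"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in review_manifest("flashlight", FLASHLIGHT_MANIFEST):
        print(f"unexpected for a flashlight app: {perm} ({why})")
```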
Technology Countermeasures
Human error will always be part of the equation, but there are an increasing number of technology solutions that can help security teams swing the odds in their favor.
The Role of Mobile Device Management
Organizations can leverage a mobile device management (MDM) solution on work devices to help enforce several user best practices. Via an MDM, security teams can enforce stringent security policies and the latest security updates, remotely manage and secure devices, and control app installations. Administrators can also enforce encryption, strong authentication, and device compliance to reduce the attack surface. MDM also facilitates remote device wiping in the case of an infection, app whitelisting and blacklisting to mitigate the risk of malicious app installations, and containerization to isolate business data from potential malware threats.
The Role of Antivirus Software
Installing reputable antivirus software on personal mobile devices can add an extra layer of protection against mobile malware for users. Antivirus apps can scan and detect malicious programs, block suspicious websites, and provide real-time protection against potential threats. This added protection has benefits for your organization, too, since compromised data or access to an unmanaged personal device can in some cases open the door to your business applications and data.
Nonetheless, antivirus on its own is no substitute for user awareness and monitoring of their devices. While it’s difficult to ascertain how widespread antivirus software is across the many kinds of mobile devices, a recent SpyCloud analysis of malware-exfiltrated data from desktop devices (covering both Windows and macOS) found that more than 54% of all successful malware deployments were recorded on a device that had at least one antivirus or EDR solution installed at the time of data theft.
An Added Layer of Protection: Post-Infection Remediation to Prevent Follow-on Attacks
Countermeasures are effective, but not foolproof, in preventing malware infections. Devices still get infected, whether because of a missed update or a particularly clever attack tactic, so it’s important to monitor your users’ information for malware exposures.
By monitoring for exposures and taking complete malware incident response steps to remediate any infection, you can act quickly to shut down any potential for the stolen data to be used in a follow-on attack.
Takeaways
- Mobile malware includes viruses, worms, Trojans, adware, and spyware, posing risks of data compromise, financial fraud, and identity theft for both individual users and organizations. It can spread through infected apps, phishing and social engineering, and supply chain exploitation.
- Android is more susceptible to malware attacks compared to iOS, but both platforms remain vulnerable, underscoring the importance of timely software updates and user awareness in preventing mobile malware. Recent examples of mobile malware attacks on Android devices include the Xenomorph and Anatsa Trojans, highlighting the need for robust security measures and user vigilance when downloading apps and handling sensitive financial information.
- Preventive measures against mobile malware include user education, mobile device management, antivirus software, and post-infection remediation to prevent follow-on attacks, all aimed at reducing the risk of exposure and addressing malware incidents promptly.
- Mobile malware can have significant consequences for businesses, including compromised data, operational disruptions, and reputational damage. Implementing comprehensive security strategies and enforcing best practices are essential for mitigating these risks and protecting sensitive corporate data.