What is Mobile Malware?

Mobile malware is malicious software, such as trojans and ransomware, explicitly designed to target operating systems and applications on mobile devices.

Mobile users are exposed to mobile malware through social engineering that lets attackers circumvent the built-in security of popular platforms such as Apple's iOS and Android. Widely seen categories of mobile malware include:

  • Viruses
  • Worms
  • Trojans
  • Adware
  • Spyware

Various motives drive attackers, but their primary goals often include the theft of sensitive data to facilitate identity theft, financial fraud, or espionage, as well as the installation of malicious software designed to capture credentials.

Understanding Mobile Malware

The sophistication and variety of mobile malware have rapidly evolved, presenting significant threats to mobile users. These users are increasingly targeted through advanced social engineering tactics, which enable attackers to bypass comprehensive security systems on popular platforms like Android and iOS, unleashing a range of malicious software activities.

The continuously evolving landscape of mobile technology and the proliferation of mobile device use in personal and professional contexts further underscore the pressing need for heightened awareness and defense mechanisms against mobile malware threats.

Scope of Mobile Malware

Although mobile threats are less pervasive than traditional malware, cybercriminals are increasingly exploiting the mobile-first trend. For organizations, the explosion of bring-your-own-device (BYOD) and personal device use for work gives attackers fertile ground to launch mobile malware attacks.

Despite efforts to control personal device usage, shadow use of such devices is pervasive. The weak security on these mobile devices makes them a target for attackers seeking access to networks and systems in order to steal assets or conduct additional attacks.

Because visibility into mobile devices is limited and many of them lack anti-malware or antivirus software, they are increasingly used to launch zero-day and other devastating attacks.

Additional reasons for the growth of mobile malware are:

  • A growing volume of sensitive and high-value tasks are carried out on mobile devices.
  • Mobile devices are often connected to insecure external networks, like public Wi-Fi.
  • Threat actors can hide malicious software amongst legitimate apps in third-party app stores.
  • Users are more likely to click malicious links in legitimate-looking email or text messages on mobile devices.

Historical Context and Evolution of Malware

Mobile devices have been targeted since the turn of the millennium. Purpose-built mobile malware was first seen in 2004. Since then, mobile malware has grown in use and sophistication. The following timeline provides a brief overview of its evolution.

2004

The first mobile virus, a worm called Cabir, was released, using the Bluetooth OBEX push protocol to spread. It targeted the Symbian operating system, one of the earliest smartphone operating systems used by Nokia, Sony Ericsson, and Samsung.

2005

The Commwarrior worm was discovered. It was the first mobile malware to propagate using Bluetooth and MMS messaging.

2009

Ikee and Duh, two mobile malware worms, emerged and targeted jailbroken iPhones. Both exploited the hard-coded default password of the Secure Shell (SSH) daemon that jailbreaking left running and exposed on affected devices.

2010

FakePlayer malware targeted Android and iOS devices. This mobile malware was disguised as a media player app. Once installed, it secretly sent premium-rate SMS messages to Russian shortcode numbers, resulting in costly unauthorized user charges.

2011

A mobile malware attack on Google Play triggered a surge in mobile Trojans and spyware embedded in malicious apps, which were especially prevalent on third-party Android marketplaces.

2011 also saw the evolution of the traditional malware banking Trojan, Zeus, to Zitmo (Zeus-in-the-mobile). Zitmo intercepted SMS messages with two-factor authentication (2FA) codes to enable attackers to access users' banking accounts.

2012

The evolution of banking malware continued with the adaptation of OpFake. The mobile version of this malware evolved from an early SMS Trojan. Disguised as an Opera Mini web browser (i.e., a lightweight web browser for mobile devices) updater, OpFake emerged as one of the first large-scale botnets targeting Android devices.

2013

FakeDefender emerged as a mobile ransomware targeting Android devices. It posed as a fake antivirus application that blocked access to the device, demanding a ransom to regain control.

2014

AirPush, an intrusive mobile adware family, began pushing unwanted ads to targeted devices. While the pop-ups usually resulted only in a poor user experience on the infected device, some variants behaved maliciously by displaying ads in the notification bar, delivering malvertising, and creating shortcuts to spam users.

2015

Gazon, an Android virus, was used to infect mobile devices. Once compromised, the mobile malware sent phishing messages to contacts on the device containing a link to install malware. In this case, the link was disguised as an Amazon rewards app.

2016

HummingBad, a mobile adware family, infected over 10 million Android devices. This mobile malware generated fraudulent ad revenue by displaying ads in the background.

2017

Xavier mobile malware emerged, targeting Android devices with an information-stealing ad library embedded within more than 800 seemingly legitimate apps in the Google Play Store. Once installed, Xavier collected sensitive data and evaded detection by encrypting its communications.

2018

Rotexy was used in more than 70,000 attacks. This mobile malware evolved from earlier versions initially identified as SMS spyware Trojans, becoming more sophisticated over time by combining the features of both ransomware and a banking Trojan.

2019

StrandHogg was first publicly disclosed as a new strain of mobile malware that exploited a vulnerability in Android's multitasking system. This mobile malware allowed malicious apps to masquerade as legitimate ones, steal credentials, and access sensitive data without root access.

2020

Smishing (SMS phishing) attacks became more sophisticated and prevalent. The global pandemic was widely exploited for smishing campaigns that took advantage of individuals' fears and desire for information about COVID-19.

2021

The expansion of 5G and IoT networks enabled mobile malware to evolve. New strains of mobile malware, such as Mirai variants, infected IoT devices. Additionally, Android ransomware, FLocker, evolved to target IoT devices.

2022 - present

AI-driven malware (e.g., Cerberus and Emotet) and fileless attacks (e.g., HummingWhale, derived from HummingBad, and XLoader) emerged, enabling mobile malware to evade traditional detection mechanisms. These mobile malware strains can adapt quickly, making traditional signature-based detection ineffective.

How Is Mobile Malware Used?

The most common use of mobile malware is to steal sensitive information, such as usernames and passwords, bank account numbers, Social Security numbers, private messages, and location information.

Cybercriminals also use mobile malware to generate revenue through ad fraud (e.g., sending unwanted ads to generate fake ad clicks) and installing cryptomining tools to generate cryptocurrency.

Mobile malware is also used to compromise accounts and exploit vulnerabilities. Once installed, mobile malware can be spread to other devices in the initial target’s network. Mobile malware can also move laterally across networks to gain additional access privileges.

What Are Common Types of Mobile Malware?

Mobile malware comes in many of the same varieties as traditional malware but is optimized to exploit the differences in mobile environments. Early strains of mobile malware targeted legacy platforms, such as BlackBerry OS and Symbian OS. Today, most mobile malware targets iOS and Android devices. The following are several of the most widely seen types of mobile malware.

Cryptomining Malware

Attackers use cryptomining malware to generate cryptocurrency using compromised mobile devices' processing power. An example is the ADB.miner mobile malware, which targets Android devices for this purpose.

Drive-By Downloads

Traditional drive-by-download techniques are also used to target mobile devices. Malware delivered through drive-by downloads includes trojans, ransomware, keyloggers, botnet clients, and data exfiltration tools.

MMS Malware

MMS malware spreads through multimedia messages carrying text, photos, and videos. An example of MMS malware is FluBot, used in a large-scale smishing attack that targeted Android devices in Europe.

Mobile Bots

Mobile malware is used to create mobile botnets. Ikee.B was the first mobile malware bot software detected. SpamSoldier is an Android SMS botnet that sends spam messages to other victims without the user's permission.

Mobile Phishing

Mobile phishing attacks are delivered via email or SMS text messages; the SMS variant is often called smishing. Tactics used for mobile phishing include shortened URLs (e.g., TinyURL links) that disguise the destination site, and URL padding, which conceals the malicious domain behind a legitimate-looking name placed at the front of a long hostname.
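A defender-side check for the two link tricks just described, shortened URLs and URL padding, written as an added Python example for this page (it is not code from the page's author or from any product the page describes). The shortener list, the brand watch-list and the sample links are constructed, and the "last two labels" rule for the registered domain is a deliberate simplification; real tooling would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed lists for the demo. A production checker would load a
# maintained shortener list and the Public Suffix List instead.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co"}
PROTECTED_BRANDS = {"paypal", "facebook", "amazon", "apple"}


def registered_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the host.
    Assumption: no multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> tuple[str, list[str]]:
    """Return (registered domain, findings) for a link found in an SMS or
    email. A finding is not proof of malice; it is a reason to show the
    real destination to the user or to block the click."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if host in SHORTENER_HOSTS:
        findings.append("shortened link: destination hidden until resolved")

    reg = registered_domain(host)
    # Everything left of the registered domain is text the sender controls.
    prefix = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host

    # URL padding: a trusted-looking name followed by a run of hyphens pushes
    # the real domain out of view in a narrow mobile address bar.
    if "-----" in prefix:
        findings.append("hyphen padding in hostname")
    for brand in sorted(PROTECTED_BRANDS):
        if brand in prefix and brand not in reg:
            findings.append(f"brand '{brand}' in subdomain but real domain is {reg}")

    if parts.username is not None:
        findings.append("user@ text before the host can disguise the destination")
    return reg, findings


# Constructed sample links (not real campaigns)
PADDED = "http://m.facebook.com----------------validate.login-check.example/"
SHORT = "https://tinyurl.com/abc123"
LEGIT = "https://www.paypal.com/signin"

if __name__ == "__main__":
    for link in (PADDED, SHORT, LEGIT):
        print(link, "->", analyze_url(link))
```

The padded sample is classified by the domain that actually resolves (`login-check.example`), which is the value a mobile security product should surface to the user instead of the leading `m.facebook.com` text.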

Remote Access Tools (RATs)

RATs give attackers remote access to infected mobile devices and are often used to collect information such as installed applications, call history, address books, web browsing history, and SMS data. RATs can also send SMS messages, enable device cameras, and log GPS data.

Trojan Horses

Cybercriminals typically insert Trojans into non-malicious executable files or apps on compromised devices. Several types of Trojans used for mobile malware exploits include bank Trojans, SMS Trojans, and Wireless Application Protocol (WAP) clickers.

Mobile Malware Attack Real-World Scenarios and Consequences

The following are several examples of mobile malware attacks. These cases illustrate specific threats and demonstrate the impact of mobile malware.

Pegasus Spyware

WhatsApp was attacked with Pegasus spyware that exploited a vulnerability in its platform. The Pegasus attack led to the compromise of mobile phones belonging to individuals including business executives and journalists. The malware allowed attackers to intercept encrypted communications and steal sensitive data.

XcodeGhost

In this third-party supply chain attack, several popular apps, including WeChat, were infected when developers unknowingly used a compromised version of Apple’s Xcode to build their software. Organizations using these apps were affected as malicious backdoors exposed their data to attackers.

GriftHorse Trojan

The GriftHorse malware was hidden in apps downloaded from the Google Play Store. When users installed these apps, they were enrolled in fraudulent premium SMS services, which led to fraudulent charges.

FluBot Trojan

The FluBot Trojan was spread through Smishing attacks. This mobile malware stole passwords and banking information from Android devices.

Mobile Malware Detection and Prevention Strategies

Many tools and techniques are used to detect and prevent mobile malware from infecting devices. The following are several of the most commonly used tactics supported by cybersecurity tools:

Signature Detection

Signature detection identifies mobile malware by looking for unique features of known variants, such as the file hash, the domains and IP addresses it contacts, and strings within the executable. While signature detection is effective against known samples, it cannot identify zero-day threats or evolving malware variants.

Anomaly Detection

Artificial intelligence (AI) is used to power many anomaly detection tools. These systems start with a model of regular operation and continuously scan for deviations from that model. Anomaly detection is an effective method for identifying novel mobile malware threats.

Behavioral Detection

Like anomaly detection, behavioral detection tools leverage AI and models of normal behavior. Because mobile malware commonly engages in unusual behavior, behavioral detection tools effectively identify potential mobile malware based on device activity.
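The three approaches above can be shown side by side. The following Python is an added example written for this page, not code from the page's author or from any product the page describes. The indicator set, the app samples, the fourteen-day data-usage history and the event log are all constructed, and the two behavioral rules are simplified assumptions about what an SMS Trojan (background premium-rate sending) and a 2FA-stealing banking Trojan (reading SMS, then connecting out) do on a device.

```python
import hashlib
import statistics
from collections import defaultdict
from dataclasses import dataclass

# --- Signature detection ---------------------------------------------------
# Constructed indicator set. None of these are real IoCs; a real feed would
# come from a threat-intelligence source.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed malicious apk").hexdigest()}
KNOWN_BAD_DOMAINS = {"c2.malware-example.invalid"}
KNOWN_BAD_STRINGS = [b"SEND_PREMIUM_SMS"]


@dataclass
class AppSample:
    name: str
    package_bytes: bytes          # what would be the APK/IPA on disk
    contacted_domains: set[str]   # from network telemetry


def signature_hits(app: AppSample) -> list[str]:
    """Match an app against hash, domain and string indicators."""
    hits = []
    if hashlib.sha256(app.package_bytes).hexdigest() in KNOWN_BAD_HASHES:
        hits.append("hash")
    hits += ["domain:" + d for d in sorted(app.contacted_domains & KNOWN_BAD_DOMAINS)]
    hits += ["string:" + s.decode() for s in KNOWN_BAD_STRINGS if s in app.package_bytes]
    return hits


# --- Anomaly detection -----------------------------------------------------
def anomaly_zscore(baseline: list[float], observed: float) -> float:
    """Standard deviations between today's value and the device's own
    history (e.g. daily mobile data in MB, or battery drain in %/hour)."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # flat history: avoid divide-by-zero
    return (observed - mean) / sd


def is_anomalous(baseline: list[float], observed: float, threshold: float = 3.0) -> bool:
    return anomaly_zscore(baseline, observed) > threshold


# --- Behavioral detection --------------------------------------------------
def behavioral_flags(events: list[dict]) -> dict[str, list[str]]:
    """Flag apps whose combination of actions matches malware behaviour.
    Rules are simplified assumptions for the demo."""
    per_app = defaultdict(list)
    for e in events:
        per_app[e["app"]].append(e)
    flags = defaultdict(list)
    for app, evs in per_app.items():
        bg_premium_sms = sum(1 for e in evs if e["action"] == "send_sms"
                             and e.get("background") and e.get("premium"))
        if bg_premium_sms >= 3:
            flags[app].append("background premium SMS")
        actions = {e["action"] for e in evs}
        if {"read_sms", "net_connect"} <= actions:
            flags[app].append("reads SMS then connects out")
    return dict(flags)


# --- Constructed sample data ----------------------------------------------
SAMPLE_APP = AppSample("MediaPlayerPro", b"...SEND_PREMIUM_SMS...",
                       {"cdn.example.com", "c2.malware-example.invalid"})
DROPPER = AppSample("Dropper", b"constructed malicious apk", set())
DATA_MB_LAST_14_DAYS = [210, 190, 230, 205, 198, 220, 215, 200, 225, 210, 195, 205, 218, 212]
TODAY_MB = 2400
EVENTS = [
    {"app": "MediaPlayerPro", "action": "send_sms", "background": True, "premium": True},
    {"app": "MediaPlayerPro", "action": "send_sms", "background": True, "premium": True},
    {"app": "MediaPlayerPro", "action": "send_sms", "background": True, "premium": True},
    {"app": "Messages", "action": "send_sms", "background": False, "premium": False},
    {"app": "FakeBank", "action": "read_sms"},
    {"app": "FakeBank", "action": "net_connect"},
]

if __name__ == "__main__":
    print("signature:", signature_hits(SAMPLE_APP), signature_hits(DROPPER))
    print("anomaly z:", round(anomaly_zscore(DATA_MB_LAST_14_DAYS, TODAY_MB), 1),
          is_anomalous(DATA_MB_LAST_14_DAYS, TODAY_MB))
    print("behavior:", behavioral_flags(EVENTS))
```

Note how the sample app is caught three different ways: its domain and string indicators match the signature set, the device's data usage jumps far outside its own baseline, and its SMS activity fits a behavioral rule. The dropper, with no known domain or string, is caught by hash alone, which is exactly the case a new variant would evade.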

Best Practices for Protecting Against Mobile Malware

Most standard cybersecurity best practices apply to mobile malware. Several best practices specific to mobile malware include the following.

Use Secure Wi-Fi

Using password-protected Wi-Fi connections protects against man-in-the-mobile attacks. Like man-in-the-middle attacks, these take advantage of public networks, where threat actors position themselves between users and the services they intend to reach. By compromising the connection, threat actors can steal information and redirect users to malicious sites.

Do Not Jailbreak or Root Mobile Devices

Jailbreaking (the term typically used for Apple devices) or rooting (typically used for Android devices) involves removing software restrictions imposed by the manufacturer to give the user administrator-level access to the operating system.

While this enables extensive customization and the ability to install apps unavailable through the official app store, it increases the risk of infection from mobile malware.

Disable Features when Not in Use

Wi-Fi networks and Bluetooth connections are vulnerable points of access for mobile malware. To avoid exploitation by cybercriminals, these features and infrared should be deactivated when not in use.

Mobile Malware FAQs

What are the risks of mobile malware?

Mobile malware presents a number of risks for individuals and organizations with varying degrees of impact. The main risks are data breaches, theft of valuable assets, operational disruption, and compliance violations. The impact of mobile malware attacks includes fiscal losses, reputational damage, and fines due to compliance violations and legal actions.

What are notable examples of mobile malware?

  • ADB.miner—2018—targeted Android devices with cryptocurrency mining mobile malware
  • Agent Smith—2019—targeted Android devices and infected over 25 million, replacing legitimate apps with malicious versions without the user’s knowledge
  • Gooligan—2016—targeted Android devices and infected over 1 million users, stealing their Google account credentials
  • Infamous Chisel—2023—targeted Android devices and enabled network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning, and Secure Copy Protocol (SCP) file transfer
  • XcodeGhost—2015—targeted iOS devices, infecting over 4,000 apps, including popular apps such as WeChat
  • BlueBorne Attack—2017—exploited Bluetooth vulnerabilities to spread mobile malware across Android and iOS devices

What are the signs of a mobile malware infection?

Several signs of mobile malware are:

  • Unexpected new apps
  • Unusual ads or pop-up windows in apps and browser
  • Poor device performance and freezing or shutting down unexpectedly
  • Rapid battery drain
  • Increased data usage
  • Sporadic data consumption

How can mobile malware be prevented?

Use reputable antivirus software, avoid downloading apps from unknown sources, update your device regularly, avoid clicking suspicious links, and be cautious when connecting to public Wi-Fi.

What should you do if a device is infected?

If your device is infected, remove suspicious apps, run a malware scan using security software, reset the device to factory settings if necessary, and update your device to the latest software version.