What is mobile malware?
Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches. These types of malware rely on exploits of particular mobile operating systems and mobile phone technology. Although mobile malware is not as pervasive as malware that attacks traditional workstations, it is a growing threat to consumer devices. Mobile malware is becoming a challenge to the mobile security industry as attacks increase in frequency and strength.
Mobile malware developers, also called cybercriminals, may have one or several objectives, including stealing data, signing users up for services and charging them fees for services they did not agree to or locking a device or data and demanding money for its release.
Types of mobile malware
These are adapted for the cellular environment and designed to spread from one vulnerable phone to another.
This is a type of malware that infects other devices while remaining active on infected systems. Cybercriminals can transmit worms through short message service (SMS) or Multimedia Messaging Service (MMS) text messages and typically do not require user interaction to execute commands.
This is a type of malware that runs automatically once a user installs it on a device. It gains complete access to the device and its contents and starts communicating with and receiving instructions from one or more command and control servers. A cybercriminal called a botmaster adds and manages the infected devices to a network of mobile bots (botnet).
These attacks often come in the form of email or SMS text messages. SMS phishing, sometimes called SMiShing, uses text messaging to convince victims to disclose account credentials or to install malware. The attack masquerades as a reputable entity or person and distributes malicious links or attachments that can extract login credentials or account information from victims.
This is a type of malware that locks the data on a victim's device or the device itself, typically by encryption, and demands payment before the data or device is decrypted and access returned to the victim. Unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions on how to recover the data. Cybercriminals often demand payment in a cryptocurrency such as Bitcoin, so that the cybercriminal's identity remains unknown.
These attacks synchronize with calendar apps, passwords, email accounts, notes and other sources of personal data, collects that data and sends it to a remote server.
It is often attached to free software downloads or to links clicked by users. Peer-to-peer (P2P) file sharing has increased the amount of spyware and the ramifications. Adware is a type of spyware.
This virus type requires users to activate it. In mobile devices, cybercriminals typically insert Trojans into non-malicious executable files or apps on the device. The user activates the Trojan virus when he or she clicks or opens a file. Once activated, Trojans can infect and deactivate other applications or the device itself and paralyze the device after a certain period of time or a certain number of operations. Banking Trojans target both international and regional banks by using fake versions of legitimate mobile apps or through phishing campaigns.
Wireless Application Protocol (WAP) clickers are Trojan viruses that use WAP billing to charge fees directly to a user's mobile phone bill. Mobile network operators use WAP billing for paid services or subscriptions. This form of payment charges fees directly to the user's service account, avoiding the need to register a credit card or set up an account. A WAP clicker covertly subscribes to a cybercriminal's services and charges the mobile device owner's account.
Examples of mobile malware attacks
In February 2018 ADB.Miner cryptocurrency mining malware was first reported infecting Android-based smartphones, tablets and television sets. The malware infects the device to mine a type of cryptocurrency called Monero (XMR) coins and sends all acquired funds to a single wallet.
The Cabir worm was the first verified example of a worm created specifically for mobile devices. It was developed in 2004 and designed to infect mobile phones running Symbian OS. When a phone is infected, the worm displays the message 'Caribe' on the phone's screen every time the phone is turned on. The worm attempts to spread to other phones in the area using wireless Bluetooth signals, although the recipient has to confirm this manually.
The first worm known for Apple iOS platforms, Ikee, was discovered in 2009. Ikee works on jailbroken iOS devices. The worm spreads by trying to access other devices using the SSH protocol, first through the subnet that is connected to the device. It repeats the process by generating a random range and finally uses some preset ranges that correspond to the IP address of certain telephone companies. Once infected, the device's wallpaper is replaced by a photograph of the singer Rick Astley, a reference to the Rickroll phenomenon. The worm does not affect users who have not jailbroken or installed SSH on their iPhones.
In 2015, an Android app called Porn Droid locked users' smartphones and changed the access PIN numbers, demanding a $500 payment. Internet of things (IoT) ransomware may not be far behind. Two researchers, Andrew Tierney and Ken Munro, demonstrated malware that attacked, locked and demanded a one-bitcoin ransom on a generally available smart thermostat at the 2016 Def Con conference.
Mobile malware statistics
In Q2 2022, there were over 5 million cyber attacks targeting just Kaspersky-protected mobile devices, using vectors such as malware, adware and riskware, according to a Kaspersky study. The same study highlighted that within that same time period, over 400,000 malicious installation packages were distributed, including more than 50,000 mobile banking trojans. Mobile banking trojans were the most common of these types of packages.
Cryptocurrency mining scams, where an application runs cryptocurrency mining processes in the background of an application's typical functions, are another growing threat for mobile devices. McAfee reported over 100,000 victims of this type of attack on mobile devices.
Panda Security published some data comparing malware levels in the two most frequently used mobile OSes -- iOS and Android. A study revealed that mobile malware was about 50% more common on Android devices than it was in iPhones. That figure doesn't reflect the severity of each individual instance of malware.
Mobile malware prevention
Anti-malware software for mobile devices can minimize the risks, but administrators should be proactive to reduce attacks. Anti-malware software can come in two forms: apps that users can download to their devices, and mobile threat defense, which administrators can incorporate into an Enterprise Mobility Management (EMM) strategy and then deploy to their mobile device fleet.
Businesses and mobile administrators can reduce mobile attacks by upgrading to the latest security updates and OS updates for iOS and Android. Administrators should keep up to date about mobile threats so they can blocklist and allowlist apps, which prevents users from downloading certain applications onto a device. Administrators can also perform jailbreak/rooting and unlocked bootloader detection, disallow untrusted sources and third-party app stores, and require complex passcodes.
User training is also important. Users must know what they should and should not do with their devices. Mobile device management (MDM) and unified endpoint management (UEM) systems can also help protect both personal and company-owned devices and ensure that admins have the proper visibility to keep things in check.
Consumer mobile users should keep their devices up to date with the latest OS updates and educate themselves on emerging threats.