mobile malware

Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches. These types of malware rely on exploits of particular mobile operating systems and mobile phone technology. Although mobile malware is not as pervasive as malware that attacks traditional workstations, it is a growing threat to consumer devices. Mobile malware is becoming a challenge to the security industry as attacks increase in frequency and strength.

Mobile malware developers, also called cybercriminals, may have one or several objectives, including stealing data, signing users up for services and charging them fees for services they did not agree to or locking a device or data and demanding money for its release.

Types of mobile malware

The most common mobile malware attacks include viruses, worms, mobile bots, mobile phishing attacks, ransomware, spyware and Trojans. Some mobile malware combines more than one type of attack.

Mobile viruses are adapted for the cellular environment and designed to spread from one vulnerable phone to another.

A computer worm is a type of malware that infects other devices while remaining active on infected systems. Cybercriminals can transmit worms through short message service (SMS) or Multimedia Messaging Service (MMS) text messages and typically do not require user interaction to execute commands.

A mobile bot is a type of malware that runs automatically once a user installs it on a device. It gains complete access to the device and its contents, and starts communicating with and receiving instructions from one or more command and control servers. A cybercriminal called a botmaster adds and manages the infected devices to a network of mobile bots (botnet).

Mobile phishing attacks often come in the form of email or SMS text messages. SMS phishing, sometimes called SMiShing, uses text messaging to convince victims to disclose account credentials or to install malware. The attack masquerades as a reputable entity or person and distributes malicious links or attachments that can extract login credentials or account information from victims.

Ramsonware is a type of malware that locks the data on a victim's device or the device itself, typically by encryption, and demands payment before the data or device is decrypted and access returned to the victim. Unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions on how to recover the data. Cybercriminals often demand payment in a cryptocurrency such as Bitcoin, so that the cybercriminal's identity remains unknown.

Spyware synchronizes with calendar apps, passwords, email accounts, notes and other sources of personal data, collects that data and sends it to a remote server. It is often attached to free software downloads or to links clicked by users. Peer-to-peer (P2P) file sharing has increased the amount of spyware and the ramifications. Adware is a type of spyware. 

A Trojan horse virus requires users to activate it. In mobile devices, cybercriminals typically insert Trojans into non-malicious executable files or apps on the device. The user activates the Trojan virus when he or she clicks or opens a file. Once activated, Trojans can infect and deactivate other applications or the device itself and paralyze the device after a certain period of time or a certain number of operations. Banking Trojans target both international and regional banks by using fake versions of legitimate mobile apps or through phishing campaigns.

Wireless Application Protocol (WAP) clickers are Trojan viruses that use WAP billing to charge fees directly to a user's mobile phone bill. Mobile network operators use WAP billing for paid services or subscriptions. This form of payment charges fees directly to the user's service account, avoiding the need to register a credit card or set up an account. A WAP clicker covertly subscribes to a cybercriminal's services and charges the mobile device owner's account.

Examples of mobile malware attacks

In February 2018 ADB.Miner cryptocurrency mining malware was reported infecting Android-based smartphones, tablets and television sets. The malware infects the device to mine a type of cryptocurrency called Monero (XMR) coins and sends all acquired funds to a single wallet.

The Cabir worm was the verified example of a worm created specifically for mobile devices. It was developed in 2004 and designed to infect mobile phones running Symbian OS. When a phone is infected, the worm displays the message 'Caribe' on the phone's screen every time the phone is turned on. The worm attempts to spread to other phones in the using wireless Bluetooth signals, although the recipient has to confirm this manually.

A Trojan called Loapi can cause battery damage
on Android devices.

The worm known for Apple iOS platforms, Ikee, was discovered in 2009. Ikee works on jailbroken iOS devices. The worm spreads by trying to access other devices using the SSH protocol, through the subnet that is connected to the device. It repeats the process by generating a random range and finally uses some preset ranges that correspond to the IP address of certain telephone companies. Once infected, the device's wallpaper is replaced by a photograph of the singer Rick Astley, a reference to the Rickroll phenomenon. The worm does not affect users who have not jailbroken or installed SSH on their iPhones.

In 2015, an Android app called Porn Droid locked users' smartphones and changed the access PIN numbers, demanding a $500 payment. Internet of things (IoT) ransomware may not be far behind. Two researchers, Andrew Tierney and Ken Munro, demonstrated malware that attacked, locked and demanded a one-bitcoin ransom on a generally available smart thermostat at the 2016 Def Con conference.

Mobile malware statistics

Mobile malware represented 3.5 percent of all malware attacks in 2017, according to security software company McAfee Labs' March 2018 Threat Report. However, some security experts believe that mobile malware is underreported.

Mobile banking became a target for malware designers in 2018 as users came to rely on their smartphones to conduct banking tasks. In 2017 there was a 60 percent increase in mobile banking Trojans, according to McAfee Labs. 

The number of mobile malware threats increased 46 percent in 2017, from approximately 18 million events at the beginning of 2017 to nearly 25 million events by the end of 2017.


Anti-malware software for mobile devices can minimize the risks, but administrators should be proactive to reduce attacks. Anti-malware software can come in two forms: apps that users can download to their devices, and mobile threat defense, which administrators can incorporate into an Enterprise Mobility Management (EMM) strategy and then deploy to their mobile device fleet.

Businesses and mobile administrators can reduce mobile attacks by upgrading to the latest security updates and OS updates for iOS and Android. Administrators should keep up-to-date about mobile threats so they can blacklist or whitelist apps, which locks out users from downloading certain applications onto a device. Administrators can also perform jailbreak/rooting and unlocked bootloader detection, disallow untrusted sources and third party app stores, and require complex passcodes.

User training is also important. Users must know what they should and should not do with their devices.

Mobile device management (MDM) and unified endpoint management (UEM) systems can also help protect both personal and company-owned devices and ensure that admins have the proper visibility to keep things in check.

Consumer mobile users should keep their devices up to date with the latest OS updates and educate themselves on emerging threats.

This was last updated in December 2018

Continue Reading About mobile malware

Dig Deeper on Mobile security

Unified Communications