Mobile malware is nothing new. But in recent months, attackers have been getting more creative and resourceful with how they conceal, distribute and deploy these threats.

This newfound creativity is part of a mobile threat trend that can be summarized as follows: Attacks are on the rise, they’re focusing on mobile devices and they’re getting far more aggressive with their methods.

Mobile Threats by the Numbers

The numbers are staggering. Kaspersky Lab’s “Mobile Malware Evolution 2018” report found that the number of devices attacked by malware increased from 66.4 million in 2017 to 116.5 million in 2018 — and we should assume another big rise for 2019. The researchers also found that the “quality” of malware — its precision and impact — is on the rise. The number of so-called “Trojan-droppers” — malware that gets past security to deliver its payload — doubled from 2017 to 2018, according to the report.

In its most recent “Mobile Threat Report,” McAfee detailed how mobile phones are being increasingly targeted with mobile app backdoors, banking Trojans and cryptomining malware. One alarming trend is the number of fake apps appearing in dozens of app stores, rising from around 10,000 fake apps in the middle of 2018 to approximately 65,000 by the end of the year.

In addition, Verizon’s most recent “Mobile Security Index 2019” found that a majority of those surveyed believed their organization is at risk of mobile threats. One-third of companies reported suffering a compromise that involved mobile devices. Despite this, more than half said they had sacrificed security to “get the job done.” An incredible 81 percent of respondents said they had personally used insecure public WiFi for work, despite knowing that the practice is both unsafe and prohibited by company policy.

All this is to say that the threat from mobile devices is increasing at an extremely high rate, yet most organizations are woefully unready.

A New World of Mobile Malware

All that data around the rising threat of mobile-based attacks doesn’t fully address the quality of the latest malware. Just look at the creative thinking behind a recent incarnation of malware called Anubis.

Anubis’ Motion-Based Evasion Tactics

Distributed inside at least two apps available on the Google Play store, Anubis banking malware concealed itself using the target phones’ motion sensors. Researchers often use emulators to hunt for Trojans in apps — or they search on real phones, which are often mounted and motionless. The Anubis creators figured out that one difference between security researchers and real-life users is motion. By activating only after motion was detected, the malware could remain invisible to many researchers but still activate on phones in the wild.

Trend Micro reported in January that the motion-activated Anubis appeared in two seemingly legitimate apps: a battery extender app with a 4.5-star rating and a currency converter. Once activated, Anubis installed a keylogger for stealing credentials or took screenshots for the same purpose.

Preinstalled Mobile Malware

Downloading apps is one way to sneak malware onto phones. Preinstalling it is another. The technology firm Upstream discovered in January that the Alcatel smartphone models Pixi 4 and A3 Max contained malware out of the box. The malware was hidden in a preinstalled weather app called Weather Forecast-World Weather Accurate Radar. The app was also available separately on the Google Play store and was downloaded more than 10 million times. It has since been removed.

The malware collected various bits of data, such as location data, user email addresses and International Mobile Equipment Identity (IMEI) numbers, and may have loaded adware. It also subscribed users to a premium-rate phone number service.

Clipper Malware on Google Play

Another unwelcome trend is the appearance of older methods of compromise in legitimate app stores. For example, the first clipper malware ever discovered on the official Google Play store was found by the security company ESET in February: Android/Clipper.C. Previously, clipper malware was the exclusive province of desktop PCs or unauthorized app stores.

Clipper apps replace the clipboard contents of a device with other data. For example, when a user copies a cryptocurrency wallet address to paste into a transaction, a clipper app can silently swap it for the attacker’s address, redirecting the funds to the attacker’s account.

In addition, Android/Clipper.C attempted to steal credentials and private keys and send them to the attacker’s Telegram account in order to drain Ethereum funds, and it could also replace either an Ethereum or a bitcoin wallet address in the clipboard.
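One defensive check the clipper technique above suggests, as an added example (not code from the article or from ESET): a small clipboard guard that records what the user copied and, at paste time, flags any bitcoin or Ethereum address the user never copied. The address patterns are constructed for this illustration and recognise common formats only; they do not validate checksums.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed address patterns: Ethereum (0x + 40 hex chars), bitcoin legacy
# (base58, starts with 1 or 3) and bitcoin bech32 (starts with bc1).
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_ADDR = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{25,62})\b"
)


def find_wallet_addresses(text: str) -> List[str]:
    """Return every Ethereum and bitcoin address-looking token in the text."""
    return ETH_ADDR.findall(text) + BTC_ADDR.findall(text)


@dataclass
class ClipboardGuard:
    """Remembers what the user copied and flags a clipper-style swap at paste."""
    copied: Optional[str] = None
    # Each alert records (addresses the user copied, addresses found instead).
    alerts: List[Tuple[List[str], List[str]]] = field(default_factory=list)

    def on_copy(self, text: str) -> None:
        # Called by the app when the user deliberately copies something.
        self.copied = text

    def on_paste(self, clipboard_now: str) -> bool:
        """Return True if the clipboard now holds a wallet address the user
        never copied, i.e. the contents were replaced behind the user's back."""
        if self.copied is None:
            return False
        expected = set(find_wallet_addresses(self.copied))
        actual = set(find_wallet_addresses(clipboard_now))
        swapped = sorted(actual - expected)
        if swapped:
            self.alerts.append((sorted(expected), swapped))
            return True
        return False


if __name__ == "__main__":
    # Constructed sample: the user copies one address, a clipper swaps another in.
    guard = ClipboardGuard()
    guard.on_copy("pay 0x" + "ab" * 20)
    print("swap detected:", guard.on_paste("pay 0x" + "cd" * 20))
```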

Attack Campaigns on a Massive Scale

Yet another new trend is that some malware is being distributed on a massive scale. Some 150 million Android users were impacted recently by malware called SimBad. The malware disguises itself as advertising, according to Check Point, mostly inside a large number of mobile games.

In fact, SimBad carries out phishing attacks that lead users to websites where even more malware is downloaded. Once launched, SimBad is difficult to stop or uninstall. Apps containing the SimBad malware have since been removed from the store.

Distributing Malware via Image Files

Malware can even be smuggled onto a phone without apps. A new Android bug enabled a standard photo file format to serve as the vehicle for an attack. Google discovered the method, fixed it with a February patch, then described it in a security bulletin. The flaw enabled compromise of Android smartphones via PNG files: a purpose-built PNG could execute code when processed by the device. It’s worth noting that the vast majority of Android phones are not updated frequently and did not get the patch quickly.

What Can We Do to Combat Creative New Malware Strains?

The bottom line is that mobile malware techniques to compromise security cannot be easily predicted. What can be predicted is that threats will continue to rise, new methods will continue to be devised and mobile devices will continue to be the focus of intense malware activity.

The point of all this is not to guard specifically against the examples in this article, but to understand the growing threat — and reflect on the fact that far too many organizations are unprepared. So what can they do to prepare for the unpredictable?

To get started, here are some mobile security best practices and policies to follow and enforce:

  • Keep devices current with the latest updates.

  • Stick to official and authorized app stores. While many of the threats reported here actually appeared on the official Google Play store, it’s important to note that affected apps are removed immediately once discovered. The same can’t be said for unauthorized sources for mobile apps.

  • Minimize the number of apps installed and favor reputable app developers.

  • Embrace a comprehensive approach to mobile security that can protect against even unreported or unpredicted threats.

  • Understand that some of the newest threats can only be stopped with powerful artificial intelligence-based tools.

  • Improve and enforce policies against using public WiFi and in favor of using good password management.

Nobody can predict how creative new malware methods will infiltrate the mobile devices used by employees at your organization. But it’s easy to predict that these attempts will be made. Security decision-makers can no longer think about these threats as theoretical or secondary in importance to other work. It’s time to act on what we know is coming: something unpredictable.
