Mobile malware is nothing new. But in recent months, attackers have been getting more creative and resourceful with how they conceal, distribute and deploy these threats.

This newfound creativity is part of a mobile threat trend that can be summarized as follows: Attacks are on the rise, they’re focusing on mobile devices and they’re getting far more aggressive with their methods.

Mobile Threats by the Numbers

The numbers are staggering. Kaspersky Lab’s “Mobile Malware Evolution 2018” report found that the number of devices attacked by malware increased from 66.4 million in 2017 to 116.5 million in 2018 — and we should assume another big rise for 2019. The researchers also found that the “quality” of malware — its precision and impactfulness — is on the rise. The number of so-called “Trojan-droppers” — malware that gets past security to deliver its payload — doubled from 2017 to 2018, according to the report.

In its most recent “Mobile Threat Report,” McAfee detailed how mobile phones are being increasingly targeted with mobile app backdoors, banking Trojans and cryptomining malware. One alarming trend is the number of fake apps appearing in dozens of app stores, raising from around 10,000 fake apps in the middle of 2018 to approximately 65,000 by the end of the year.

In addition, Verizon’s most recent “Mobile Security Index 2019” found that a majority of those surveyed believed their organization is at risk of mobile threats. One-third of companies reported suffering a compromise that involved mobile devices. Despite this, more than half said they had sacrificed security to “get the job done.” An incredible 81 percent of respondents said they had personally used insecure public WiFi for work, despite knowing that the practice is both unsafe and prohibited by company policy.

All this is to say that the threat from mobile devices is increasing at an extremely high rate, yet most organizations are woefully unready.

A New World of Mobile Malware

All that data around the rising threat of mobile-based attacks doesn’t fully address the quality of the latest malware. Just look at the creative thinking behind a recent incarnation of malware called Anubis.

Anubis’ Motion-Based Evasion Tactics

Distributed inside at least two apps available on the Google Play store, Anubis banking malware concealed itself using the target phones’ motion sensors. Researchers often use emulators to hunt for Trojans in apps — or they search on real phones, which are often mounted and motionless. The Anubis creators figured out that one difference between security researchers and real-life users is motion. By activating only after motion was detected, the malware could remain invisible to many researchers but still activate on phones in the wild.

Trend Micro reported in January that the motion-activated Anubis appeared in two seemingly legitimate apps: a battery extender app with a 4.5-star rating and a currency converter. Once activated, Anubis installed a keylogger for stealing credentials or took screenshots for the same purpose.

Preinstalled Mobile Malware

Downloading apps is one way to sneak malware onto phones. Preinstalling it is another. The technology firm Upstream discovered in January that the Alcatel smartphone models Pixi 4 and A3 Max contained malware out of the box. The malware was hidden in a preinstalled weather app called Weather Forecast-World Weather Accurate Radar. The app was also available separately on the Google Play store and was downloaded more than 10 million times. It has since been removed.

The malware collected various bits of data, such as location data, user email addresses and International Mobile Equipment Identity (IMEI) numbers and may have loaded adware. It also subscribed users to a for-pay phone number service.

Clipper Malware on Google Play

Another unwelcome trend is the appearance of older methods of compromise in legitimate app stores. For example, the first clipper malware ever discovered on the official Google Play store was found by the security company ESET in February: Android/Clipper.C. Previously, clipper malware was the exclusive province of desktop PCs or unauthorized app stores.

Clipper apps replace the clipboard contents of a device with other data. For example, a clipper app might switch the account for a deposit during a cryptocurrency transaction, redirecting the transaction to the attacker’s account.

In addition, Android/Clipper.C attempted to nab credentials and private keys and send them to the attacker’s Telegram account to steal Ethereum funds, but it could also replace either an Ethereum or a bitcoin wallet address.

Attack Campaigns on a Massive Scale

Yet another new trend is that some malware is being distributed on a massive scale. Some 150 million Android users were impacted recently by malware called SimBad. The malware disguises itself as advertising, according to Check Point, mostly inside a large number of mobile games.

In fact, SimBad carries out phishing attacks that lead users to websites where even more malware is downloaded. Once launched, SimBad is difficult to stop or uninstall. Apps containing the SimBad malware have since been removed from the store.

Distributing Malware via Image Files

Malware can even be smuggled onto a phone without apps. A new Android bug enabled a standard photo file format to serve as the vehicle for an attack. Google discovered the method, fixed it with a February patch, then described it in a security bulletin. The flaw enabled hacks of Android smartphones via PNG files by way of a purpose-built PGN that could execute code. It’s worth noting that the vast majority of Android phones are not updated frequently and did not get the patch quickly.

What Can We Do to Combat Creative New Malware Strains?

The bottom line is that mobile malware techniques to compromise security cannot be easily predicted. What can be predicted is that threats will continue to rise, new methods will continue to be devised and mobile devices will continue to be the focus of intense malware activity.

The point of all this is not to guard specifically against the examples in this article, but to understand the growing threat — and reflect on the fact that far too many organizations are unprepared. So what can they do to prepare for the unpredictable?

To get started, here are some mobile security best practices and policies to follow and enforce:

  • Keep devices current with the latest updates.

  • Stick to official and authorized app stores. While many of the threats reported here actually appeared on the official Google Play store, it’s important to note that affected apps are removed immediately once discovered. The same can’t be said for unauthorized sources for mobile apps.

  • Minimize the number of apps installed and favor reputable app developers.

  • Embrace a comprehensive approach to mobile security that can protect against even unreported or unpredicted threats.

  • Understand that some of the newest threats can only be stopped with powerful artificial intelligence-based tools.

  • Improve and enforce policies against using public WiFi and in favor of using good password management.

Nobody can predict how creative new malware methods will infiltrate the mobile devices used by employees at your organization. But it’s easy to predict that these attempts will be made. Security decision-makers can no longer think about these threats as theoretical or secondary in importance to other work. It’s time to act on what we know is coming: something unpredictable.

More from Endpoint

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read