What is mobile malware, really?

Many types of apps and attacks get included under this moniker. What are the differences?

While researching mobile security statistics and determining how best to break down all the different data out there, I noticed that security vendors often combined a variety of malicious and potentially harmful apps under the term “mobile malware.” This allows them to show off much higher numbers than there might otherwise be. Not everything underneath the umbrella term is necessarily dangerous, though all offer some level of potential harm for users and/or enterprises.

But overall, it’s too vague a term when you’re trying to understand the data and figure out how worried enterprises should really be. So, let’s dive deeper into mobile malware and figure out what all gets swept up under it and how dangerous each is.

Types of malware

Potentially harmful apps come in all shapes and sizes. Some apps may not treat data the way we would like them to, but otherwise do nothing nefarious. Some apps are designed to exploit software/OS zero-day vulnerabilities or known bugs to steal data. And still other malware may focus on delivering pop-up ads for quick monetization.

More outright malicious apps can go even further, rooting or jailbreaking devices to prevent easy removal, while they also spy or add the device to a botnet. Other apps might be modified and weaponized versions of legitimate apps, abusing the original apps reputation and permissions.

So, what do vendors generally consider mobile malware? Here’s a breakdown of some common types:

This is arguably the most well-known (but not necessarily the most common) mobile malware and also one of the more harmful. Ransomware locks down your data or the entire device, demanding you pay the hacker to regain access to what’s yours (sometimes you can factory reset the device if you have your data all backed up, instead). Ransomware attacks often make the news, with one recent mobile example being SLocker on Android.

This is the most common type of mobile malware and is itself a category of malware that is less directly harmful to users—hence its name, which I came across in the Verizon 2018 Data Breach Investigations Report (DBIR). Most nuisanceware is more annoying than actively dangerous (though to be clear, no malware is “safe” or OK). Some malware included under this term include adware and chargeware.

Adware are apps that inject popup ads onto a user device, as well as apps that use your device to click ads. Both variants are designed to create quick revenue, while sometimes collecting personal information—often for more targeted ad campaigns. One recent example is Falseguide, which was hidden on companion apps to legit, popular apps.

Chargeware are apps that quietly purchase paid apps and services without user approval, this often includes premium SMS services and premium dialers. One example is ExpensiveWall on Android, which kept finding its way onto Google Play. A similar example is apps that trick users into expensive subscriptions after being downloaded by users.

This is malware hidden within legitimate-looking apps. The apps could do any type of malicious activity, like steal your data or phish for your credentials.

One of the most-often discussed types is Banking Trojans, which focus on stealing banking credentials; two examples are Charger and Ztorg.

Another popular Trojan are apps designed to root or jailbreak a user’s device without their knowledge, to prevent them from deleting said malicious app. The Pegasus spyware jailbroke iPhones, while Copycat for Android left 14 million devices affected, with 8 million actually rooted.

This category of mobile malware encompasses apps that aren’t designed to be malicious, but don’t do an especially good job of protecting user data; whether that’s sending user data off to remote servers or collecting more data than they need—creating a potential opening for hackers or the simple misuse of data. Riskware is more of a potential worry for enterprises than the average consumer. The classic example is a flashlight app that asks for access to your contacts.

This type of mobile malware has popped up with the growth and popularity of cryptocurrencies. It is either designed to try and gain access to a user’s digital wallet (like Banking Trojans) or use the device’s compute power to mine cryptocurrency. One example is Poloniex, which was a malicious app parading around as the official app of the cryptocurrency exchange (it didn’t get an official app until July 2018), which then stole users’ funds.

Lastly, there’s spyware, designed to do as its namesake suggests: spy/record user data and activities (often snuck onto a device through apps that require higher permissions). Spyware is often, but not always, part of targeted malware campaigns, unlike other malware designed to cast a wider net. Two recent examples of mobile spyware are Pegasus and X-Agent.

How one gets malware

Despite the amount of malware that exists out there in the wild, it’s actually pretty rare for it to get on mobile devices. I’ll get into the actual numbers regarding breached devices another time, but here are some common ways mobile malware gets onto your device:

  • First, you can get it by sideloading apps from mobile browsers and not official app stores, which is most often a worry for users with jailbroken/rooted devices or Android devices that allow unknown sources. Much of the malware in existence reside outside of official app stores, since those have quality review processes. While there’s a conversation to be had about how good those review processes are, users are overall much safer using apps from the official stores.
  • User carelessly downloads an app from within an app store without paying close attention. Fake versions of legitimate apps make it onto app stores all the time—sometimes with capitalization being the only immediate identifier that it’s not the app the user really wants.
  • Granting high level user permissions to apps that shouldn’t need it. The core of the app may appear legitimate, but it could then make a delayed call to a server to download its true payload.
  • Successful mobile phishing attacks. It’s easier to obscure URLs and get users to click on them than desktops.

Another important concept to keep in mind is that hackers that know about dangerous bugs might want to save them for attacks on high-value targets, instead of using them widely and having OS makers notice and patch them. This isn’t necessarily a mobile-specific point, but still very relevant for this conversation.

Stop with the scare tactics

There’s so much that gets grouped under the term “mobile malware” that it’s become clear to me that it’s disingenuous for white papers to combine the numbers—especially given how unlikely it is for anyone to have malware on their device. It happens, yes, but combining the numbers just preys upon our fear of anything labeled “malware” rather than really providing informative numbers we can use and learn from. Large, scary numbers just create hysteria—it’s time to break down the numbers. How much ransomware is out there compared to nuisanceware?

Nuisanceware isn’t good, but it’s not contributing to enterprise data breaches (yet). Verizon came to that conclusion after speaking with Lookout for their 2018 Data Breach Investigations Report. The capacity for a breach via mobile malware exists, but it’s much more likely that an organization will suffer a data breach as a result of social engineering or network-focused attack. Stealing contacts is a concern; that’s why we saw contacts become one of the types of data that MDM can protect in iOS 11.3.

Don’t ignore mobile malware, both on the consumer and enterprise sides; just realize that a lot of the mobile malware statistics out there obfuscate the reality.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.