By Mike Knight
Proofpoint researchers have reported that, starting in early February, there has been a 500 per cent jump in mobile malware delivery attempts in Europe.
According to the researchers, this rise is in keeping with a trend that has been evident in the last few years where attackers have been increasing their attempts at smishing (SMS/text-based phishing) and sending malware to mobile devices.
Android Is A More Popular Target
Research shows that Android is a far more popular target for cyber criminals than Apple iOS. This may be because Apple’s App Store has strict quality controls and iOS doesn’t allow sideloading. Most mobile malware is still downloaded from app stores, and this may be due to Android’s more open approach. For example, it is open to multiple app stores and users can easily sideload apps from anywhere.
What Mobile Malware Does
The Proofpoint research shows that even though the basic purpose of malware (i.e. to give attackers control of a system) remains the same, the latest versions are becoming more advanced. Proofpoint reports that some of this malware is capable of activities such as recording telephone and non-telephone audio and video, tracking locations, and destroying or wiping content and data, to name but a few. Also, mobile banking malware lies in wait until the user activates a financial app and then intervenes to steal credentials or information.
Adapted For Different Languages, Regions, and Devices
Proofpoint’s Cloudmark Mobile Threat Research has revealed that mobile malware isn’t limited to any specific geographic region or language and that threat actors adapt their campaigns to a variety of languages, regions and devices.
Common Mobile Malware Types
Some of the common types of mobile malware highlighted in Proofpoint’s research include:
- FluBot – spreads by accessing the infected device’s contacts list or address book and sending the information back to a command-and-control (C&C) server. This malware can access the internet, read and send messages, read notifications, make voice calls, and delete other installed applications.
- TeaBot – a multifunctional Trojan that can steal credentials and messages and stream an infected device’s screen contents to the attacker.
- TangleBot – discovered by Proofpoint and Cloudmark researchers in 2021, this mobile malware spreads via fake package-delivery notifications.
- Moqhao – originating from China, this remote access Trojan has spying and exfiltration features so it can monitor device communications and grant an attacker remote access to the device.
How To Protect Your Device
Ways to protect your device from becoming infected with mobile malware include:
- Use a mobile antivirus app from a trusted source (three quarters of users don’t have this on their smartphone).
- Be wary of unexpected or unrequested messages with links, URLs or requests for data of any type, and don’t click on the links.
- Report spam, smishing and suspected malware delivery to the Spam Reporting Service by using the spam reporting feature in your messaging client or forwarding suspicious text messages to 7726 (“SPAM” on the phone keypad).
What Does This Mean For Your Business?
With many people now using their smartphones for many aspects of business, with remote working and BYOD now commonplace, and with mobile malware surging and becoming more sophisticated, there is clearly an increased risk.
Those with Android smartphones need to be particularly cautious. With three-quarters of users not having a trusted mobile antivirus app on their phone, downloading and using one would be a good place to start (while ensuring it’s a trusted one). Also, awareness should be raised among staff of the danger of clicking on links in unsolicited and suspicious messages (smishing risk) and of the danger of downloading apps outside of the Google Play Store.
Caution should also be used when downloading apps within the Google Play Store as some may harbour malware. It’s good practice also to avoid using public Wi-Fi, especially without a VPN, and to keep Bluetooth and Wi-Fi disabled when they’re not in use to minimise the risk of hacking attempts.