What A Funny App I Got Here!

Written by

Aleksandra Blaszczyk

June 21, 2021

Aleksandra Blaszczyk is a security researcher at Akamai Technologies.

When you hear the word "malware", the first thing that might come to your mind is a PC or laptop. You think about some weird advertising pop-ups or unrecognized processes running in the background.

We tend to forget that our mobile device is also a small computer. This small computer is mostly used to text friends, check news, or even watch funny cat videos; and yet, it can be infected with malware, too. 

However, spotting something malicious on a smartphone is harder than on a PC, since mobile malware isn't as obvious. Unlike computer users, smartphone users typically won't see a clear sign that something is wrong, such as a pop-up or a fast-moving fan.

One of the main purposes of having a mobile device nowadays is not to call people but to browse the internet and use social media. Statistics from 2020 say that 81% of Americans own a smartphone, and 35% of phone users check their phones more than 50 times a day [1]. To put it in perspective, 35.13% of the world has a smartphone [1]. When it comes to age groups, 98% of people aged 25-29 and 46% of the 65+ group are owners of smartphones [2].

In the US, the most popular usage is internet browsing and accessing social media apps [3]. A study from 2020 indicates that Americans in the 25-40 demographic spent 40 minutes on phone calls out of an average of 5.7 hours of phone usage, whereas people aged 57-75 spent 24 minutes out of an average of 5 hours [4].

Malware targets both mobile and desktop operating systems. When the amount of time a given person uses their mobile device is factored into the overall attack surface malware looks to exploit, the risk posed becomes clear. By spreading general awareness of the types of malware targeting mobile devices, as well as the risk posed by infection, it's possible to reduce the seriousness of the threat to a degree, and increase personal resilience to these types of attacks.

Types of malware

Malware, a general term for malicious software, includes viruses, worms, trojans, and other harmful programs that are developed to do damage, disrupt operations, or gain unauthorized access to a device. Mobile malware is still on the rise when compared to PC-based malware in terms of complexity and attack volume, but that doesn't make it any less problematic.

Here are the most common types of mobile malware seen in the wild:

Spyware

Spyware is a type of malware designed to track and follow victims. Criminals use spyware to read emails, text messages, listen to conversations, and track a victim's location. Depending on the function, spyware usually installs with default permissions granting the criminal near-total control over the device. Spyware is rarely installed alone, and is often found as part of a larger malware package.

Madware/adware

Madware is the name given to mobile adware. The main purpose of this malware is to blanket the victim's device in advertising. Madware comes in different forms, like banners or pop-ups. It usually functions alongside spyware and uses information collected from the infected device in order to target the ads, as well as making adjustments to the device in order to hide from ad-detection. In some cases, developers will leverage madware in their free app, often in the form of non-skippable ads.

Doing so enables the developer to monetize their work. Kaspersky Lab reports that the share of adware attacks increased in 2020 from 21% in 2019 to 57% [5].

RiskTool

The main function of RiskTool is to interfere with the device's operating system by terminating some processes, extending the runtime of malicious programs, and making running applications undetectable. One notable example of RiskTool would be cryptomining software.

Kaspersky reports that RiskTool's share of mobile threats decreased in 2020 to 21% from 32% in 2019 [5]. Similar to spyware, RiskTool is often installed as part of a larger malware deployment, in order to hide all malicious and suspicious activity of adware or trojans.

Trojans

Trojans are usually inserted into a non-malicious-looking application. Trojans are related to viruses. On mobile phones, viruses target known vulnerabilities for exploitation, rather than replicate like worms. Overall, trojans accounted for about 12% of mobile threats in 2020 [5].

The most threatening types of trojans are:

Mobile Trojan: This malware can be disguised as the official app, but its only purpose is to capture credentials. Such malware is one of the biggest threats on mobile devices currently.

Fake AV Trojan: These trojans look and behave like paid antivirus software, demanding payment for detecting and removing false threats.

Remote Access Trojan: Like RiskTool, this trojan will hide and obfuscate files and programs.

SMS Trojan: The main task of this trojan is to send and intercept text messages, most of the time for premium services.

Password Stealing Trojan: As the name suggests, this trojan was created to steal passwords and secret keys, as well as inspect cache and cookies files.

Dropper Trojans: These trojans are designed to distribute malware across mobile platforms. Droppers are often bundled together and contain many different types of malware.

IM Trojan: IM trojans impersonate messaging apps with a goal of credential theft.

Drive-by download 

Drive-by downloads are attacks that can deliver various types of malware, unleashing a wide range of threats. Criminals will leverage various vulnerabilities in order to launch drive-by attacks. Often, such attacks happen without the user being aware, as the payloads are downloaded in the background.

However, criminals will also take advantage of official app stores and try to distribute malicious applications from there too. Moreover, drive-by attacks also happen frequently on non-official app stores. According to a 2020 report on unwanted apps, between 10% and 24% of users reported encountering at least one unwanted, potentially malicious app, via app stores [6].

Phishing / smishing / email

Phishing attacks on mobile devices (including SMS-based attacks called smishing), as well as email-based attacks with a mobile focus, are a favorite of criminals. These attacks take advantage of the mobile platform's limits and often lure victims with a promise of a reward of some kind (a free vacation for example) or the threat / stress of a missed delivery or some sort of urgent matter that requires immediate attention.

Once the victim clicks the link, they're either directed to a webpage that requests personal information or a webpage that appears to be broken. Both attack types are problematic; however, the second - broken webpage - attack is directly harmful to the device. The victim sees a broken webpage; unbeknownst to them, however, the website wasn't broken. Instead, it was downloading malware in the background.

Right now, the most popular attack in Europe is smishing. Criminals are using the missed delivery lures, as well as payee lures ('a new payee has been added to your account') in the case of financially-based attacks.
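A triage heuristic for reported text messages built on the lures described above, as an added example that is not part of the original article. The keyword patterns, the verdict names, and the `TRUSTED` allowlist of an organisation's own courier and bank domains are illustrative assumptions; the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit
# Lure families named in the article; the keyword patterns are illustrative assumptions.
LURES = {
    "missed_delivery": re.compile(r"\b(parcel|package|delivery|courier)\b", re.I),
    "new_payee": re.compile(r"\bpayee\b", re.I),
    "reward": re.compile(r"\b(free|prize|reward|winner)\b", re.I),
}
URGENCY = re.compile(r"\b(urgent|immediately|final notice|within \d+ hours?)\b", re.I)
LINK = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

def link_hosts(text):
    """Return the lower-cased hostname of every link in the message."""
    hosts = []
    for m in LINK.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url  # bare www. links need a scheme to parse
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_trusted(host, trusted):
    """Exact match or true subdomain only, so 'bank.example.evil.test' fails."""
    return any(host == t or host.endswith("." + t) for t in trusted)

def triage(text, trusted=frozenset()):
    lures = [name for name, rx in LURES.items() if rx.search(text)]
    untrusted = [h for h in link_hosts(text) if not is_trusted(h, trusted)]
    urgent = bool(URGENCY.search(text))
    if lures and untrusted:
        verdict = "report"   # known lure wording plus a link to an unknown host
    else:
        verdict = "review" if untrusted or (lures and urgent) else "ok"
    return {"verdict": verdict, "lures": lures, "untrusted_hosts": untrusted, "urgent": urgent}

# Constructed sample messages (reserved .example/.test names, not real traffic).
TRUSTED = frozenset({"courier.example", "bank.example"})
SAMPLES = [
    "We missed you! Reschedule your parcel delivery: http://courier.example.track-parcel.test/r?id=1",
    "A new payee has been added to your account. Not you? Visit https://secure.bank-example.test immediately.",
    "Your parcel is out for delivery. Track it at https://track.courier.example/t/123",
    "Running late, see you at 7",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms, TRUSTED)["verdict"], "|", sms)
```

The first sample shows why the allowlist check compares the end of the hostname: the trusted name appears as a prefix of an unrelated domain, and a substring match would have let it through.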

Conclusion

As you can tell, the malware threat to mobile devices is extensive and just as robust as the malware threat to desktop systems. The notion that users are to blame in many cases just isn't true these days because drive-by downloads and seemingly harmless applications remove the user from the equation.

Education and awareness are key elements of defense when it comes to protecting users from phishing and malware. When possible, users should be encouraged to keep applications updated and to only download applications from official channels. Likewise, warning users against jail-breaking devices is wise, as jail-broken devices often lack many of the protections that ship from the factory.

It's okay to be skeptical of random requests and notices, so users should be encouraged to question everything, even if those messages come from alleged trusted sources (or corporate sources for those in an enterprise setting).

Finally, in an enterprise setting, empower staff by offering continuous threat education, and making them feel comfortable reporting suspicious text messages, phone calls, or emails. It's also important to maintain strict controls across the network, and leverage data encryption whenever possible.

References:

  1. RescueTime. 2019. Screen time stats 2019: Here's how much you use your phone during the workday. Data: 11000 responders, received from RescueTime app users who consented to providing statistical data
  2. Newzoo. 2021. Newzoo Global Mobile Market Report 2020. Number of smartphone users worldwide from 2016 to 2023.
  3. Pew Research Center. 2021. Mobile Fact Sheet. Data: Surveys of U.S. adults conducted 2002-2021.
  4. Statista Global Consumer Survey. 2020. Which kind of smartphone apps do you use regularly?. Data: 3805 respondents, age group: 18-64 years.
  5. Provision Living. 2019. Smartphone screen time. Data: 2000 responders, age group: 25-40 and 57-75 years.
  6. SecureList by Kaspersky. 2021. Mobile Malware Evolutions 2020. Data: detection verdicts of Kaspersky products received from users who consented to providing statistical data.
  7. Platon Kotzias, Juan Caballero, Leyla Bilge. 2020. How Did That Get In My Phone? Unwanted App Distribution on Android Devices. In IEEE Symposium on Security and Privacy (SP).

