The Rise of Mobile Malware


The first smartphone came out in 2007 with the advent of the iPhone. Thirteen years later, 78% of the world’s population had one in hand. Now global smartphone shipments are projected to clear $1.43 billion. The rise of mobile phone usage has been astronomical - as have the threats that follow.

Why Target Smartphones?

Mobile malware is on the rise, and you can’t blame bad actors for going after low-hanging fruit. Researchers noted a staggering 500% increase in mobile malware attempts in the first half of this year alone. Beware people from “Microsoft” calling you out of the blue, never “authenticate” anything unless you’ve initiated it, and if you’re already logged into Twitter, clicking on a link shouldn’t make you “log-in” again.

Bad actors count on our phone-induced autopilot to get us into trouble, and it does. And, they’re not only after our data. “The main aim of a substantial proportion of mobile malware is to steal usernames and passwords for email or bank accounts, but many forms of mobile malware are also equipped with invasive snooping capabilities,” reads a recent article in ZDNet. These include the ability to “record audio and video, track your location, or even wipe your content and data.”

Mobile Malware Attacks

So, knowing that our phones are prime bait for hackers, what should we be on the lookout for?

Phishing, smishing and vishing

Phishing attempts aren’t just for your inbox (which we all have on our phone anyway). Those alluring links come via Messenger, SMS text messaging (“smishing”), or even on a voicemail (vishing).

SMS-based trojans

A number of low-key apps were recently outed for offering users prizes that included an SMS trojan download once they entered their phone number - to collect the prize, of course. Other exploits intercepted text messages filtered for words like “pay”, “bank,” and “balance”. Be careful not to send sensitive information without requiring authentication - and some basic security.

Non-secure WiFi

We all want to save on data, but the bad guys have that figured. Think twice before happily jumping on to “Starbuck_FreeWifi” and consider your surroundings. Or, download a mobile VPN.

Suspicious URLs

Malware doesn’t even require you to enter information on a fake site anymore - just clicking on it can send out crawlers that steal your logins on all your most sensitive mobile apps (including fitness, banking, and trading apps).

Third-party apps

Android users are a bit more susceptible here because of the openness of the Android marketplace - the fact that you can download from third-party app stores makes the whole exchange more of a risk.

Also, some operating systems are more targeted than others. Accessibility Service has been Android's Achilles' heel in recent years, allowing threat actors to leverage the legitimate API to serve unsuspecting users with fake overlay screens and capture sensitive information. The openness of Android OS can cut both ways as malware finds a way to abuse legitimate (and useful) features, and the restrictions we’ve seen put in place still don’t entirely solve the problem. It’s an uphill battle, so if you’re going to opt for some of these more flexible environments, just make sure to up your defense.

Mitigating Mobile Malware

Here are a few tips for staying safe while still making full use of your mobile device - no matter what operating system you’re on.

  1. Don’t “jailbreak” your device. Or buy one that is. It does away with the built-in security features, makes you more susceptible to malware, doesn’t let you install updates until a jailbroken version is available, and introduces numerous other security issues.
  2. Use a VPN. We all know what it’s like to use our phones to check Outlook, send money or join a Zoom call. A Virtual Private Network (VPN) provides an extra layer of protection when accessing private sites on public WiFi and prevents location-based threats.
  3. Check permissions before installing. Applications should only ask permissions for necessary APIs. Be extra cautious with applications asking for SMS handling privileges, and be wary of third-party apps; they’re not tested for viruses like apps in the App Store.
  4. Keep your software updated - but not too updated. Companies release updates on mobile devices to address potential vulnerabilities. But, be wary of applications suggesting updates immediately after their installation - they should be the latest version, so if the app asks to update permissions immediately after install, it might be malware.
  5. Lock down authentication. Make sure it’s you. Even if malware does find its way onto your phone, it will have a hard time getting past an MFA roadblock; especially one that requires biometrics, security questions, or a one-time passcode (OTP). And consider a password manager like LastPass that will not only keep track of but generate secure, randomized passcodes.
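
For teams that vet apps before allowing them on work phones, tip 3 and the Accessibility Service warning above can be turned into an automated check. The script below is an added example, not code from this article or from any vendor it names; it assumes the app's AndroidManifest.xml has already been decoded to plain XML, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission." + p
                   for p in ("READ_SMS", "RECEIVE_SMS", "SEND_SMS")}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical "prize" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.prizewheel">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return a list of findings for a decoded AndroidManifest.xml."""
    # For manifests from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    findings = [f"sms: {perm}" for perm in sorted(requested & SMS_PERMISSIONS)]
    has_overlay = OVERLAY_PERMISSION in requested
    if has_overlay:
        findings.append("overlay: can draw over other apps")
    # An accessibility service is declared on the <service> element itself.
    services = [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
                if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]
    findings += [f"accessibility: {name}" for name in services]
    # The pairing behind fake overlay screens: screen access plus overlays.
    if services and has_overlay:
        findings.append("high-risk: accessibility service combined with overlay")
    return findings

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

An empty result only means none of these specific permissions were requested; it does not show that an app is safe.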

Now you may be thinking, but what about my employees? They’re the ones walking around with hand-held liabilities. Companies like KnowBe4 offer security awareness training for mobile devices, ensuring you and your team make the transition safely and confidently. OneLogin is another great tool for one-click access to all your cloud and enterprise applications, protecting users on-the-go. And Umbrella for mobile defends against threats at the DNS layer, so even if someone stumbles into a phishing campaign and clicks a bad link, internet-based threats are detected and mitigated at the source.

If you’re going to have mobile workers, you need a full mobile security suite. Port53 is dedicated to finding you the right security tools for work in a post-perimeter world, and that includes mobile business. We know mobile malware is rampant, tools are myriad, and there are a million ways to go wrong.

We pride ourselves in making the complex simple and letting you know where you stand with our cybersecurity maturity assessment, then helping you get to where you want to be. And, we’re with you every step of the way. Find out all the different ways Port53 secures your mobile workforce.

Thaddeus Osetek

Independent Information Services Professional

2 years ago

Make complex understandable Good info
