Mobile Malware

Mobile malware is not a marginal phenomenon: Kaspersky blocked over 33 million mobile malware attacks in 2024. Android (a more open platform) is particularly at risk, but iOS is by no means immune. Mobile malware is especially critical for businesses, as employees’ smartphones often have access to email, Teams, VPNs, and corporate apps.

Types of Mobile Malware

Banking Trojans (most common threat)

Attack:

• Fake banking app or overlay on top of a genuine app
• Steals: login credentials, transaction TANs, account details
• ATS (Automatic Transfer System): transfers funds automatically

Known families:

• Anatsa (TeaBot): Android banking Trojan, 650+ banks
• TrickMo: MFA bypass via remote control
• SpyNote: Remote Access Trojan (RAT), camera/microphone access
• Cerberus: Rental malware with keylogger + Google Authenticator overlay

SMS Stealers

Attack:

• Intercepts SMS messages
• Steals: OTP codes (SMS-based 2FA)
• Criminals purchase stolen OTPs on dark web marketplaces

Example attack: The attacker knows the password (from a leak) but still needs the SMS OTP. After infecting the device with an SMS stealer, the attacker waits for the victim to log in and intercepts the OTP code in real time.

Spyware and stalkerware

Commercial Spyware (State Actors):

• Pegasus (NSO Group): state surveillance, iOS zero-click
• Predator, Hermit: state actors
• Infection vector: zero-click (no click required) or link

Commercial Stalkerware (Private Individuals):

• FlexiSPY, Spyic, Cocospy: for “partner surveillance”
• Data collected: GPS, SMS, calls, photos, social media
• Installation usually requires physical access to the device (approx. 5 minutes)

Mobile Ransomware

• Less common than desktop ransomware, but on the rise
• Locks the device or encrypts files
• Android: Scareware (fake police alerts) is more common than actual encryption
• Important data: iCloud/Google Backup provides protection

Adware / PUP (Potentially Unwanted Programs)

• Most common malware category
• Displays aggressive ads, slows down the device
• Spread via third-party app stores

Cryptominers

• Uses CPU/battery for crypto mining
• Causes overheating, battery damage, high data consumption
• Often hidden in games or "premium" apps

Distribution Methods

1. Malicious Apps (most common method)

• Official: fake apps in the Google Play Store (despite review)
• Sideloading: APKs from unknown sources (Android)
• Enterprise profiles: iOS apps outside the App Store via MDM profile

Disguised app types:

• “Free” premium apps that normally cost money
• VPN apps (many spy on users)
• “Cleaner”/“RAM booster” apps (always suspicious)
• Fake banking apps or utility apps

2. Smishing (SMS phishing)

• “Your package cannot be delivered: [Link]”
• Link opens a fake installation page
• User installs “official app” = malware

3. Malvertising

• Malware-infected ads in apps
• Drive-by downloads on mobile websites

4. Zero-click exploits

• No user interaction required
• Attacks via: iMessage, WhatsApp, SMS
• Pegasus: simply receiving a message leads to infection
• Targets: journalists, activists, politicians

5. QR code phishing (quishing)

• Fake QR codes lead to malware downloads
• Found at public charging stations, restaurants, and on posters
• “Scan here for Wi-Fi access”

Corporate Protection Measures

MDM/UEM (Mobile Device Management)

• Manage all business devices via MDM
• Policies: no sideloading, screen lock, device encryption
• Remote wipe in case of loss/theft
• Compliance check: Is the device secure? → Otherwise, no access

MTD (Mobile Threat Defense)

• Specialized security apps for mobile devices
• Solutions: Lookout, SentinelOne Mobile, Zimperium, Jamf Protect
• Detects: Malware, network attacks (Evil Twin Wi-Fi), system compromise
• Integration with MDM and SIEM

BYOD Security

• Work Profile (Android Enterprise): separates personal from business
• iOS Managed Apps: business apps without device control
• Conditional Access: insecure devices → no access to M365
• MAM (Mobile App Management) without MDM: app-level control only

Measures for Employees

• Only apps from official stores (App Store, Google Play)
• Regularly check app permissions—a flashlight app doesn’t need a microphone or GPS
• Regular OS updates (patches close zero-day vulnerabilities)
• Do not use SMS OTP – better to use a TOTP authenticator or FIDO2
• Public Wi-Fi networks: Use a VPN
• QR codes: Check the destination URL before opening
• Device PIN: At least 6 digits; Face ID/fingerprint alone is not sufficient

Indicators of Compromise (IoC) on Mobile

• Battery drains unusually fast
• High data usage by unknown apps
• Unknown apps in the app list
• Device is warm even when not in use (mining?)
• Pop-ups and redirects while browsing
• Unusual SMS or call charges

Forensics and Incident Response on Mobile

Android

1. Disable Wi-Fi and cellular data (Airplane Mode)
2. Do not reset—secure evidence first
3. Android Debug Bridge (ADB): Logs + installed apps
4. Mobile forensic tools: Cellebrite UFED, Oxygen Forensic
5. Upload APK to VirusTotal
6. Reset only after forensic backup

iOS

1. Enable Airplane Mode
2. Stop iCloud backup (backup overwrites forensic data)
3. iOS Forensics: Cellebrite, GrayKey (expensive, government agencies)
4. Spyware check: iVerify (Lookout) for iOS malware scanning
5. Factory reset after data backup

Pegasus Detection

# MVT (Mobile Verification Toolkit) from Amnesty International:
python3 -m mvt-ios check-backup --iocs indicators.stix2 /backup

Searches for known Pegasus IOCs in backups. For iOS, a jailbreak via checkra1n is possible for deeper analysis.