Verticals Targeted: Financial, Government, Journalism, Various
This report is part of PolySwarm’s 2022 Recap series. This edition provides an overview of the 2022 mobile malware threat landscape.
- The 2022 mobile malware threat landscape saw a 500% increase in malware distribution in early 2022, and mobile malware continued to be rampant throughout the year.
- Some of the attack vectors used by threat actors to distribute mobile malware in 2022 include apps injected with malicious code, zero-click attacks, TOAD, and smashing.
- Types of mobile malware that were prolific in 2022 include banking trojans, dropper apps, spyware, mobile ransomware, and subscriber trojans.
Mobile malware has emerged as an increasingly common threat. The 2022 mobile malware threat landscape showed evidence of increased efficiency in propagating malware, particularly on Android devices. Industry researchers noted a 500% increase in mobile malware in the first quarter of 2022, and mobile malware has continued to be rampant throughout the year. Of the mobile malware, PolySwarm analyzed, the majority targeted financial interests in some form. Most were banking trojans or RATs capable of stealing a victim’s credentials used for financial institutions.
Mobile Device Susceptibility
Traditionally, Android phones have been more susceptible to malware targeting mobile devices, and Apple devices have been more secure. Threat actors are now taking advantage of Apple users’ complacency about security and are using new tactics to specifically target those devices. Threat actors targeting iOS configuration profiles are also an emerging threat. iOS configuration profiles are created using Apple’s iPhone configuration utility and are used by IT services and mobile providers to configure and restrict settings and to install security certificates.
It is ironic that configuration profiles, which are often used to install security settings, can also be used as an attack vector. Threat actors can create configuration profiles to force a device to use a malicious proxy or VPN. This allows the threat actor to monitor device traffic or redirect the victim to a phishing page. A threat actor can also use configuration profiles to forge a certificate to impersonate secure websites, such as a bank or corporate login page. Configuration profiles can be delivered as an attachment via email or from a website. While installing a configuration profile requires the user to accept installation, most users are not security savvy enough to question whether or not the profile is legitimate. Threat actors take advantage of this naivety. Despite this susceptibility, in 2022, we still saw very few mobile malware families successfully targeting Apple’s iOS devices.
At present, Android devices continue to be more susceptible to malware than their Apple counterparts and account for the majority of successful mobile malware installations. Android’s Accessibility Service is meant to provide services to assist disabled persons with accessing and interacting with their Android devices. However, threat actors have learned to take advantage of this feature, leveraging the legitimate API to create fake overlay screens to steal credentials and other sensitive information. Android is working on addressing this problem.
Often, mobile malware is distributed by masquerading as a legitimate app on the app store or being offered as a sideloaded app from an unofficial repository. However, in 2022, we have observed an increase in other attack vectors.
Zero-click attacks are a tactic that does not require user interaction to install malware on the victim’s device. These attacks often leverage 0-day exploits and are used in espionage campaigns perpetuated by sophisticated threat actors. Once the victim’s device is compromised, the threat actor can install a myriad of malware, including surveillance software, ransomware, and banking trojans. Two known zero-click attack methods are parser application exploits and WiFi proximity attacks. In a parser application exploit attack, a victim opens a picture in a PDF or mail application while the threat actor silently works in the background. In a WiFi proximity attack, threat actors find exploits on a WiFi stack and upload exploit code into the victim’s kernel space to compromise the device.
TOAD, or telephone-oriented attack delivery, is a tactic that allows threat actors to trick potential victims into entering their phone numbers and other personal information into a phishing site. The threat actors use the collected numbers to call the victims, pretending to be support agents. Their goal is to trick potential victims into installing malware on their devices. The malware installed in these attacks is typically a banking trojan, and related messages sent to the victim often claim to be from a financial institution. Additional information gathered by the threat actors allows them to bypass security questions.
Smishing is a tactic that uses SMS messages to distribute malware. Threat actors send messages impersonating known contacts or trusted brands to coax victims into clicking a link or sharing personal data. Once a device is compromised, the threat actors can steal the victim’s contact list and use it to further propagate the malware.
Types of Malware Targeting Mobile Devices
Threat actors use a variety of malware when targeting mobile devices. Some of the most prolific in 2022 were banking trojans, dropper apps, spyware, mobile ransomware, and subscriber trojans.
One of the most commonly observed categories of mobile malware continues to be banking trojans. Banking trojans steal a victim’s information, targeting logins to financial institutions and sometimes cryptocurrency apps. Some Android banking malware families have been updated to include functionality that allows them to steal credentials from overlay screens using Accessibility Service, even if the victim has simply entered the information and has not submitted it. These credentials can be used for on-device fraud.
On-device fraud is a tactic used by threat actors to initiate transactions from a victim’s compromised device. This tactic, which is becoming increasingly popular, is often implemented using previously stolen banking credentials. In the first half of 2022, there was a significant increase in the number of malware families using Android OS to conduct fraud using the device itself.
In 2022, the Android app store was plagued with a variety of dropper apps masquerading as legitimate applications, including productivity and utility applications. Threat actors have found dropper apps to be one of the most effective ways to deliver mobile malware. Droppers are popular due to their high return on investment for distributing malware versus other methods such as TOAD, Smishing, malicious advertisements, and exploits.
Spyware is a category of mobile malware impacting both iOS and Android devices. Some of the more well-known spyware affecting mobile devices are government-grade surveillance tools and are often used for espionage. Two of the more well-known malware families in this category are Pegasus and Predator.
Like traditional ransomware, mobile ransomware prevents the victim from accessing their device functionality or files until a ransom is paid. The threat actors behind mobile ransomware attacks may also steal a victim’s data to use for double or triple extortion, threatening to sell or leak the data if the victim does not pay the ransom.
Subscriber trojans are a type of mobile malware that facilitates billing fraud by subscribing a victim to a paid service or app without their knowledge. Most subscriber trojans masquerade as legitimate apps, with threat actors taking a legitimate app and injecting malicious code, then uploading it to the app store with a name that is very similar to that of the legitimate application.
Tracking Mobile Malware With PolySwarm
PolySwarm tracked a variety of mobile malware families this year. Some of these families include: