With the sharp rise in malware scams affecting Android users in Singapore this year, mobile malware has gained plenty of attention for its role in facilitating malicious cyber activity. This issue of CyberSense examines in greater detail the various types of mobile malware, and what we can do to guard against these threats.
THE MOBILE MALWARE THREAT LANDSCAPE
According to reports by cybersecurity analysts, mobile malware has been on the rise globally both in terms of volume and its level of sophistication. This trend is likely to persist, as the reliance on and adoption of mobile devices continue to grow:
(a) Growing reliance on mobile devices. Mobile devices have increasingly replaced personal computers as the default device on which individuals transact and interact daily (e.g. online banking, shopping and use of social media services). These devices represent data-rich targets for cybercriminals and/or surveillance purposes.
(b) Growing adoption of mobile devices. The number of unique mobile subscribers worldwide is still increasing and is projected to reach 6.3 billion by 2030 (from 5.4 billion in 2022). This means that the attack surface associated with mobile devices will only continue to grow, and that mobile devices will remain highly attractive targets for threat actors.
Yet, individuals are less conscientious in protecting their mobile devices than personal computers today. For instance, separate surveys by McAfee and security.org have shown that only 50% of individuals have installed anti-virus solutions on their mobile devices, compared to more than 80% of individuals who have done so on their computers. These are worrying statistics, given the extent of malicious activities that can be facilitated through mobile malware.
SO, WHAT CAN MOBILE MALWARE DO EXACTLY?
Table 1 below provides an analysis of the notable mobile malware types – which can be broadly categorised into: trojans, spyware, adware and ransomware – as well as their characteristics.
Table 1: Notable mobile malware types
| Malware Type | Characteristics | Affected Segment |
|---|---|---|
| Trojan | Trojans are software that appear to be useful or legitimate, but have hidden functions that are malicious. Generally, trojans may perform a specific malicious function or a mix of them, such as gaining remote access, intercepting text messages, or stealing the targets’ banking credentials and financial information. One trojan that has been prevalent in 2023, especially for its role in facilitating scams, is SpyMax. Threat actors typically use social engineering tactics (e.g. fraudulent advertisements) to lure victims into installing SpyMax, which has been packaged to appear as a legitimate application (app), before tricking victims into turning on “accessibility services” on their mobile devices. Thereafter, the malware may perform various malicious activities, including keylogging to steal banking credentials and performing unauthorised transactions. | Android devices are targeted more by SpyMax, as Android’s open nature allows for greater customisation but also makes it easier for threat actors to distribute malicious apps. |
| Spyware | Spyware generally allows the victims’ activities to be monitored covertly, including their internet usage, location and keystrokes. This is often used to facilitate credential theft by cybercriminals. Spyware may also be used for intelligence gathering or law enforcement purposes. Spyware is typically spread through phishing, malicious email attachments, fraudulent SMS messages, or the exploitation of known vulnerabilities. Mobile devices are particularly targeted by spyware (as compared to computers) given their ubiquity, allowing victims to be monitored almost 24/7. An example of spyware is Pegasus, which gained prominence in 2021 for allegedly being used against journalists and human-rights activists to conduct surveillance. Pegasus is also prominent for being a zero-click exploit, which requires no action on the victims’ part to trigger. | Both iOS and Android devices could be targeted by Pegasus, although Pegasus is more widely reported for its deployment on iOS devices. |
| Adware | Adware is software that displays advertisements on the victims’ devices, often in the form of pop-ups or banners, or loads them in the background without the victims’ knowledge. Compared to other types of mobile malware, adware may appear comparatively benign. However, adware often also tracks the victims’ online activities and erodes their privacy, with the intent to monetise the information and/or to serve more targeted advertisements. Further, adware may lead victims to download other malware inadvertently. Adware is commonly spread through malicious apps. Notably, a report by McAfee published in April 2023 revealed that a total of 38 Minecraft-like mobile games that were available on the Google Play Store actually contained adware, potentially affecting 35 million Android users worldwide. | In general, Android’s open nature makes it easier for threat actors to distribute malicious apps. However, adware campaigns through malicious apps that managed to bypass the official app stores’ security controls have been reported for both Android and iOS platforms. |
| Ransomware | While ransomware attacks have mainly targeted computers and servers, cybersecurity analysts have observed mobile ransomware evolving from being more experimental in nature to being a legitimate threat. Victims may suffer from their mobile devices being locked down and/or files on their devices being encrypted. An example is locker ransomware, which alters the victims’ device credentials, thereby locking the device. Two common attack vectors leveraged by threat actors to infect mobile devices with ransomware are social engineering to trick victims into downloading malicious apps, and exploiting known vulnerabilities in apps. | Mobile ransomware appears to be more prevalent on Android devices, although both Android and iOS devices could be targeted. |
PREYING ON HEARTS AND MINDS
Regardless of the malware type, threat actors have been using social engineering tactics (which include phishing, impersonation, intimidation, etc.) as a common attack vector to trick victims into downloading malware. In fact, phishing has been reported to consistently rank as the most prevalent initial access vector for cybersecurity breaches.
Social engineering preys on how we process information, which may be susceptible to various persuasion methods. Some of these methods include: (a) inducing a false sense of trust (e.g. trust in the other party’s legitimacy, which can be built through convincing emails or seemingly authentic conversations); (b) using enticing promotions (e.g. eye-catching advertisements or attractive prizes); and (c) displaying inauthentic content (e.g. fake reviews on the app stores or social media accounts).
To avoid falling prey to social engineering attacks, having increased vigilance and even skepticism towards suspicious messages, emails or advertisements would be critical. In addition, if ever requested by unknown parties to download any files or apps, always pause and question why this is necessary. Doing so will lower the chances of making logical errors in thinking or being tricked by the other party’s possible attempts to muddle with our judgement.
Readers may recall receiving WhatsApp messages earlier this year from family or friends warning about potential “scams” involving the deactivation of bank accounts and distribution of free blood pressure monitors (see Figure 1), both of which actually turned out to be legitimate. While the confusion that arose from these incidents was unfortunate, such heightened awareness and zeal to warn one another of potential scams was heartening. Nonetheless, it would be most ideal for us to fact-check with official sources before sharing, to prevent disseminating false information to others.
Figure 1. Legitimate letter and flyer that were mistaken as scams. (Source of photos: The Straits Times)
WHAT ELSE CAN WE DO TO PROTECT OURSELVES?
Besides enhancing our vigilance when communicating or transacting digitally, some other cyber hygiene practices to adopt to better protect our mobile devices against malware include:
(a) Adding the ScamShield app, which can detect scam messages and block scam calls, as well as anti-virus apps, which can detect malware and malicious phishing links. Readers may refer to Annex A for the list of recommended security apps put together by CSA, from which readers can choose to suit their needs;
(b) Downloading apps only from official platforms such as the Google Play Store (Android) and Apple App Store (iOS), which have measures in place to detect and remove malicious apps. In addition, check the app developers’ reputation, number of downloads, and reviews before downloading new apps, and stick to well-known developers where possible;
(c) Verifying and reviewing the requested permissions when installing new apps, and be wary of apps that request excessive permissions; and
(d) Updating our mobile devices and apps promptly or automatically to ensure the most up-to-date protection against cyber threats, and regularly remove apps that are no longer needed.
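The SpyMax trojan described in Table 1 depends on the victim turning on accessibility services, and point (c) above recommends reviewing what apps are allowed to do. The following script, an added example and not part of this CyberSense issue or of CSA's advisories, reads the Android secure setting that lists enabled accessibility services and reports any service that is not on an owner-maintained allowlist. It assumes a device with USB debugging and `adb` available; the allowlist entry and the package names used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the CyberSense newsletter): audit which accessibility
# services are enabled on an Android device, since trojans such as SpyMax rely
# on the victim turning that feature on for an untrusted app.
# The Android secure setting 'enabled_accessibility_services' holds a
# colon-separated list of "package/ServiceClass" entries; 'settings get'
# prints "null" when nothing is enabled.
set -eu

# Allowlist of services the device owner knowingly enabled (constructed
# sample: TalkBack, Android's built-in screen reader). Adapt to your device.
KNOWN_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unknown_services RAW ALLOWLIST
# Prints one line per enabled service that is not on the allowlist.
flag_unknown_services() {
  raw=$1
  allow=$2
  if [ -z "$raw" ] || [ "$raw" = "null" ]; then
    return 0
  fi
  printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
    if [ -z "$svc" ]; then
      continue
    fi
    case ":$allow:" in
      *":$svc:"*) ;;                  # known service, skip it
      *) printf '%s\n' "$svc" ;;      # unexpected: report for review
    esac
  done
}

# Live check against a connected device (needs adb and USB debugging).
# Returns 1 when an unexpected service is enabled so it can gate a fleet script.
audit_device() {
  raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  unknown=$(flag_unknown_services "$raw" "$KNOWN_SERVICES")
  if [ -n "$unknown" ]; then
    echo "Enabled accessibility services not on the allowlist (review these):"
    printf '%s\n' "$unknown" | sed 's/^/  /'
    return 1
  fi
  echo "No unexpected accessibility services enabled."
}

# Run the live audit only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
  audit_device
fi
```

Run it as `sh audit_a11y.sh --live` with the device attached; any service it lists that you did not enable yourself is worth disabling under Settings > Accessibility and investigating the owning app.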
Mobile devices represent a large and valuable attack surface that threat actors will continue to target. Staying well-informed, practising increased vigilance, and adopting good cyber hygiene practices can help mitigate the risks of falling victim to online threats, including malware scams which have been prevalent recently.
For more information on how to spot the signs of possible malware infection, and mitigation measures if you suspect that your mobile device has already been infected with malware, please refer to the CSA advisory here.
Annex A: List of recommended security apps
The Singapore Police Force reported that there were more than 750 cases in the first half of 2023 where victims had downloaded malware onto their phones, with losses amounting to at least $10 million.
Accurate as at time of writing.
Accessibility services is a feature on Android devices intended to assist users with disabilities by making it easier for them to navigate the Android device. However, this function also comes with potential security risks, as it can be abused to steal sensitive information or to allow cybercriminals to control the device remotely.
Readers may refer to the December 2021 issue of CyberSense titled “Zeroing on Zero-Click Attacks Against Mobile Devices” for more information on zero-click exploits.
REFERENCES: Singapore Police Force, Zimperium, GSMA Intelligence, Techjury, Kaspersky, McAfee, The Hacker News, US National Institute of Standards and Technology, Arctic Wolf, ZDNet, The Straits Times, Bleeping Computer.