How bad actors deliver mobile malware into your device

Mobile malware is getting smarter and is exploiting a host of new attack vectors. But there are things all of us can do to stop it from further extending its reach.

The COVID-19 pandemic and the many uncertainties that have followed it have cemented an already prominent trend: 

Our reliance on mobile devices and mobile applications to help us manage our daily personal and professional activities is increasing rapidly.

As proof of this, look no further than the fire at a South Korean data center in October 2022 that caused an outage and downed the popular “super app” Kakao. Its absence for a few days felt genuinely debilitating for some.

And you better believe that bad actors aren’t going to stand idly by while this trend continues to gather pace. Not when they have such a massive opportunity to profit from it. This helps to explain the recent surge in mobile malware attacks: Proofpoint reported a 500% increase in attempted mobile malware attacks in Europe during early 2022.

This is a strong sign that mobile malware continues to pose a threat and cause real harm to its victims - from stealing and abusing personally identifiable information (PII) to silently initiating fraudulent transfers from a victim’s bank account (the class known as automatic transfer system (ATS) malware).

In this article we’ll share several ways bad actors deliver malware into your device and spread its reach still further. And crucially we’ll also explain how you can protect against malware attacks.

Malware infection vectors

Fraudulent apps

Developing and distributing fraudulent apps is the easiest and most common vector by which bad actors spread malware. As we’ve already said, cybercriminals are well aware of our reliance on apps for daily tasks. So it makes perfect sense for them to build (and inject malware into) the kind of lifestyle app that we already trust and use every day - the type of app with a consistent level of demand, like a cashback app. Most people are happy to try out several cashback apps to get the best deals, and businesses offer cashback as a way to drive sales and increase brand loyalty.

Another example is an app that promises to increase your Instagram followers quickly. The unsuspecting user would be unaware that the primary goal of the app is to harvest the credentials of people just like them.

Bad actors leverage various distribution channels to make sure that their malware reaches its intended target. Examples include (but are not limited to):

  • Uploading the app to public application stores such as the Google Play Store or Apple App Store
  • Crafting a seemingly benign phishing message, notification, or alert that contains a link to download the fraudulent app. This is sent to target victims via widely-used communication channels such as SMS, email, and messaging apps
  • Displaying a false advertisement (malvertising) via websites and social media apps

Malicious, pre-installed apps

Nowadays, it’s difficult to find a device without at least some pre-installed applications - especially on Android. Because of its open nature, device manufacturers are free to customize Android at will, and one common customization is to pre-install applications that users can disable but cannot remove.

Some device manufacturers even grant these pre-installed applications elevated privileges and special permissions. While this freedom lets manufacturers ship useful apps that improve the experience for their users, it also creates an attack vector for delivering malware to your device. This is often the case with low-cost Android devices, as reported by Malwarebytes.

There are several possible situations driving this trend. First, low-cost Android device manufacturers are under continuous pressure to generate revenue. Malware developers are aware of this and set up to exploit it. For example, they might pose as an advertising agency and build an app that displays ads to device users, then offer a device manufacturer an ad revenue sharing deal on the condition that the app is pre-installed on every device it makes. The manufacturer agrees and ships the app as part of the system firmware - without knowing that it embeds malicious payloads ready to launch on a single command from a remote C&C (command and control) server.

Another possibility is that low-cost Android device manufacturers are also under pressure to cut expenses as far as possible, so they outsource some (or all) of their manufacturing to contractors. Malware developers can exploit this by posing as a device foundry offering white-label Android devices to those manufacturers. With a tight budget and limited resources to produce a quality device, that can be a tough offer to pass up. Once the partnership is formed, the bogus foundry can freely ship whatever it wants in the device, including malware baked into the OS image that users are unable to remove.

Malicious software development kits (SDKs) and libraries

Another way your device can become infected with malware is through a supply chain attack carried out on apps that you use. A good example of this kind of attack was highlighted in Snyk’s findings on the Mintegral SDK.

The fact that app developers end up using libraries and dependencies compromised by malware is perhaps not that surprising given the pressure they’re often under to deliver. They’re so focused on getting the job done efficiently that heavy reliance on third-party dependencies and libraries is now commonplace in the industry.

But integrating a third-party library is clearly a double-edged sword. While it can dramatically speed up development, a malicious library runs inside your app’s process with your app’s permissions, so it can expose - or even attack - your app from the inside. For example, malware authors could quietly observe the app’s network traffic and harvest device data, or download and load additional malicious code from a remote C&C server at runtime (dropper behaviour).

Outdated, deprecated, or vulnerable OS

Google and Apple continuously implement security improvements in Android and iOS respectively, introducing new security features as well as patches for known vulnerabilities. But having device manufacturers incorporate those improvements into their OS update packages is not always enough, because at the end of the day it’s the device owners who decide whether or not to install the update.

Many device owners are unaware of why updating their OS matters for security and privacy. And, once more, this opens gaps that malware developers can exploit.

A well-known example of mobile malware exploiting an outdated OS is BlueFrag (CVE-2020-0022). By exploiting a vulnerability in the Bluetooth implementation of Android 8 and 9, an attacker within Bluetooth range of a device with Bluetooth enabled could execute arbitrary code with the privileges of the Bluetooth daemon, and so deliver malware, without any user interaction. The fix shipped in the February 2020 Android security bulletin, but it only reached devices whose manufacturers and owners actually applied the update.

While mobile malware that exploits OS vulnerabilities is not quite as common these days, the damage it can cause makes it a scary proposition.

Tips for malware attack prevention

It used to be thought that mobile malware developers and authors primarily target device owners. While they are still a significant target, the story isn’t so simple anymore. The rise of devices shipped with pre-installed malware and supply chain attacks injecting malware into popular libraries shows that bad actors are taking aim at manufacturers and app developers, too. 

These types of malware attacks are particularly anxiety-inducing because often you’d be completely unaware an attack had even taken place until it’s too late. So, malware attack prevention is now a shared responsibility between device owners, manufacturers, and app developers.

We’ve shared some specific advice below for end users of applications. But if you’re reading this article as a business that has lots of people using your app(s), remember that you also have a responsibility to educate. As we wrote in a separate article recently, having empathy for your end users and speaking clearly to them about the threats that exist is something of a secret ingredient for improved security.

1. Application developers and vendors

Implement a software composition analysis (SCA) practice

In a supply chain attack the malware reaches the device inside an application that users already trust, so app developers are the first line of defense in preventing this kind of threat.

One of the best ways to mitigate this risk is to incorporate a software composition analysis practice into the development process and to use dependency scanners. OWASP Dependency-Check is one such tool: development and security teams can use it to match the libraries in a build against publicly known vulnerabilities. Bear in mind that it catches components with published vulnerabilities, not a freshly malicious SDK that nobody has reported yet, so scanning needs to be paired with a review of what each dependency actually does. It’s vital to run dependency checking throughout the entire development cycle so that this kind of risk is detected and mitigated as soon as possible - that is, before it reaches your end users.

We recently launched a new feature into our own DexProtector to extract and scan mobile applications for known vulnerabilities and malicious dependencies. We’re thrilled that many of our clients have already benefited from this functionality and see it as being increasingly important in the coming months and years. 

In addition, you can host vetted copies (after a comprehensive analysis) of publicly available libraries and dependencies in your own repository, and configure your build system to pull only from that repository. Recording the hash of each vetted artifact and rejecting anything that resolves from elsewhere helps stop malicious or vulnerable dependencies finding their way into your application.
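The following is an added example of such a build gate, not Licel’s, OWASP’s or any project’s code. It assumes the security team keeps a manifest of reviewed artifacts (Maven-style group:artifact:version mapped to the SHA-256 of the reviewed .aar/.jar) and mirrors exactly those files on an internal repository host; the hostnames, coordinates and artifact contents are constructed stand-ins. The build is allowed only when every resolved artifact is in the manifest, came from the mirror, and hashes to the recorded digest, so a dependency swapped upstream (as with a compromised SDK) fails the build instead of reaching users.

```python
"""Build-time dependency gate for a mobile app (added example, hypothetical names)."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

INTERNAL_REPO_HOST = "artifacts.example.internal"  # assumed hostname of the vetted mirror


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the reviewed archives. In a real manifest the digests
# are copied from the review record; they are computed here only so the example
# runs offline.
_REVIEWED_CONTENT = {
    "com.example:analytics-sdk:2.1.0": b"analytics-sdk-2.1.0 reviewed archive",
    "com.example:crypto-utils:1.4.2": b"crypto-utils-1.4.2 reviewed archive",
    "com.example:image-loader:3.0.1": b"image-loader-3.0.1 reviewed archive",
}
VETTED_MANIFEST = {coord: sha256_hex(blob) for coord, blob in _REVIEWED_CONTENT.items()}


@dataclass(frozen=True)
class ResolvedArtifact:
    coordinate: str   # group:artifact:version
    source_url: str   # URL the build resolved the artifact from
    content: bytes    # bytes of the downloaded archive


def check_artifact(art: ResolvedArtifact) -> str:
    """Return one verdict: ok, unvetted, untrusted-source or digest-mismatch."""
    expected_digest = VETTED_MANIFEST.get(art.coordinate)
    if expected_digest is None:
        # Never reviewed: a new dependency, a version bump, or a look-alike name.
        return "unvetted"
    if urlparse(art.source_url).hostname != INTERNAL_REPO_HOST:
        # The build reached past the mirror to a public repository.
        return "untrusted-source"
    if not hmac.compare_digest(sha256_hex(art.content), expected_digest):
        # Same coordinate, different bytes: what was reviewed is not what shipped.
        return "digest-mismatch"
    return "ok"


def gate_build(artifacts) -> dict:
    """Group every resolved artifact by verdict."""
    report = {"ok": [], "unvetted": [], "untrusted-source": [], "digest-mismatch": []}
    for art in artifacts:
        report[check_artifact(art)].append(art.coordinate)
    return report


def build_allowed(report: dict) -> bool:
    """The build may proceed only when every artifact is vetted, mirrored and intact."""
    return all(not coords for verdict, coords in report.items() if verdict != "ok")


# Constructed resolution result for one build: one clean artifact, one swapped on
# the mirror, one pulled from a public repository, and one never reviewed.
SAMPLE_RESOLUTION = [
    ResolvedArtifact(
        "com.example:analytics-sdk:2.1.0",
        "https://artifacts.example.internal/maven/com/example/analytics-sdk/2.1.0/analytics-sdk-2.1.0.aar",
        b"analytics-sdk-2.1.0 reviewed archive",
    ),
    ResolvedArtifact(
        "com.example:crypto-utils:1.4.2",
        "https://artifacts.example.internal/maven/com/example/crypto-utils/1.4.2/crypto-utils-1.4.2.jar",
        b"crypto-utils-1.4.2 reviewed archive plus an extra class",
    ),
    ResolvedArtifact(
        "com.example:image-loader:3.0.1",
        "https://public-repo.example.org/maven2/com/example/image-loader/3.0.1/image-loader-3.0.1.aar",
        b"image-loader-3.0.1 reviewed archive",
    ),
    ResolvedArtifact(
        "com.example:ads-sdk:7.0.0",
        "https://artifacts.example.internal/maven/com/example/ads-sdk/7.0.0/ads-sdk-7.0.0.aar",
        b"ads-sdk-7.0.0 archive nobody has reviewed",
    ),
]

if __name__ == "__main__":
    report = gate_build(SAMPLE_RESOLUTION)
    for verdict, coords in report.items():
        print(f"{verdict:17} {coords}")
    print("build allowed:", build_allowed(report))
```

Run as a script, it lists one coordinate under each verdict and reports that the build is blocked. The design point is that the manifest is the only source of truth: a vetted coordinate still fails when the bytes differ, and an artifact that happens to match the reviewed bytes still fails when it was fetched from outside the mirror, because a build that can reach public repositories at all is a build whose dependency set you no longer control.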

Perform device attestation

Malware often tries to fool device users or exploit system vulnerabilities to disable critical device security features - especially those that might get in the way of its goals. Examples include Google Play Protect (Android’s built-in anti-malware feature), SELinux enforcement, and the bootloader/OEM lock.

It’s important that app developers carry out attestation to make sure the runtime environment is safe for the app to operate in, and that they verify the result on a server they control rather than trusting a check that runs on the same device the malware may already own. They can also alert users when potential risks or anomalies (including malware) are detected, so users can take further action.
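As an added example of the server-side half of this (not Licel’s code), the policy below evaluates a device-attestation verdict. It assumes the app requests attestation through the Google Play Integrity API and that the server has already had the token decrypted and signature-checked (Google’s decodeIntegrityToken call, not shown). The field names follow the Play Integrity verdict payload as documented when this was written and should be checked against the current documentation; the package name, signing-certificate digest, nonce and sample verdicts are constructed. The same verdict also tells the server whether the app copy was installed from the store, which ties in with the sideloading advice for end users further down.

```python
"""Server-side policy over a decoded device-attestation verdict (added example)."""
import hmac

EXPECTED_PACKAGE = "com.example.bank"                               # assumed package name
EXPECTED_CERT_DIGEST = "Xv2Hl8wJ3fAq0pLm9sT1bC4dE6gH7iJ8kN0rS5uV9yZ"   # assumed release-signing digest
MAX_VERDICT_AGE_MS = 5 * 60 * 1000                                  # accept verdicts at most 5 minutes old
ADVISORY = {"play-protect:NO_DATA", "play-protect:UNEVALUATED"}     # warn only, do not hard-fail


def evaluate_verdict(payload: dict, expected_nonce: str, now_ms: int) -> list:
    """Return policy violations; an empty list means the environment is acceptable."""
    findings = []
    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        findings.append("package-name-mismatch")
    # Nonce binding: the verdict must answer this session's challenge, otherwise a
    # verdict captured on a clean device could be replayed from an infected one.
    if not hmac.compare_digest(str(req.get("nonce", "")).encode(), expected_nonce.encode()):
        findings.append("nonce-mismatch")
    try:
        issued_ms = int(req.get("timestampMillis", 0))
    except (TypeError, ValueError):
        issued_ms = 0
    if not 0 <= now_ms - issued_ms <= MAX_VERDICT_AGE_MS:
        findings.append("stale-or-future-verdict")

    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        findings.append("app-not-recognized")        # repackaged or modified build
    if EXPECTED_CERT_DIGEST not in app.get("certificateSha256Digest", []):
        findings.append("signing-cert-mismatch")     # re-signed by someone else

    device = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        findings.append("device-integrity-failed")   # e.g. unlocked bootloader, rooted, emulator

    if payload.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        findings.append("not-installed-from-play")   # sideloaded copy

    play_protect = payload.get("environmentDetails", {}).get("playProtectVerdict", "UNEVALUATED")
    if play_protect != "NO_ISSUES":
        findings.append(f"play-protect:{play_protect}")  # Play Protect off, or it found something
    return findings


def decide(findings: list) -> str:
    """Map findings to an action: allow, step-up (extra authentication), or deny."""
    if not findings:
        return "allow"
    if all(f in ADVISORY for f in findings):
        return "step-up"
    return "deny"


# Constructed verdicts. The nonce is whatever the server issued for this session.
SESSION_NONCE = "c2Vzc2lvbi1ub25jZS0xMjM0NQ"
ISSUED_MS = 1700000000000

CLEAN_VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.bank", "nonce": SESSION_NONCE,
                       "timestampMillis": str(ISSUED_MS)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank",
                     "certificateSha256Digest": [EXPECTED_CERT_DIGEST], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
    "environmentDetails": {"playProtectVerdict": "NO_ISSUES"},
}

# A repackaged, sideloaded copy on a device that fails the integrity check,
# with Play Protect reporting a risk.
RISKY_VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.bank", "nonce": SESSION_NONCE,
                       "timestampMillis": str(ISSUED_MS)},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION", "packageName": "com.example.bank",
                     "certificateSha256Digest": ["attacker-resigned-digest"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": []},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
    "environmentDetails": {"playProtectVerdict": "POSSIBLE_RISK"},
}

if __name__ == "__main__":
    now = ISSUED_MS + 30_000
    for name, verdict in (("clean", CLEAN_VERDICT), ("risky", RISKY_VERDICT)):
        findings = evaluate_verdict(verdict, SESSION_NONCE, now)
        print(name, decide(findings), findings)
```

The order of checks matters less than the fact that nonce and timestamp are checked at all: without them a verdict from a clean device is a reusable token, and the remaining checks only tell you about the device the verdict was obtained on, not the one talking to your API right now.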

2. Device manufacturers

Incorporate anti-malware features within the OS itself

Not all end users will heed advice about installing anti-malware solutions on their devices. And third-party anti-malware tools might not have full privilege to protect those users anyway. That’s why incorporating a malware scanning feature within the OS itself - something only you as device manufacturers can do - would significantly help prevent malware from being installed and harming users.

3. End users of mobile devices

Only download apps from trusted sources

Always download applications from trusted and secure sources, such as recognized application stores like the Google Play Store - unless the app developer or owner officially directs you to another secure channel.

Keep your OS up-to-date

Keeping your OS up to date ensures you benefit from the latest security improvements and features that make it harder for malware to operate. For example, Android 13 prevents sideloaded apps from being granted Accessibility Service access unless the user deliberately unlocks that restricted setting for the app. Because banking trojans and ATS malware routinely abuse accessibility permissions to read the screen and tap buttons on the user’s behalf, this makes life much more difficult for malware authors. What’s more, device manufacturers often roll out their own security patches and fixes which you should also take advantage of.

Use trusted anti-malware solutions

Sometimes, however hard you try, it is difficult to avoid malware being installed on your device altogether - especially malware that takes the form of a seemingly benign app.

But you can rely on trusted anti-malware tools to scan for malware on your device and remove it on your behalf. Where they can’t remove it themselves - for example, a pre-installed app that their limited privileges don’t allow them to uninstall - they can at least advise you on how to deal with it.

Together we can stop mobile malware extending its reach

The mobile malware landscape is rapidly and continuously evolving. Bad actors work around the clock to deliver new and more sophisticated varieties. But together - those of us who work in security, alongside device manufacturers, developers and vendors, and end users of apps - can make malware a much less scary proposition. 

Here at Licel we see step one of this journey as increasing awareness levels about mobile malware infection vectors and sharing tips for closing the gaps when it comes to malware attack prevention.

We hope that this article has gone some way to achieving these goals for you. But we’re not done just yet. We’ll follow up this piece with another one where we’ll take more of a technical look at how mobile malware exploits OS & application vulnerabilities. So watch this space.