Part 2/2: What Can Mobile Malware Do?
First published: 22/11/2019
updated: 22/10/2022
Erik Vasaasen
In a previous post, we discussed what malware can do once it is active on your phone. But how do end-users get malware in the first place? In this post we explain the sources of malware, and how to avoid it.
How to get Malware
There are a few broad categories for how users get malware:
- The most common source is users being tricked into installing it themselves. Often this is a phishing email that seems to come from a bank. It may look trustworthy, showing the user’s full name and card number, and prompting a “banking update”.
- There are annoying pop-ups that unexpectedly and quickly appear in the middle of a screen during an online game. Often the user clicks on the “install now” button accidentally and, lo and behold, the malware is in.
- In what is called a drive-by attack, the download and install happen without the user intending it, by exploiting a weakness in a web browser or a mail program. A user doesn’t even have to visit a questionable web site! There have been many cases where the malware has spread through an ad campaign on an otherwise reputable site.
- A scary vector is what is called a “remote exploit”. Here, users don’t need to do anything for their phone to get infected. Examples are attacks against phone provisioning, vulnerable SIM cards, and even OS functions for unpacking MMS messages. Any of these can happen at any time without the user’s involvement.
- Lastly, malware can already be installed on a device when the user buys it. This is particularly the case with very cheap phones from small manufacturers in the Far East. It might not come as a big surprise, but the quality control is often non-existent for those $35 no-name phones from Aliexpress.
If your phone happens to be “rooted” or “jailbroken”, it is not insecure by default. The same process that lets you root your phone is also the one that allows it to receive updates faster than the manufacturer intends.
However, at the same time, rooting also provides a mechanism for malware to gain elevated rights without having to exploit operating system vulnerabilities. As you probably could have guessed, this makes it slightly harder to detect any malware.
Avoiding Malware
So, what can you as an end-user do to avoid malware? Here is a list of quick tips:
- Be wary of email scams and pop-ups which tell you to “update your software now”. There have been many cases of fake apps that mimic banking apps, tricking the user into submitting a username and password.
- Avoid running old versions of Android and make sure to choose a phone from a producer that provides OS updates. iOS and the larger Android manufacturers usually provide more frequent updates over a longer time period.
- Don’t get fooled into installing software from outside the Android App store. It is very unlikely that your bank will tell you to install an update of their app from a non-verified location.
- For Android users, you might be vulnerable if you’re running the web browser that came with the phone when you bought it. As such, be sure that you install Chrome or Firefox instead. For iOS users, Apple does not allow 3rd party web-browsers to implement their own browsing engine. Note that Firefox can install an ad-blocker, adding extra protection against drive-by attacks.
When you’re installing new apps, be wary of those that require permissions such as “receive SMS”, or those that install new accessibility services. These can be used to receive OTP PINs sent by SMS and to remotely control the user interface of other apps.
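As an added example, not code from the original post or from Okay: a small Python triage script that looks for exactly the two grants described above, SMS access and a declared accessibility service, in an app's manifest. It assumes the manifest has already been decoded to plain XML (real APKs ship a binary manifest, which tools such as apktool decode); the two manifests embedded below are constructed for illustration, not taken from any real app.

```python
"""Triage a decoded AndroidManifest.xml for the grants the post warns about:
SMS access (OTP interception) and accessibility services (UI remote control).

Assumption (not from the original post): the manifest is plain XML, i.e. it
has already been decoded from the binary form found inside an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Either permission lets an app read incoming SMS, and with them OTP codes.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# An accessibility service is a <service> guarded by this permission and/or
# registering this intent action; such a service can observe and drive the UI.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: a fake "bank update" app requesting both grants.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Bank Update">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def requested_permissions(root):
    """Return the set of permission names the app asks for."""
    return {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}


def accessibility_services(root):
    """Return the names of services declared as accessibility services."""
    found = []
    for svc in root.iter("service"):
        binds = svc.get(A_PERMISSION) == ACCESSIBILITY_BIND
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(A_NAME))
    return found


def triage_manifest(xml_text):
    """Return the package name and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    sms = sorted(requested_permissions(root) & SMS_PERMISSIONS)
    services = accessibility_services(root)
    findings = []
    if sms:
        findings.append(f"SMS access requested: {', '.join(sms)} (can read OTP codes)")
    for name in services:
        findings.append(f"accessibility service declared: {name} (can drive other apps' UI)")
    if sms and services:
        # The combination is what lets malware both capture the OTP and act on it.
        findings.append("SMS access combined with an accessibility service: review before install")
    return {"package": root.get("package"), "findings": findings}


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], "->", result["findings"] or "no findings")
```

The script does not decide that an app is malicious; a genuine SMS client legitimately needs RECEIVE_SMS, and a screen reader legitimately declares an accessibility service. It only surfaces the grants the post singles out so that a reviewer can ask whether the app in front of them has any business requesting them.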
Software Solutions and Okay
There are some software solutions, such as antivirus packages, that claim to protect you against malware. Yet it is questionable if they can actually offer much protection.
With a Windows or Mac computer, you can choose to install Administrator or root-level software which analyses files and the running processes. But as you may have guessed, this is not possible on Android and iOS.
On a phone, software can, at most, check whether programs with questionable names are installed, or perhaps monitor your non-encrypted web traffic. This provides little protection against malware that ignores the official developer guidelines and gains root access on your phone.
With Okay, one of our fundamental assumptions is that every device already has some sort of malware, is vulnerable to malware, or will be vulnerable to malware very soon. This is perhaps a pessimistic view, but it is necessary when the stakes are so high, namely sensitive user information.
Across the world, the daily value of transactions verified on phones is certainly hundreds of millions of euros, if not more. For criminals, this is a very tempting target, which is why we aim to make security around authentication and transactions as strong as possible.