
Malicious mobile apps: Do you know what you install on your smartphone?

Malicious mobile applications can have serious consequences for businesses and citizens

Malicious mobile applications allow smartphones to be infected with malware to commit bank fraud or spy on people and companies

Photos, videos, documents, messages, applications… We are running out of space in our mobile memory without realizing it. To help us free up space, we have applications explicitly designed for this purpose in the Play Store and App Store. But what if they are malicious mobile apps?

Last year, Google blocked over 2 million malicious mobile apps and 330,000 accounts attempting to upload such apps to its official store.

Over the past few years, thousands of Android smartphones have been infected with the Anatsa malware, a banking Trojan hidden in malicious but, at first glance, seemingly harmless mobile apps. Criminals use this malware to commit financial fraud and steal money from the accounts of victims who have installed mobile banking applications.

However, malicious mobile apps are not only used to infect smartphones with banking Trojans. They are also the gateway to other programs, such as spyware used to obtain personal data, access messages, or even listen to phone calls.

In this article, we will analyze the threat posed by malicious mobile applications to the daily lives of citizens and companies and give some tips on preventing security incidents with severe consequences.

1. Why do cybercriminals use malicious mobile applications?

In 2024, smartphones are critical devices in our daily lives. We use them to access our bank accounts, check our personal and corporate email, carry out professional tasks, communicate with family, friends, clients and colleagues, and perform many other actions.

As such essential devices, smartphones and the applications installed on them have become priority targets for criminals.

The main objectives of malicious actors designing malicious mobile apps infected with malware are:

  • Obtaining the access credentials for online bank accounts, or accessing the apps of financial institutions without the victims realizing it, in order to steal money from them. Banking Trojans such as Vultur, Brokewell or Medusa have been used in recent months.
  • Spying on citizens, managers, and companies to sell, exfiltrate or use confidential information, private data and company secrets in future attacks. Malicious actors have used spyware such as VajraSpy or SpyLoan for these purposes.
  • Taking control of the cell phone and hijacking personal or corporate data by installing ransomware such as Rafel RAT. From there, victims are extorted to pay a ransom in exchange for decrypting the data.
  • Wiping information from the device to delete high-value data and damage the victim, especially if it is a company.
  • Attacking legitimate applications by overwriting files in their root directories to execute unauthorized code, or stealing tokens to access user accounts and seize sensitive data, as in the case of Dirty Stream.

2. The operations of malicious actors: making apps visible, obtaining permissions, executing malware

How do cybercriminals achieve their goals? By using malicious mobile applications known as droppers: once installed, they download malware, such as spyware or ransomware, onto the device, depending on what the malicious actors are trying to achieve.

2.1. Installation of malicious mobile applications

Fake apps have to be credible. Malicious actors use applications such as memory space cleaners, PDF or QR code readers, antivirus applications or instant messaging apps. To these malicious mobile applications we must add apps that imitate tools known to all citizens, such as Instagram or WhatsApp, and applications tied to the social context of the moment, for example streaming applications during sporting events like the European Championship or the Olympic Games.

Beyond designing the theoretical features and functionalities of malicious mobile applications, hostile actors must get these apps installed by victims on their cell phones. How do they achieve this?

  1. Placing malicious mobile apps in the top search positions in the official Android or iOS stores. To do this, they can even create fake reviews about the app’s usefulness.
  2. Using social engineering techniques such as phishing, smishing, quishing or SEO poisoning to redirect victims to the app’s profile in the corresponding store.
  3. Distributing malicious mobile apps through channels other than the official stores, which evades the controls of Android and iOS, whose stores are continuously crawled in search of fake or dangerous apps.

2.2. Obtaining permissions

Malicious mobile apps serve a dual purpose: they carry malware as a payload and obtain the permissions necessary for the attack to succeed. What permissions are we talking about? Permissions for accessibility, reading SMS messages, geolocation, camera, microphone, and notifications.

When we install an application, it asks us to grant it a series of permissions in order to function. Users often do not examine the requested permissions carefully and grant them without considering whether they are reasonable or excessive.

Thanks to these permissions, criminals can perform key malicious actions to circumvent the security mechanisms of legitimate devices and applications, mask their presence, go unnoticed and accomplish their goals.

In many campaigns of this type, the malicious code is not delivered to the malicious mobile application until several days after it has been installed on the device, as in the case of Anatsa.

2.3. Malware execution

As we saw when we broke down the targets of malicious actors using malicious mobile apps, criminals use a wide range of malware types depending on what they are looking to get from their victims’ smartphones:

  • Banking Trojans.
  • Spyware.
  • Ransomware.
  • Adware.
  • Wiper.

As in many other areas of cybersecurity, malware designed to infect cell phones is becoming increasingly sophisticated. It requires fewer permissions to succeed and is more difficult to detect.

Criminals seek to infect mobiles with malware to spy or commit fraud

3. A threat to citizens, but also businesses

Smartphones are essential in our private lives, but they also play a critical role in the daily lives of millions of professionals and companies. It is common for managers and workers to have applications for corporate use installed on their cell phones and to receive calls or use instant messaging applications to send messages for work purposes.

Companies must, therefore, be aware of the risks associated with malicious mobile applications. This is especially true when you consider that some campaigns target particular companies and professionals, using social engineering techniques to get them to download fake apps.

The consequences of spyware or ransomware infecting a corporate mobile or personal smartphone with access to business applications can be devastating: financial fraud, theft of business information, theft of intellectual property, data hijacking or deletion, and more.

4. Tips to avoid being attacked by malicious mobile applications

To deal with the risks posed by malicious mobile applications for citizens and companies, it is advisable to follow a series of basic tips that limit the possibility of installing dangerous apps or granting them the permissions that criminals need to complete their mission:

  • Keep the mobile operating system up to date. In many cases, cybercriminals take advantage of outdated mobile operating systems to overcome security mechanisms that are less advanced and robust than those in the latest version of the operating system.
  • Download apps only from the official Android (Play Store) and iPhone (App Store) mobile stores. Both Google and Apple constantly work to detect and remove malicious mobile apps from their stores and ensure their security through tools such as Google Play Protect. On the other hand, downloading apps from other sources, such as third-party sites, exponentially increases the possibility of introducing malicious mobile applications disguised as genuine and useful solutions into our smartphones.
  • Be wary of unknown apps and ensure they are trustworthy before installing them. It is always advisable to download only known apps or apps developed by trusted companies.
  • Review and limit application permissions. No application should have more permissions than necessary to function correctly.
  • Check the data and battery consumption of background applications. This information can help us detect activities that are taking place on our mobiles without our realizing it.
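The permissions described in section 2.2 (SMS, location, camera, microphone, overlays, accessibility) are exactly what the "review and limit application permissions" tip asks us to check. The following script is an added example, not code from the original article: it audits one package from the text of `adb shell dumpsys package <pkg>` and the value of `adb shell settings get secure enabled_accessibility_services`, flagging grants that are hard to justify for, say, a memory cleaner. The package name, sample dumpsys fragment and accessibility string are constructed for illustration.

```python
# Assumes dumpsys text from `adb shell dumpsys package <pkg>` and the accessibility
# string from `adb shell settings get secure enabled_accessibility_services`.
# Sample inputs below are constructed, not captured from a real device.
import re

# Permissions the article singles out as what droppers try to obtain.
RISKY = {
    "android.permission.READ_SMS": "read SMS (including one-time bank codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise geolocation",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other packages (dropper)",
}

def granted_permissions(dumpsys_text):
    """Return the set of permissions marked granted=true in dumpsys output."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_text))

def enabled_accessibility_packages(settings_value):
    """Parse enabled_accessibility_services ('pkg/cls:pkg/cls') into package names."""
    return {c.split("/")[0] for c in settings_value.strip().split(":") if c}

def audit(package, dumpsys_text, accessibility_value):
    """Return human-readable findings for one package (empty list means nothing risky)."""
    findings = [RISKY[p] for p in sorted(granted_permissions(dumpsys_text)) if p in RISKY]
    if package in enabled_accessibility_packages(accessibility_value):
        findings.append("accessibility service enabled (can read screen and inject input)")
    return findings

SAMPLE_DUMPSYS = """\
  Package [com.example.spacecleaner] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""
SAMPLE_A11Y = "com.example.spacecleaner/.HelperService:com.android.talkback/.TalkBackService"

if __name__ == "__main__":
    for finding in audit("com.example.spacecleaner", SAMPLE_DUMPSYS, SAMPLE_A11Y):
        print("finding:", finding)
```

Run it once per installed package (`adb shell pm list packages`) and treat any finding that does not match the app's stated purpose as a reason to revoke the permission or uninstall.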

4.1. Specific tips for companies

  • Install antivirus software on corporate mobile devices to analyze the applications running on them, detect threats, and respond immediately and effectively.
  • Develop corporate security policies governing which applications may be installed on corporate mobile devices.
  • Train and raise awareness among all company professionals. Organizations’ staff, particularly their managers, must be aware of how dangerous malicious mobile applications can be. Conducting social engineering tests focusing on malicious mobile applications can help.
  • Engage advanced cybersecurity services to strengthen the company’s security posture and protect critical assets such as corporate mobiles. For example, undergo a Red Team exercise in which the scenario is focused on malware execution on mobile devices.

Google MASA is an initiative to prevent malicious mobile applications from appearing in the Play Store

5. Google MASA: An initiative to protect the mobile app ecosystem

To combat the presence of malicious mobile applications in the Play Store, Google has not only developed Google Play Protect but has also launched Google MASA. This initiative seeks to assess the security of applications and provide guarantees to users.

To this end, Google MASA provides an app evaluation scheme based on MASVS, the OWASP Foundation's Mobile Application Security Verification Standard.

Mobile app developers can thus voluntarily submit their apps for evaluation by experts in mobile app security audits.

If an app passes the assessment and any vulnerabilities or weaknesses found are fixed, Google issues the MASA certificate, and the app displays a badge in the Play Store so that all users know it has been evaluated against the global reference standard.

5.1. What are the benefits of Google MASA?

  • Citizens, professionals and businesses downloading mobile applications can be assured in advance that they are installing secure apps and not malicious mobile applications.
  • For companies developing legitimate mobile applications, Google MASA helps them enforce their security policies from design throughout the app lifecycle. In addition, they benefit from the trust of users who prefer to download certified applications over those that are not certified.
  • For Google, this is a way to strengthen the security of the Android app ecosystem and combat the proliferation of malicious or insecure mobile applications that trigger security incidents and undermine the company’s reputation.

In short, it is necessary to exercise caution when downloading mobile applications and permitting them to perform actions on devices. Otherwise, citizens and companies may suffer from financial fraud and theft of critical information.