Unstoppable Mobile Malware

Excerpt from Sophos 2022 Threat Report

Windows computers are not the only targets for cybercriminals. Malware also targets the Android and,
to a lesser extent, the iOS platform for mobile devices. As our portable and handheld computing devices
have evolved into the dominant tools that we use for everything from online shopping to multifactor
authentication to messaging our families or friends, protecting those devices from a wide range of difficult-to-eradicate threats becomes an essential task.

Catching Flubot: it’s pretty serious

In 2021, a mobile malware family known as Flubot was one of the predominant banking trojans affecting
the Android platform. The malware presents users with fake bank and cryptocurrency app login screens to
steal the user’s passwords for those services. In addition to robbing bank details, it also steals data like the
contact list, which it then uses to spam the victim’s friends and associates with messages that can lead to
additional Flubot infections.

The malware spreads primarily through SMS text messages. It mimics shipment-tracking notifications from
major international parcel carriers like DHL, FedEx and UPS. The victim receives SMS alerts with a URL link,
and occasionally an SMS that pretends to be a voicemail notification – also with a web link.

I worked at an MSP where one of our employees received this text. This was when it was making it over from Europe and started targeting Americans. Fortunately, the user put in a ticket and I advised the user to not click the link and delete the message, averting the malware!

The Flubot malware arrives in the form of a text message that appears to originate from a large, international delivery firm like DHL or
UPS, or sometimes from a service provider like a phone company. The link in the message takes visitors to a page where they download the
malware and infect themselves.

The link usually leads to a compromised website, which is changed frequently to avoid being shut down.
Victims who click the link end up on a webpage designed to mimic the legitimate parcel service named in
the text message, and that page carries a link to download a copy of Flubot.
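The SMS lure described above is what a help desk sees first, as in the ticket mentioned later on this page. The following triage script is an added example, not code from Sophos or from the report; it scores incoming text messages on the indicators the report names (a parcel-carrier brand, a delivery or voicemail lure, and a link whose domain is not the carrier's own) so that suspicious messages can be flagged before anyone taps the link. The sample messages, the ".example" hosts and the KNOWN_GOOD allow-list are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for the example; they are not real Flubot texts.
# The brands are the ones the report says the lure imitates. ".example" hosts are
# placeholders.
SAMPLE_SMS = [
    ("+15550001111", "DHL: your parcel is waiting. Confirm delivery at http://dhl-track.example/u/9f2a"),
    ("+15550002222", "You have a new voicemail. Listen here: https://vm-play.example/msg"),
    ("+15550003333", "Reminder: dentist appointment Tuesday 3pm. Reply C to confirm."),
    ("FedEx", "Your FedEx package 7731 is on the way. Track it at https://www.fedex.com/fedextrack/"),
]

BRAND_RE = re.compile(r"\b(dhl|fedex|ups)\b", re.I)
LURE_WORDS = ("parcel", "package", "delivery", "voicemail", "track")
URL_RE = re.compile(r"https?://\S+", re.I)
# Hypothetical allow-list of the carriers' own registrable domains (an assumption
# of this example; a real deployment would maintain its own list).
KNOWN_GOOD = {"dhl.com", "fedex.com", "ups.com"}


def registrable(host):
    """Naive registrable-domain extraction (last two labels); ignores public
    suffixes such as co.uk, which is a simplification for the example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_sms(text):
    """Return (score, reasons). A higher score means more smishing indicators."""
    low = text.lower()
    score, reasons = 0, []
    m = BRAND_RE.search(low)
    brand = m.group(1) if m else None
    if brand:
        score += 1
        reasons.append(f"brand:{brand}")
    if any(w in low for w in LURE_WORDS):
        score += 1
        reasons.append("lure-word")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        dom = registrable(host)
        if dom in KNOWN_GOOD:
            reasons.append(f"known-good:{dom}")
            continue
        # A link to a domain we do not recognise is the strongest single signal.
        score += 2
        reasons.append(f"unknown-link:{dom}")
        if brand and brand in host:
            # Brand name inside a look-alike hostname, e.g. dhl-track.example
            score += 2
            reasons.append("brand-in-lookalike-host")
    return score, reasons


def triage(messages, threshold=3):
    """Return [(sender, score, reasons)] for messages at or above the threshold."""
    flagged = []
    for sender, body in messages:
        score, reasons = score_sms(body)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged


if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE_SMS):
        print(f"{sender}: score={score} {', '.join(reasons)}")
```

With the sample input, the DHL look-alike and the fake voicemail message are flagged, while the genuine FedEx notification (brand and lure word present, but a link to the carrier's own domain) stays below the threshold. The allow-list check is what keeps legitimate carrier messages from being flagged, so it matters more than any single keyword.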

After clicking the link, users are asked to grant the app far more permissions than it needs.

Like many other Android trojans, Flubot abuses the Accessibility Service to give itself additional malicious
capabilities. The malware’s command-and-control server can retrieve the victim’s contact details, which the
operators use to seed new infections so effectively that Flubot spreads at a higher rate than nearly every
other banking trojan. For evasion purposes, Flubot uses algorithmically generated domain names (a domain
generation algorithm, or DGA): it can generate thousands of candidate domains and connects only to those
that are online.

Flubot’s effectiveness at spreading from user to user by means of SMS messages has been a huge benefit
for the malware. SophosLabs expects Flubot to continue to dominate the list of mobile malware we detect
and block on Android devices throughout 2022 – unless another malware family decides to implement a
similar, rapid method of distribution.

Fake iPhone finance apps steal millions from vulnerable users

It’s no wonder that iPhone users think iOS isn’t susceptible to malware: Apple has for years promoted its
desktop and mobile platforms as the most secure available. But evidence from mobile malware discovered
on Apple’s App Store serves as a stark counterexample.

In the past year, SophosLabs analysts have discovered hundreds of fraudulent applications hosted in Apple’s
walled garden that can be used to steal banking and other sensitive credentials from iPhone users. In 2021,
we discovered a kind of romance scam that targeted vulnerable users and encouraged them to download
malicious iOS apps from a fake “App Store.”

In this unusually personal attack, the criminals target potential victims on dating apps and websites,
engaging in conversations and befriending the users and gaining their trust. The victims are groomed and
eventually encouraged to download iPhone applications that make outlandish promises about investments
that offer huge returns. The victims sign up and are encouraged to invest money, but when they become
suspicious or attempt to close their accounts, they lose access to the “investment” service, and any money
they put into it.

To circumvent the protective bubble of the App Store, where such apps would never pass review and would
be blocked, the criminals use one of two methods to distribute the apps to victims: Apple’s enterprise
provisioning, or an Apple ad hoc distribution method that SophosLabs calls Super Signature. With Super
Signature, the victim’s phone downloads and installs a special profile, which (once installed) sends the
device information to a server operated by the criminals. Using this information, they send fake, digitally
signed iOS applications to the device, which are installed automatically.
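Both distribution routes leave a provisioning profile on the device, and an MDM or inventory tool can read it. The script below is an added example, not Sophos code and not an analysis of the actual Super Signature profiles; it parses constructed provisioning-profile payloads with the standard plistlib module and sorts them into enterprise, ad hoc, development or App Store builds, then flags sideloaded apps whose team identifier is not one the organisation owns. The classification rule (ProvisionsAllDevices for enterprise, a ProvisionedDevices list for ad hoc or development, get-task-allow to tell those two apart) is stated as an assumption of the example; the team identifiers, UDIDs and dates are placeholders, and the CMS signature that wraps a real embedded.mobileprovision is assumed to have been stripped and verified beforehand.

```python
import datetime
import plistlib

# Constructed provisioning-profile payloads for the example; they are not real
# profiles. A real embedded.mobileprovision is a CMS-signed blob wrapping this
# plist; extracting the plist from the CMS wrapper (and verifying its signature)
# is assumed to have been done already, so the functions below take plist bytes.
# Team identifiers and UDIDs are placeholders.
NOW = datetime.datetime(2022, 1, 15)  # fixed "current time" so the example is reproducible


def make_profile(**fields):
    """Build a minimal profile plist (bytes) with the keys the classifier reads."""
    base = {
        "Name": "Example Profile",
        "AppIDName": "Example App",
        "TeamName": "Example Team",
        "CreationDate": datetime.datetime(2021, 12, 1),
        "ExpirationDate": datetime.datetime(2022, 12, 1),
        "Entitlements": {"get-task-allow": False},
    }
    base.update(fields)
    return plistlib.dumps(base)


# Ad hoc profile: the kind an ad hoc distribution flow produces, bound to a short
# list of device UDIDs collected from the phones it was pushed to.
ADHOC_PROFILE = make_profile(
    Name="Wealth Tracker Ad Hoc",
    TeamIdentifier=["ZZZZZ00001"],
    ProvisionedDevices=["00008030-PLACEHOLDER-0001", "00008030-PLACEHOLDER-0002"],
)

# Enterprise (in-house) profile from the organisation's own team: installs on any device.
ENTERPRISE_PROFILE = make_profile(
    Name="Corp Field App",
    TeamIdentifier=["ORGTEAM001"],
    ProvisionsAllDevices=True,
)

# Enterprise profile from an unknown team that has already expired.
STALE_FOREIGN_PROFILE = make_profile(
    Name="Promo Installer",
    TeamIdentifier=["ZZZZZ00002"],
    ProvisionsAllDevices=True,
    ExpirationDate=datetime.datetime(2021, 11, 1),
)


def classify_profile(profile_bytes, trusted_teams=frozenset(), now=NOW):
    """Classify a provisioning profile and say whether it deserves review.

    Rule (an assumption of this example): ProvisionsAllDevices => enterprise;
    a ProvisionedDevices list => development if get-task-allow is set, otherwise
    ad hoc; neither => App Store build.
    """
    p = plistlib.loads(profile_bytes)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif "ProvisionedDevices" in p:
        kind = "development" if p.get("Entitlements", {}).get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    teams = set(p.get("TeamIdentifier", []))
    expiry = p.get("ExpirationDate")
    expired = expiry is not None and expiry < now
    sideloaded = kind in ("enterprise", "ad-hoc")
    return {
        "name": p.get("Name"),
        "kind": kind,
        "teams": sorted(teams),
        "devices": len(p.get("ProvisionedDevices", [])),
        "expired": expired,
        # A sideloaded app from a team the organisation does not own gets a look.
        "review": sideloaded and not (teams & trusted_teams),
    }


if __name__ == "__main__":
    for blob in (ADHOC_PROFILE, ENTERPRISE_PROFILE, STALE_FOREIGN_PROFILE):
        print(classify_profile(blob, trusted_teams={"ORGTEAM001"}))
```

The ad hoc profile with two enrolled UDIDs and an unknown team is the shape a device would show after the profile-then-app sequence described above, and it is the one the script marks for review; the organisation's own enterprise profile passes, and the expired foreign enterprise profile is reported as both expired and in need of review, since an expired profile on a device still tells you the app was sideloaded.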

Distribution of these apps is done using any of several third-party services, some shady and some
legitimate. If one service gets blocked, the attackers move on to another. The web links that victims are
redirected to mimic the branding of the legitimate websites. They provide links to download either Android
or iOS apps. This active, ongoing global fraud campaign has led to individuals losing thousands of dollars in
some cases.

SophosLabs expects many more fraudulent apps to exploit such loopholes in the iOS platform in the coming
year, as the technique becomes better known and understood by criminal groups.


Contact us for pricing for Sophos mobile device protection.