Mobile Device Malware Attack Vectors

Smartphones represent a massive, almost impossible to remove, security flaw in any cyber defence. Essentially everyone has one, and they take it with them everywhere. Some people have more than one phone, with specialized devices for their work or data storage. These devices travel thousands of miles and find themselves in different people’s hands all the time. Smartphones have become so integral to the modern business landscape that it’s hard to imagine a world without them, and the convenience they bring it seen as outweighing the risks. There has been a rise in malware attacks against cell phones and other mobile devices (such as cell-enabled tables) in recent years as their vulnerable nature is exploited.

Malware attacks against mobile devices fall into four broad categories. The first would be pre-installed malware that is found on cheap alternative phones that are not normally carried by a major service provider. These phones come with pre-installed bloatware and malware that renders any attempts at privacy meaningless. In most cases it’s impossible to remove the malware, so short of buying a new phone there’s no way to solve the problem.

The second kind of mobile attack is fake apps that have made their way onto the legitimate app store for the OS. These apps are usually found and removed quickly, but sometimes they persist and allow the creators access to private files. Be sure to check the developer of any app that you download, and if the app is very new it should be avoided on a secure device. The Third method is related to the classic banner ad attack traditionally seen on full-sized computers when a user goes to a website a large ad is put on their screen. Touching the ad starts the download for the malware, and there is no way to close the pop-up. The reaction to click the pop-up to close it does all the work without any complicated delivery system.

Finally, and certainly the most exciting is when malware is installed directly on to a device through physical means. This doesn’t necessarily require a flash drive or memory card to be installed, even charging a device can lead to it being compromised. The virus that infected the US wireless network is believed to have come from an infected USB port in Russia that infected a phone. This infected device brought the virus back, with the owner none the wiser because they’d only charged their phone. Remember, a USB port’s primary purpose is transferring data.

Max is a Data Privacy Coordinator at a major global law firm and a science fiction author residing in the Philadelphia area. He has been writing for since early 2017.