App threats

Mobile Security Index
2020 Report

  • Well-known problems like malware and ransomware remain major threats, 
    but emerging ones like cryptojacking can also put your organization at risk. Even apps downloaded from official stores can be compromised or introduce vulnerabilities due to poor coding practices.


    This remains one of the favorite tools of attackers. It constantly tops our list of the threats that organizations are the most worried about. Why? Because it works.

    This year, 86% of organizations said they were concerned about malware, and 20% of those don’t feel prepared for it.

    According to MobileIron, 4.5% of Android devices had known malware.19  That might not sound like much, but it means that if your organization has just 15 devices, then there’s a 50% chance that at least one of them is infected. And if you have 100 devices, that chance goes up to 99%. And one device can be enough to compromise your entire organization.

    As with other threats, criminals are not standing still. They’re constantly finding new ways to increase the destructiveness of malware and break through organizations’ defenses.

    Malware within apps

    One of the most effective ways to trick users into installing malware is to disguise it as a useful or entertaining app. Of organizations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident.

    Of course, sideloading apps from non-official stores or third- party websites increases the risk. Many organizations aren’t regulating where apps are downloaded from. Only 43% said that they limit their employees to using apps from an official app store or one owned by the company.

    And hackers are getting smarter, using more sophisticated techniques to make malicious apps look legitimate. There have been numerous instances of malware-infected apps escaping detection and being spread through official stores like Google Play. Official app stores have thousands of apps to test and approve, and some malicious ones inevitably slip through the cracks. And because testing tends to be more rigorous on the first version, some attackers sneak malware into approved apps via updates.


    "Elusive" malware

    How effective a piece of malware is isn’t just dependent on how damaging it is. Whether they are stealing credentials or enlisting devices to their botnet, hackers want their malware to infect as many devices as possible.

    And hackers are learning a lesson from biological diseases. Some deadly illnesses don’t tend to spread very far due to high mortality rates, limiting their overall impact on a population. By contrast, illnesses like the common cold or flu have a slower onset of symptoms. This longer incubation period gives infected people time to catch planes and trains and spread the disease.

    Elusive malware operates in a similar way. It will stay completely dormant on a device for a period of time—weeks, or even months—until it’s triggered. Because the malicious part of the app hasn’t been activated, the app can gather good reviews (or have them paid for) and users may recommend it to friends and colleagues, helping it spread to many more devices.

    The trigger for the malicious part to spring into action may be as simple as reaching a particular date—reminiscent of early "time bomb" viruses. But criminals are getting increasingly sneaky. There are examples of malware being programmed to trigger after a set number of steps are taken, identified by the onboard accelerometer. This makes it harder for security researchers to spot the malicious code, as tests are normally conducted on lab benches or even in PC-based emulators.

  • The growing availability of ready-made malware is further creating opportunities for even inexperienced criminal actors to launch their own operations.

    —U.S. Secret Service20
  • Insecure coding

    You might only be using apps from the most trusted, reputable companies, but in the rush to get updates out, even they can deploy apps with vulnerabilities. Seventy-five percent of organizations said they were concerned about this threat, and 23% of those didn’t feel prepared for it.

    There’s also the risk of stealers to contend with. Many users take advantage of built-in browser features that save your passwords. But now, malicious malware apps are being created that can interact with your browser and exploit the way this feature has been coded. Originally, these apps were created to compromise cybercurrency wallets, but attackers are now using them to steal user credentials. This could enable them to get into both personal accounts—like banking and shopping accounts—and corporate resources.

  • The number of reported ransomware attacks has decreased, but the loss amount has significantly increased. More money can be extorted from a business— especially a large, profitable one—so hackers are moving from targeting personal devices to corporate owned/ controlled ones.

    — FBI21
  • Ransomware

    Ransomware remains one of the biggest mobile device security threats, but it’s also one that companies feel the most ready for—85% said they are worried but 76% of those felt prepared. This is probably because ransomware has been getting a lot of media coverage, particularly recent attacks on the public sector where city systems have been held for ransom. This awareness has driven many companies to ramp up their defenses. This supports our observation that many companies wait until they themselves, or organizations they know, are hit before taking action to improve their defenses.

    But they may not realize how fast ransomware is evolving. The early versions simply locked the files on your device. Newer variants lock the files you have stored in online services like Google Drive and Office 365. An even more alarming variation is doxware, which instead of encrypting your personal files threatens to publish them online.

  • Figure 15
  • Cryptojacking

    Cryptojacking is the unauthorized use of a device to mine cryptocurrency. As we showed in our previous report, thanks to an experiment carried out by Wandera, it can significantly drain the battery life of devices. And this can lead to bigger problems, like downtime or operational disruption. Although cryptojacking is a relatively new threat, 73% of organizations said they are concerned about it.

    Working with Wandera, we analyzed the volume of cryptojacking attacks and the major cryptocurrencies. We found some correlation (r^2 = 0.26) between the market value and the number of attacks, with a lag of about three months. This analysis is very simple, but does suggest the value of cryptocurrencies has some impact on the volume of attacks. Of course, there are many other factors influencing a hacker’s choice of method of attack.

    Patching apps

    Many companies are not regulating which apps their employees are using—only 62% have banned the installation of unapproved apps within their AUP.

    And the problem isn’t just which apps employees are using, it’s how many of them. A single mobile device can have hundreds of apps installed, each potentially a source of vulnerabilities. That makes it harder to keep them all up to date.

    There are many reasons why users fail to patch their apps: They might have their device set to wait for Wi-Fi access to perform large updates, or they may simply be avoiding the hassle of updating. Setting updates to run automatically in the background can avoid some of these problems, but an untested update could introduce problems itself.

    What’s up?

    On May 12, 2019, the makers of WhatsApp announced that users had been subject to a spate of attacks where hackers exploited a buffer overflow vulnerability to run malicious code. When the culprit called the victim, the code would be executed and the device infected—even if they didn’t answer. Some attacks installed surveillance tools on the device, enabling the attacker to eavesdrop on conversations and track movements.

    The company urged its 1.5 billion users to install a new patched version immediately. But despite the seriousness of the vulnerability, users were remarkably slow at doing so. Even after six months, more than 1 in 15 users hadn’t updated and remained susceptible to attack.

  • figure 16

19 Based on aggregated usage data, MobileIron, January 2019 to September 2019

20 Michael D’Ambrosio, Assistant Director for Investigations, U.S. Secret Service, 2019

21 Donna Gregory, Unit Chief, FBI Cyber Division, 2020

22 Assessment of the effect of cryptocurrency valuation on cryptojacking attack volume, including all cryptojacking incidents encountered by monitored mobile devices around the world, Wandera Threat Research, July 2018 to December

23 Customer case study: The impact of WhatsApp vulnerabilities on security posture over 6 months (May 2019 to October 2019), 2019 Wandera Threat Research 

Services and/or features are not available in all countries/locations, and may be procured from in-country providers in select countries. We continue to expand our service availability around the world. Please consult your Verizon representative for service availability. Contact us.