Are phone viruses real and how do you get one?

    What are mobile phone viruses and how do they work?

    Plenty of movies and TV shows feature hacking, so most of us have a clear understanding that viruses are bad.  Mobile malware is the phone counterpart of the desktop breed, only with closer ties to your personal data and activity.  To understand how these programs work and the scope of the damage they can do, it’s best to think about the creator’s motivation.  Malicious software is usually built to hijack a device, collect data or perform other tasks on the attacker’s behalf.  Phones are also an entry point to other sources of control and data via WiFi when users join networks (sometimes unintentionally).  Many viruses make money by causing a device to send text messages to a premium-rate number.


    A look at some specific viruses

    Fakeinst

    This looks like an installer for applications but when it is running it sends SMS messages to premium-rate numbers.

    FakeDolphin

    Malware that utilizes an alternative mobile browser that secretly signs up users for services without knowledge or consent.

    Adthief.A

    A trojan that hijacks ads from other apps and displays its own.

    XcodeGhost

    A family of iOS apps containing malicious code that was injected when the software was built with a tampered copy of Xcode.  It was targeted at Chinese developers, who often download redistributed copies of Xcode because official Apple download speeds are slow in China.

    YiSpecter

    Malware that uses private APIs to perform malicious actions on both jailbroken and non-jailbroken iOS devices.  YiSpecter can download, install and launch arbitrary iOS apps, and it can replace existing apps with those it downloads.  It can also hijack other apps’ execution to display advertisements.  In Safari it can change the default search engine, bookmarks and opened pages.  Lastly, it can upload device information to its C2 server.


    Youmi Ad SDK

    This advertising SDK, mostly used by Chinese App Store developers, abuses private APIs in order to collect more personal information than Apple’s security and privacy guidelines allow.  This information includes the list of apps installed on a device, the serial numbers of the device and its internal components, and the user’s Apple ID email address.  256 apps with an estimated 1 million downloads were found to be affected, including the official Chinese McDonald’s app.

    WireLurker and Masque Attack

    A family of malware targeting both Mac OS and iOS systems.  It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.

    AceDeceiver

    Malware for non-jailbroken iOS devices. It gets on non-jailbroken devices through a desktop application that exploits design flaws in Apple’s DRM mechanism to install a malicious iOS app from the App Store. It can install the malicious app even after the app is removed from the App Store, and it doesn’t require misusing an enterprise certificate.

    Safari JavaScript pop-up scareware

    Abuses the handling of pop-up dialogs in Mobile Safari, locking the victim out of the browser.  The attack blocked use of the Safari browser on iOS until the victim paid the attacker in the form of an iTunes Gift Card.  During the lockout, the attackers displayed threatening messages in an attempt to scare and coerce victims into paying.  However, a knowledgeable user could restore Mobile Safari by clearing the browser’s cache via the iOS Settings; the attack doesn’t actually encrypt any data and hold it for ransom.

    iOS 10.3 changed the handling of JavaScript pop-ups to prevent this problem, making pop-ups “per-tab rather than taking over the entire app”.


    What should you do if you have a virus?

    First, you want to stop the virus/app from doing anything else.  On Android you do this by booting the device into safe mode, which keeps third-party apps from running and lets you safely remove the offending app.  To enter safe mode on Android, press and hold your phone’s power button for a few seconds until Android prompts you to turn off your phone.  Next, tap and hold Power off for a few seconds until your phone asks you to confirm that you want to enter safe mode.  Tap OK, and your phone will restart into safe mode.  After you have removed the apps you wanted to remove, you can return the phone to normal with a restart.


    So are devices safe?

    Overall, mobile devices are fairly safe as long as you aren’t rooting a phone or sourcing apps from alternatives to the platform’s dedicated store (the safest apps have ample reviews/certifications).  Many exploits and viruses arrive through WiFi networks, browsers and fake app download links from sources outside of the dedicated app stores.

    Overall, your best practice is to not download any apps on any device unless they are from a trusted platform and have high ratings and a large number of users already using the app. Be sure to keep your device updated, and never connect to an open WiFi network without using a VPN.