Current Trends in Android Mobile Malware

Whilst Apple products are certainly not invulnerable from dangerous malware, Android phones are continuously hitting the headlines due to seemingly constant malware assaults. Google’s official app store, Google Play, has seen witness to risky malware, including the use of mobile botnets and adware. In addition, state-actors have increased their activity and sophistication in the mobile arena.

Check Point have analysed the trends in Android malware, looking into the dangerous mobile malware which is infiltrating Google Play, subsequently infecting millions of unsuspecting Android users. Read their full report here.

Current Trends

Mobile adware botnets infiltrate

What is a Botnet?

A botnet is a group of devices which are controlled by hackers without the knowledge of their owners. Their use varies, based on the distributed computing capabilities of the devices – the larger the botnet, the greater its capabilities.

Significant Botnets
How a Mobile Botnet Works?
Viking Horde

Discovered by Check Point in April 2016, this was the first mobile botnet attack to infiltrate Google Play. A zombie army of IP address proxies disguised as ads clicked to generate revenue for the attacker. Viking Horde delivers additional malware payloads that are capable of executing any code remotely, potentially compromising the security of data on a rooted device.


This malware, spread through Google Play, enabled access to the infected device’s internal networks, compromising the security of enterprises and organisations, and ultimately allowed cybercriminals to easily breach private corporate networks.


Notable for its wide range of capabilities, the CopyCat malware was discovered in July 2017 and through code injection was able to control any activity on the device. The malware has infected 14 million devices globally, rooting 8 million of them.

Check Point researchers anticipate that the current growth of mobile botnets means they’ll continue to grow in volume and sophistication, emerging as a major player in the mobile threat landscape.
Mobile botnets were used prolifically by hackers in 2018 for the mass IP addresses they accumulated. This information was then used to orchestrate Distributed Denial of Service (DDoS) attacks; taking down websites by overworking the servers which host them. Hackers are also utilising the strength of mobile botnets to mine crypto-currencies.

Mobile Bankers – coming to a Play Store near you

Banking malware is one of the most dangerous threats to mobile users. They’re malicious pieces of code which have been designed to steal personal financial information and transfer funds to the accounts of hackers. Traditional banking malware on PCs have been thwarted by the new and secure security measures adopted by banks. On the other hand, mobile bankers have flourished, bypassing obstacles such as 2-Factor Authentication (2FA) and other defences set by Android.

Mobile banking malware requires little technical knowledge to develop and operate, making them a desirable tool. Once installed, the malware searches on the infected device for a banking app. Upon the user opening it, the malware creates a fake overlay page, stealing the user’s credentials. Using only a few persuasive overlay pages, a server and an infection method, a hacker can operate a thriving banking campaign.

Previously, banker malware has spread largely through third-party app stores and phishing attempts. However, Android malware has recently been infiltrating Google Play, widening its spread.
A new addition to mobile banking malware has been identified by Check Point researchers. Malware masquerading as legitimate cryptocurrency wallets, but in reality, they’ve been stealing money from the ‘secure’ wallet provided. As cryptocurrency trading continues to be popular, this type of malware is expected to continue to grow in sophistication.

State-actors step it up a level

Mobile malware developers fall under one of four categories:

State-level developers – The most sophisticated type, they create malware aimed at reconnaissance.
Exploiters – Develop espionage capabilities for governments and organisations.
Personal spyware developers – Create “parental control” tools which are used to spy on other devices.
Ordinary malware hackers – Hackers driven by gaining illegal profits.

However, malware developers rarely operate independently – sharing tactics, code and technologies.
Recent years have seen a sharp rise in the activity of state-level actors within the mobile world, as new campaigns are identified weekly. GlanceLove malware was uploaded onto Google Play under the guise of the World Cup and dating apps; targeting Israeli soldiers they result in the installation of a Trojan horse, spying on their every move. The Domestic Kitten operation, discovered in September 2018, targeted Kurdish and Turkish natives for over 2 years, gathering information from infected devices such as SMS messages, call records, photos and more.

This rise in activity by state-level actors of mobile malware is creating an increasingly dangerous mobile threat landscape. Advancements introduced and developed by state-level actors are consequently being adopted and mimicked by ordinary malware.

How can Mobliciti Help?

Mobliciti specialises in cloud and mobile endpoint security, ensuring that data is kept safe and secure. We offer a range of the very latest cybersecurity solutions which can protect against the installation, spread, and exploitation of malicious malware.

Find out more about our services or get in touch.