Another Kind of Infection is Rapidly Spreading in 2022


Mobile malware is malicious software that’s specifically designed to target mobile devices, like smartphones and tablets. Mobile malware isn’t new, and it’s not as prevalent as malware that attacks the traditional computer, but it is increasing at a very alarming rate. In fact, Proofpoint recently reported there has been a 500% jump in mobile malware attempts in Europe since early February of this year. This trend will likely continue throughout the world.

The ultimate goal of mobile malware is typically to get access to usernames and passwords for email and bank accounts. But today’s mobile malware also has more advanced and invasive capabilities, like recording audio and video without your knowledge or consent, tracking your location, or destroying and wiping your content and data.

Why are we seeing such an increase?

The short answer is there are more opportunities for cybercriminals than there used to be, making it worth their effort to develop malware for mobile devices. For example, 83.7% of the world’s population now owns a smartphone when just six years ago only 49% owned one. Many are unaware of the potential dangers and generally have less protection on their phones than on their computers, and more people are using their mobile phones to access a wide variety of services, like banking and shopping applications. Opportunity.

Android vs. Apple

Of the two biggest mobile smartphone platforms, Android and Apple iOS, Android smartphones are a far more popular target for cybercriminals. Android systems allow users to get content from multiple app stores, and users can easily sideload apps from anywhere on the internet. Sideloading means installing an app through a website or third-party app store or downloading it directly to the device from a link. This feature makes the platform a popular choice for users who like more control over what they download. It’s also what makes the platform so attractive to cybercriminals who know Android phones can be compromised in just a few steps.

On the other hand, Apple’s app store has strict quality controls and iOS doesn’t allow for sideloading of apps – to do so would require jailbreaking the device (removing restrictions imposed by the manufacturer), which the average user isn’t likely to do.

Smishing is on the rise

Over the last year, there has been an increase in smishing attacks that deliver mobile malware. Smishing is basically phishing over SMS (Short Message Service, also known as texting). In a smishing attack, cybercriminals send text messages designed to lure the victim into clicking a link or downloading a file. Since most of us don’t expect to be attacked that way, a smishing text has a better chance of being opened and acted on than a normal phishing campaign on a computer.

What can I do to prevent mobile threats?

The mobile malware threat landscape is changing every day with new players and new dangers. But, there are some things you can do to protect yourself from malware threats:

  1. Update your device and apps. Cybercriminals find vulnerabilities in smartphone and app security, and they exploit them. Smartphone manufacturers regularly release updates to fix vulnerabilities that would allow a cybercriminal to gain access. When that pop-up reminder comes up to update your device, don’t ignore it. Install it right away.
  2. Don’t click any links from unknown sources. If you don’t know who sent you the message, don’t click on any links contained within it. Don’t let your curiosity get the better of you – remember, curiosity killed the cat, and it can do the same thing to your brand-new Samsung Galaxy S22 Ultra. Just delete it and move on with your life.
  3. Install security apps. Just as with desktops and laptops, install some type of mobile device security app from a reputable and trusted source. Take care not to download and install a free security or antivirus app you’ve never heard of. Malicious mobile apps often disguise themselves as a legitimate tool, something good or beneficial to users, like some type of security scanner or antivirus tool, but they have a far more sinister hidden purpose. Keep your security app up-to-date and set up regular automatic scanning.
  4. Never download third-party apps. If you’re using an iPhone, you don’t have much choice. But, if you’re using an Android device, you should only download apps from the Google Play Store. If you do decide to use third-party apps, do your research to be sure you’re not getting a malicious one. Read reviews, and if the app asks for access to too much personal data up front, don’t download it.
  5. Check permissions when installing any app. Applications should only request permission to access the features on your device that they need to function properly. When downloading a new app, take a few moments to review the permissions it’s requesting and deny any that seem unnecessary, especially for accessibility services and SMS (text messaging) access. Be especially suspicious of any app that asks for permission to handle SMS. Almost no application really needs this feature in order to function properly, but banking trojans can use it to bypass two-factor authentication that relies on SMS (text messages) to verify identity, like when you enter your password on a website and it sends you a text message to verify it’s you. If an app seems to need more permissions than it should, just don’t download it.
  6. Beware of immediate updates. An application downloaded from the Google Play Store is supposed to be the latest version. If you download an app and it asks to update on the first run, be very suspicious. It could be malware trying to download additional functionality.
  7. Use a password manager. Most trojans, especially banking trojans, can log keystrokes – meaning they can log anything you type on your device, including usernames and passwords. Using a password manager to automatically fill in passwords allows you to avoid typing in credentials, essentially rendering a keystroke logger useless.
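
For support staff who vet apps before they go onto someone’s device, the permission check in step 5 can be scripted. This is an added example, not part of the original article: it assumes the app’s AndroidManifest.xml has already been decoded to plain-text XML, and the sample manifest and the package name `com.example.flashlight` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by Android manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read, intercept or send text messages.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# A service protected by this permission is an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
""".strip()


def review_manifest(manifest_xml):
    """Return sorted (kind, detail) findings for SMS and accessibility access."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # Permissions can be declared with either of these two elements.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            if name in SMS_PERMISSIONS:
                findings.append(("sms", name))
    # Accessibility services are declared as <service> entries.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            findings.append(("accessibility", svc.get(ANDROID_NS + "name", "?")))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in review_manifest(SAMPLE_MANIFEST):
        print(f"review before installing: {kind}: {detail}")
```

A flashlight app has no reason to read text messages or run an accessibility service, so every finding here is a reason not to install it.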

How can I help the person(s) I support to use their mobile devices safely?

If someone you support regularly uses at least one mobile device, but they don’t use social media or texting, they don’t go online for any reason, and they only use apps that are already downloaded, then they are already using the device safely because they’re not engaging in any activities that could put them at risk. However, if they do use social media, texting, and/or they go online for any reason, it is very important to learn how to use the device safely.

While we certainly don’t want to take on the role of monitoring their online activity, we can take every opportunity to teach someone about the risks and help them take an interest in online safety education. Here are some ways you can help:

  1. Take an interest. Learn about the device or the applications they use, including any potential risks involved with using them. I’m not suggesting you read the user manual cover-to-cover (yawn!) or become an expert user, but by familiarizing yourself with the basics, you can be a very helpful resource for the person you support.
  2. Ask about their experiences on the internet. If someone uses social media, chances are they’ve had some sort of negative experience online. Ask them to tell you about those experiences and what they may have learned from them. Then, if necessary, you can use that opportunity to talk about how to prevent a similar situation from happening in the future.
  3. Protect their privacy. Privacy settings are controls available on many websites and applications to limit who can access your information (profile data) and what information they can see. Many social media and shopping applications offer privacy protections, but they are not turned on by default. And, people often don’t know protection is available, let alone how to turn it on. Offer to help with privacy settings on their device and on the apps they use.
  4. Use hobbies or interests. If the person you support is passionate about a particular hobby or interest, try to find opportunities to use those to explain more complex concepts. Analogies can help people build conceptual bridges between what is familiar and what is new. Take care to keep any analogies simple and concrete so it’s easy for people to make the connection.
  5. Meet them in the moment. Sure, you can have a conversation about unwanted text messages at the dinner table, but it might have more impact if you talk about it in a relatable way when they’re using their device. For example, if you see someone texting a friend, you can start a conversation by asking if they ever get text messages from people they don’t know and what they do with them when they get them. Using that as an opportunity to talk about what we should do with an unwanted text message can make a lesson applicable and interesting, providing a way for the person to immediately understand what they are learning.
  6. Get everyone involved. Teaching mobile and online safety/cybersecurity to a person with an intellectual disability shouldn’t be the responsibility of just one person. Collaborate with your team and others in the person’s life to teach them about cybersecurity, and regularly reinforce concepts, so you can infuse that learning into their daily lives.

Mobile devices can connect us to goods, services, and each other, which has been very useful throughout the COVID-19 pandemic. But it’s important to remember they can be infected with malware just as easily as a computer can. Taking steps to mitigate the risk will help ensure you and your mobile device have a long and happy life together, and help the people you support to browse, chat and text safely.

Leslie Dollman

Leslie is the MIS Administrator at Milestone HCQU West.
