Mobile Malware and Threat Research Without Limits

Mobile Malware and Threat Research Without Limits

Mobile malware is an interesting area of study for security experts, as its threats can target a wide range of devices and applications, from enterprises to individual users. In recent years, mobile malware has seen a sharp uptick, as have the number of mobile devices with access to company data and systems. From 2021 to 2022, the share of Android devices with malware detected rose from one in 50 to one in 20, according to research from zLabs.

Attacks run the gamut from adware to more sophisticated malware strains that gain access to accessibility settings to completely take over a user’s device. SOVA and Xenomorph are just two examples of mobile malware that employ a combination of sophisticated social engineering, clever accessibility workarounds, and self-protection techniques.

Recently, the Corellium team played with live ransomware, spyware, and other types of information-stealers using the Corellium virtualization platform, which makes dynamic analysis of mobile malware possible, safer and more efficient than ever before. You can watch the webinar “Mobile Malware and Threat Research Without Limits” here. Below, you can see what it looks like to detonate SOVA on a Corellium device.

In this article, we’ll look at several types of mobile malware — of increasing sophistication — and discuss opportunities for research and analysis.

Types of Mobile Malware

Though mobile malware changes by the day, the four following types are a good representation of what’s out there, as well as examples of what researchers can sink their teeth into using Corellium.

Adware — A look at CamScanner

Mobile adware is a type of software that is designed to display advertisements on mobile devices. While it may not be as harmful as some other forms of malware, it can be quite annoying and intrusive for users. Adware is often bundled with legitimate apps or can be disguised as such. Its primary purpose is to generate revenue for the developers by delivering advertisements to users. These ads can appear in various forms, such as pop-up ads, banners, or even as full-screen ads, and they can disrupt the user's experience while using their mobile device.

An example of mobile adware is the "CamScanner" adware. Originally a legitimate app in the Google Play Store, the malicious version had more than 100 million downloads and installs. The malware would show users intrusive ads and sign them up for paid subscriptions to other services.

CamScanner is an older example, but you can use the Corellium platform to take a look at how CamScanner is running in the background of a mobile device, using Network Monitor to gather information about the communication an app is doing as its running and executing code.

Black Rose Lucy

Black Rose Lucy is a Malware-as-a-Service (MaaS) botnet and dropper for Android devices and is typically spread through social media links and messaging apps. Once a victim clicks on a malicious link, they are tricked into downloading and installing a seemingly harmless video player app that is actually infected with the Black Rose Lucy malware.

Once installed, Black Rose Lucy can perform a number of malicious activities, including:

  • Stealing sensitive information such as contact lists, SMS messages, and call logs
  • Installing other malware onto the victim's device
  • Using the victim's device to launch denial-of-service (DoS) attacks
  • Displaying ransomware messages demanding payment

In 2020, Black Rose Lucy was updated to include ransomware capabilities, giving it the ability to encrypt the victim's files and demand a ransom payment in order to decrypt them. Black Rose Lucy leverages Android’s accessibility services to install payloads without user interaction.

Using Corellium, mobile researchers can install Lucy and see the steps the malware takes to social engineer users and then take over the device after gaining access to accessibility services, including showing a false FBI pop up to get users to pay a ransom.

Trojan/Infostealer — SOVA   

SOVA is a sophisticated Android banking trojan that is designed to steal sensitive information from banking and financial apps and cryptocurrency wallets. Once installed, SOVA can perform a number of malicious activities, including:

  • Stealing login credentials for banking and financial apps
  • Intercepting two-factor authentication (2FA) codes
  • Stealing cookies and other session data
  • Recording keystrokes
  • Taking screenshots
  • Overlaying fake login screens on top of legitimate banking apps

Attackers can use this information to steal money, make unauthorized transactions, or even take over the victim's accounts.

SOVA is a dangerous malware because it is able to hide from antivirus programs and other security measures and is constantly being updated with new features. V5 of SOVA includes a ransomware module and new self-protection mechanisms.

After installing SOVA V5 on a Corellium virtual device, it’s possible to see exactly how SOVA takes over, giving itself permissions and using self-protection measures to prevent it from being uninstalled no matter what the user does.

RAT/Infostealer — Xenomorph

Xenomorph is a type of mobile malware first discovered in 2022. The threat actors are actively developing the malware, rolling out focused tests to expand its capabilities. Most recently, the newest version added the ability to perform Automated Transfer System (ATS) transactions.

Xenomorph is able to perform ATS transactions by using the Accessibility Services permissions to gain control of the victim's device, also giving it the ability to check account balances, initiate transactions, obtain MFA tokens, and finalize fund transfers without human interaction.

Xenomorph’s abilities allow it to target more than 400 banking and financial institutions, including crypto wallets. This kind of attack delivery method represents a complete paradigm shift from the old models, bypassing the “money for information” step altogether, and instead allowing the threat actor to manipulate app installations and settings without any user interaction whatsoever. 

By running Xenomorph on a Corellium virtual device, mobile security practitioners are again able to safely see how this emerging malware social engineers users to install a malicious Play Protect app and take over the device. When you’re done testing, you can use the restore snapshot feature to return back to a clean version of the device.

Virtual Devices Are Advancing Mobile Security Research and Testing

What type of mobile malware are you itching to test? With Corellium’s virtual hardware, you can obtain and research mobile malware samples and also get access to a controlled space to capture and analyze malware samples seamlessly. Virtual devices also give security teams a safe place to detonate a suspected malware sample. It’s threat research without the common testing challenges that slow down teams and cost time and money. 

For an in-depth exploration of these mobile malware types and the advanced techniques used in threat research, we invite you to check out our webinar: “Mobile Malware & Threat Research Without Limits.”