What Is Mobile Malware? Researching Mobile Threats with Virtual Devices
Mobile malware isn’t new. But the way it’s spreading, evolving, and evading detection in 2025 is. From zero-click spyware to surveillanceware buried in malicious SDKs, mobile threats are getting smarter, stealthier, and more targeted. And while detection and defense remain critical, so does dynamic research—especially in environments that mirror how malware actually behaves in the wild.
In this article, we’ll look at several types of mobile malware of increasing sophistication and discuss opportunities for research and analysis using Corellium’s virtual hardware platform.
Understanding Mobile Malware in 2025
Mobile malware has seen a sharp uptick in recent years, as has the number of mobile devices with access to company data and systems. In Q2 2024, Lookout reported more than 80,000 malicious apps detected on enterprise mobile devices—an all-time high. From 2021 to 2022 alone, the share of Android devices with malware detected increased from one in 50 to one in 20, according to research from zLabs.
Attacks now run the gamut from adware to sophisticated malware strains that combine social engineering, abuse of Android's accessibility service, and self-protection mechanisms. Key modern malware types include:
- Spyware and surveillanceware that exfiltrate location data, messages, photos, microphone feeds, and more—sometimes without any user interaction.
- Bankers and RATs such as SOVA and Xenomorph that overlay fake login screens, intercept 2FA, steal cookies, and automate fund transfers using Android accessibility services.
- Stalkerware that hides in consumer apps or third-party SDKs, granting full device access to bad actors without raising anti-virus (AV) alerts.
Delivery techniques have also evolved. Smishing and phishing remain popular, but we’re seeing growth in zero-click exploit chains and threats delivered via malicious SDKs, fake system updates, rogue Play Protect lookalikes, and compromised enterprise MDMs.
Sophisticated malware now blends traditional social engineering with technical exploitation, often avoiding detection entirely. These trends underscore the need for dynamic analysis and research environments that closely replicate real-world mobile conditions.
Types of Mobile Malware
Though mobile malware changes by the day, the four following types are a good representation of what’s out there. They’re also examples of what researchers can sink their teeth into using Corellium.
Adware — A look at CamScanner
Mobile adware is a type of software that is designed to display advertisements on mobile devices. While it may not be as harmful as some other forms of malware, it can be quite annoying and intrusive for users. Adware is often bundled with legitimate apps or can be disguised as such. Its primary purpose is to generate revenue for the developers by delivering advertisements to users. These ads can appear in various forms, such as pop-up ads, banners, or even as full-screen ads, and they can disrupt the user's experience while using their mobile device.
An example of mobile adware is CamScanner. It was a legitimate app in the Google Play Store with more than 100 million downloads when, in 2019, a version shipping a malicious advertising library was found in the store. The library showed users intrusive ads and signed them up for paid subscriptions to other services.
CamScanner is an older example, but it is still a useful one: run it on a Corellium virtual device and use Network Monitor to see which hosts the app talks to in the background as it runs and executes code, which is where an advertising library's traffic shows up.
Black Rose Lucy
Black Rose Lucy is a Malware-as-a-Service (MaaS) botnet and dropper for Android devices and is typically spread through social media links and messaging apps. Once a victim clicks on a malicious link, they are tricked into downloading and installing a seemingly harmless video player app that is actually infected with the Black Rose Lucy malware.
Once installed, Black Rose Lucy can perform a number of malicious activities, including:
- Stealing sensitive information such as contact lists, SMS messages, and call logs
- Installing other malware onto the victim's device
- Using the victim's device to launch denial-of-service (DoS) attacks
- Displaying ransomware messages demanding payment
In 2020, Black Rose Lucy was updated with ransomware capabilities, giving it the ability to encrypt the victim's files and demand payment to decrypt them. Black Rose Lucy abuses Android's accessibility service: once the victim has been talked into enabling it, the malware can click through installation prompts and install payloads without further user interaction.
Using Corellium, mobile researchers can install Lucy and watch the steps the malware takes to social-engineer users into granting accessibility access, and how it then takes over the device, including showing a fake FBI pop-up to pressure users into paying a ransom.
Trojan/Infostealer — SOVA
SOVA is a sophisticated Android banking trojan that is designed to steal sensitive information from banking and financial apps and cryptocurrency wallets. Once installed, SOVA can perform a number of malicious activities, including:
- Stealing login credentials for banking and financial apps
- Intercepting two-factor authentication (2FA) codes
- Stealing cookies and other session data
- Recording keystrokes
- Taking screenshots
- Overlaying fake login screens on top of legitimate banking apps
Attackers can use this information to steal money, make unauthorized transactions, or even take over the victim's accounts.
SOVA is dangerous because it hides from antivirus programs and other security controls and is updated constantly with new features. V5 of SOVA adds a ransomware module and new self-protection mechanisms.
After installing SOVA V5 on a Corellium virtual device, it’s possible to see exactly how SOVA takes over, giving itself permissions and using self-protection measures to prevent it from being uninstalled no matter what the user does.
RAT/Infostealer — Xenomorph
Xenomorph is an Android banking trojan first discovered in 2022. The threat actors are actively developing the malware, rolling out targeted test campaigns as they expand its capabilities. Most recently, the newest version added the ability to perform Automated Transfer System (ATS) transactions.
Xenomorph performs ATS transactions by abusing the accessibility service permission to drive the victim's device: it can check account balances, initiate transactions, read MFA tokens, and finalize fund transfers without human interaction.
These abilities let Xenomorph target more than 400 banking and financial institutions, including crypto wallets. ATS is a real shift from the older model: instead of stealing credentials and then having to turn that information into money elsewhere, the malware completes the fraud on the victim's own device, and the same accessibility access lets the operator manipulate app installations and settings without any user interaction whatsoever.
By running Xenomorph on a Corellium virtual device, mobile security practitioners can safely see how this emerging malware social-engineers users into installing a malicious Play Protect lookalike and takes over the device. When you are done testing, use the restore snapshot feature to return to a clean version of the device.
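The takeover pattern shared by the three families above (a newly installed app that gets an accessibility service enabled and, for the bankers, the overlay permission) is also the cheapest thing to check for after a detonation. The following Python script is an added example, not Corellium's code and not anything from the malware families themselves: it compares a device-state snapshot taken before and after running a sample. The snapshots are built from the text that `adb shell pm list packages -3`, `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package>` return on the device. The sample command outputs and the package name com.example.videoplayer are constructed for the example, and the accessibility allowlist is an assumption you would replace with your own clean-image baseline.

```python
"""Diff an Android device's state before and after detonating a sample.

Added example, not Corellium's code. Input is the plain text returned by
three commands run on the device (adb shell or a virtual-device console):
  pm list packages -3
  settings get secure enabled_accessibility_services
  appops get <package>
The sample outputs and the package com.example.videoplayer are constructed.
"""
import re

# Assumed baseline: packages whose accessibility services are expected to be
# enabled on the clean image (here, a screen reader). Replace with your own.
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_packages(text):
    """'pm list packages -3' prints one 'package:<name>' line per third-party app."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_accessibility(text):
    """enabled_accessibility_services is 'pkg/Service:pkg2/Service2' or 'null'."""
    enabled = {}
    text = text.strip()
    if text in ("", "null"):
        return enabled
    for entry in text.split(":"):
        pkg, _, service = entry.partition("/")
        enabled.setdefault(pkg, set()).add(service)
    return enabled


def parse_appops(text):
    """'appops get <pkg>' prints 'OP_NAME: mode; ...' per op, or 'No operations.'"""
    ops = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+):\s*([a-z]+)", line)
        if m:
            ops[m.group(1)] = m.group(2)
    return ops


def snapshot(packages_txt, a11y_txt, appops_txt_by_pkg):
    return {
        "packages": parse_packages(packages_txt),
        "a11y": parse_accessibility(a11y_txt),
        "appops": {pkg: parse_appops(txt) for pkg, txt in appops_txt_by_pkg.items()},
    }


def diff_snapshots(before, after):
    """Return (finding, subject) tuples describing what the sample changed."""
    findings = []
    for pkg in sorted(after["packages"] - before["packages"]):
        findings.append(("new_package", pkg))
    for pkg, services in after["a11y"].items():
        if pkg in ALLOWED_A11Y_PACKAGES:
            continue
        for svc in sorted(services - before["a11y"].get(pkg, set())):
            findings.append(("accessibility_enabled", f"{pkg}/{svc}"))
    for pkg, ops in after["appops"].items():
        was_allowed = before["appops"].get(pkg, {}).get("SYSTEM_ALERT_WINDOW") == "allow"
        if ops.get("SYSTEM_ALERT_WINDOW") == "allow" and not was_allowed:
            findings.append(("overlay_granted", pkg))
    return findings


def takeover_candidates(findings):
    """Packages that are new AND got an accessibility service: the Lucy/SOVA/Xenomorph pattern."""
    new_pkgs = {s for f, s in findings if f == "new_package"}
    a11y_pkgs = {s.split("/", 1)[0] for f, s in findings if f == "accessibility_enabled"}
    return sorted(new_pkgs & a11y_pkgs)


# Constructed command output: a clean snapshot, then the state after installing
# the sample and letting it walk the victim through the accessibility prompt.
BEFORE = snapshot(
    "package:com.example.notes\n",
    "null\n",
    {"com.example.notes": "No operations.\n"},
)
AFTER = snapshot(
    "package:com.example.notes\npackage:com.example.videoplayer\n",
    "com.example.videoplayer/com.example.videoplayer.AccService\n",
    {
        "com.example.notes": "No operations.\n",
        "com.example.videoplayer": "SYSTEM_ALERT_WINDOW: allow; time=+1m3s ago\n",
    },
)

if __name__ == "__main__":
    findings = diff_snapshots(BEFORE, AFTER)
    for finding in findings:
        print(*finding)
    print("takeover candidates:", takeover_candidates(findings))
```

Take the "before" snapshot right after restoring a clean device snapshot and the "after" one once the sample has finished its on-screen prompts; a package that is both new and holds an accessibility service is worth a closer look regardless of what the app claims to be, and the overlay grant on top of that is the banker signature.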
These are just a few examples—Corellium enables malware research that’s both deeper and safer.

Virtual Devices Are Advancing Mobile Security Research and Testing
What type of mobile malware are you itching to test? Corellium's virtual hardware gives you low-level access to a controlled device in which to detonate, capture, and analyze the samples you obtain. Security teams get a safe place to detonate a suspected malware sample: threat research without the common testing challenges that slow down teams and cost time and money.
Simulating Attacker Conditions with Virtual Devices
Modern malware often adjusts its behavior based on context. With Corellium, researchers can simulate attacker-relevant conditions to fully observe malware activation:
- GPS spoofing to trigger location-specific payloads
- System setting manipulation (build ID, battery state, device model) to bypass anti-analysis checks
- Network routing and proxy configurations to analyze malicious communications over real or controlled network paths
These techniques help researchers understand how malware behaves "in the wild"—without relying on physical device farms. For a deeper look at detection tactics, check out our post on Mobile Malware Detection Tools, Tactics, and Procedures.
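One concrete check behind the network bullet above: a detonated sample's TLS connections reveal their destination in the ClientHello's Server Name Indication before any decryption happens, so a first pass over captured traffic can list the hosts a sample contacts and flag the ones the app under test has no business reaching. The Python below is an added example, not Corellium's code; it parses the SNI out of raw TLS records. The ClientHello records and hostnames are constructed inside the script (build_client_hello is a test fixture, not capture code), and the expected-host allowlist is an assumption. Encrypted ClientHello (ECH) would hide the name, in which case you fall back to decrypting the session.

```python
"""Pull the SNI hostname out of captured TLS ClientHello records.

Added example, not Corellium's code. The first TLS record of each flow is
the input; the records here are constructed and the hostnames are
placeholders, not real indicators.
"""
import struct


def _u16(n):
    return struct.pack(">H", n)


def _u24(n):
    return struct.pack(">I", n)[1:]


def build_client_hello(hostname):
    """Minimal TLS 1.2 ClientHello record carrying one SNI extension (test fixture)."""
    name = hostname.encode()
    server_name_list = b"\x00" + _u16(len(name)) + name          # name_type 0 = host_name
    sni_ext = (_u16(0x0000) + _u16(len(server_name_list) + 2)
               + _u16(len(server_name_list)) + server_name_list)
    body = (
        b"\x03\x03" + b"\x00" * 32          # client_version, random
        + b"\x00"                           # session_id length 0
        + _u16(2) + b"\x13\x01"             # one cipher suite
        + b"\x01\x00"                       # compression methods: null
        + _u16(len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + _u24(len(body)) + body                # ClientHello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # handshake record


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if absent/not a hello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        p = 2 + 32                                       # skip version + random
        p += 1 + body[p]                                 # session_id
        p += 2 + struct.unpack(">H", body[p:p + 2])[0]   # cipher_suites
        p += 1 + body[p]                                 # compression_methods
        if p + 2 > len(body):
            return None                                  # hello without extensions
        ext_len = struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", body[p:p + 4])
            p += 4
            edata = body[p:p + elen]
            p += elen
            if etype != 0:                               # 0 = server_name
                continue
            q = 2                                        # skip server_name_list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
        return None
    except (IndexError, struct.error):
        return None                                      # truncated or malformed hello


# Assumed: the hosts the app under test is known to use legitimately.
EXPECTED_HOSTS = {"api.example.com"}


def flag_unexpected(records, expected=EXPECTED_HOSTS):
    """Sorted SNI hostnames seen in `records` that are not in the expected set."""
    seen = set()
    for rec in records:
        host = extract_sni(rec)
        if host and host not in expected:
            seen.add(host)
    return sorted(seen)


# Constructed capture: two ClientHellos and one application-data record.
SAMPLE_RECORDS = [
    build_client_hello("api.example.com"),
    build_client_hello("cdn-check.example.net"),
    b"\x17\x03\x03\x00\x05hello",
]

if __name__ == "__main__":
    print("unexpected TLS destinations:", flag_unexpected(SAMPLE_RECORDS))
```

Feed it the first client-to-server record of each TLS flow from your capture; anything outside the expected set is a candidate C2 or ad-network endpoint to pivot on with the decrypted traffic.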
Integrating Corellium into Mobile Malware Analysis Pipelines
Corellium fits into automated research and testing workflows with flexible integration options:
- Command-line tools and REST API support scripting of full device lifecycle: creation, configuration, malware deployment, test execution, teardown
- Run large-scale malware analysis across different device types, OS versions, and configurations in parallel
- Seamless integration with popular tools like Frida, IDA Pro, Wireshark, and Burp Suite
- CI/CD support for embedding malware behavior tests into release pipelines or threat intel programs
Whether running a single controlled experiment or hundreds of parallel test cases, Corellium adapts to the pace and complexity of your research.
How Corellium Accelerates Malware Research
Corellium removes the barriers of physical-device testing (sourcing devices, reflashing after every detonation, exposing real networks to live samples) by offering system-level access to virtual iOS and Android devices that behave like real phones, because they run the actual OS on virtualized ARM hardware.
Using Corellium, mobile researchers can:
- Detonate real malware samples safely, without risk to networks or physical infrastructure
- Gain runtime visibility into system-level behavior using CoreTrace for syscall tracing and execution monitoring
- Strip TLS and intercept encrypted traffic with integrated network tooling for observing C2 communications
- Track file system artifacts, permission escalations, background processes, and persistence mechanisms in a clean, repeatable environment
- Use snapshot and restore to roll back devices instantly and retest multiple infection paths—no reflashing required
These capabilities not only make testing safer and faster—they make it dramatically more comprehensive. Book a meeting today to explore how our platform can optimize mobile security research and malware analysis.