There’s been a surge in mobile malware attacks as cyber criminals ramp up their attempts to deliver malicious text messages and applications to users in order to steal sensitive information including passwords and bank details. 

Cybersecurity researchers at Proofpoint say they detected a 500% jump in attempted mobile malware attacks during the first few months of 2022, with significant peaks at the beginning and end of February. 

The main aim of a substantial proportion of mobile malware is to steal usernames and passwords for email or bank accounts, but many forms of mobile malware are also equipped with invasive snooping capabilities to record audio and video, track your location, or even wipe your content and data. As mobile malware evolves, more attacks are employing these advanced capabilities. 

SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

Both Apple and Android smartphones are targets for cyber criminals, but researchers note that the more open nature of the Android marketplace and the ability to download apps from third-party app stores makes devices using Google’s operating system more vulnerable to being compromised. 

Users of both Apple and Android smartphones can also find themselves the victim of SMS phishing (smishing) attacks, which sees text messages sent to users containing links designed to trick them into entering their bank details or login credentials into a fake website for cyber criminals to see and steal. Common lures include fake missed delivery notifications and fake alerts related to the COVID-19 pandemic. 

One of the most notorious forms of mobile malware is FluBot, which has been active since November 2020 and is designed to steal usernames and passwords from banks and other sites the user visits.  

What makes FluBot so potent is that it’s also equipped with a worm-like ability to spread itself by accessing the infected user’s address book and sending SMS messages to their friends. It’s this ability to virtually spread itself which is why it’s been dubbed FluBot. 

Another form of mobile malware causing problems for smartphone users is TangleBot. Described as “powerful but elusive,” TangleBot first appeared in 2021 and is delivered mainly via fake package-delivery notifications. In addition to being able to steal sensitive information and control devices, TangleBot can overlay other mobile apps and intercept camera footage and audio recordings. 

Other mobile threats detailed by Proofpoint include Moghau, which is SMS-based malware that deploys multi-lingual attacks to target users around the world with fake landing pages based on their country and which is designed to trick victims into downloading trojan malware. Meanwhile, TianySpy is malware that infects both Apple and Android users by spreading via messages that claim to come from the victim’s mobile network operator. 

While the number of detected mobile attacks has declined since the surge last month, mobile malware is still a threat to users – but researchers warn that many people aren’t aware of the potential danger posed by phishing or malware attacks targeting smartphones. 

SEE: How Russia’s invasion of Ukraine threatens the IT industry

Researchers recommend that users should be wary of any unexpected or unrequested messages containing links or requests for data. 

“Consumers need to be very skeptical of mobile messages that come from unknown sources. And it’s important to never click on links in text messages, no matter how realistic they look. If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the web address/URL,” said Jacinta Tobin, vice president of Cloudmark operations for Proofpoint. 

“It’s also vital that you don’t respond to strange texts or texts from unknown sources. Doing so will often confirm you’re a real person to future scammers,” she added. 

Advice from the National Cyber Security Centre says users who receive a suspected malicious text message shouldn’t click the link or install any apps if prompted. Instead, they’re urged to forward the message to 7726, a free spam-reporting service provided by phone operators – then to delete the message.