These days, it’s normal to carry your smartphone everywhere. Social life is built around messaging platforms. Essential services, such as banking, have moved online. Even basic tasks, like paying for parking, can require you to download a mobile app.
As a result, your phone probably now stores more sensitive information than many desktop computers, especially if you use it for work. Cybercriminals are aware of this and are targeting mobile devices to steal data.
The shift to mobile-first attacks
There is a belief that mobile devices are inherently more secure than desktop operating systems, and especially Microsoft Windows. This idea has its origins in an earlier era.
When the first Windows and Mac operating systems were developed, the world was much less connected. Computers were mostly standalone, and only a small elite of scientists and academics were aware of the Internet. Cybersecurity was a low priority, and the earliest desktop operating systems weren’t designed with it in mind.
By contrast, mobile operating systems such as Android and iOS are products of the internet age. As a result, they were designed to be secure from the outset. Their developers drew upon the lessons learned from retrofitting security features into desktop systems as the need for them became clear.
However, now that mobile devices handle more than 60% of global internet traffic, cybercriminals are following the data and pivoting towards mobile-first attacks.
Platform-specific attack vectors
Mobile devices often lack the layered security protections found on desktop systems. Compounding the problem, users often download apps from unofficial sources, ignore software updates, and grant excessive permissions to applications.
Android malware
Android’s open ecosystem creates security challenges. Malicious apps sometimes bypass Google Play’s security checks, and generous access permissions in Android apps can create opportunities for attackers.
iOS malware
Another common cybersecurity myth is that viruses and malware aren’t a problem on Apple devices. However, Apple’s ecosystem isn’t impregnable.
In 2025, Apple has published several threat notifications about spyware attacks on iOS devices. The targets have been high-profile individuals, such as journalists, activists, politicians, and business leaders.
These attacks have used sophisticated techniques. They’ve exploited zero-day (previously unknown) vulnerabilities, and they’ve been zero-click, meaning that the malware is installed and run without requiring any action from the user.
Types of mobile malware
Mobile devices are now at risk of infection from various types of malware. Recent examples include the trojans Anatsa and Xenomorph, which target banking apps on Android devices.
The Anatsa trojan
Anatsa is spread via malicious apps in the Google Play Store. It uses keylogging and overlays, mimicking the user interface of a legitimate app to capture the victim’s login details.
The attackers can then hijack the device and perform transactions from the victim’s bank account, circumventing conventional fraud-detection systems. In early 2023, more than 30,000 devices were reported to be infected.
The Xenomorph trojan
Spread via spoofed websites and fake apps, Xenomorph allows the attackers to take control of the victim’s bank accounts and perform transactions. It was detected in various European countries in 2022 before spreading to the United States, where it has targeted customers of more than 35 banks.
The threat from mobile infostealers
Infostealers are one of the most alarming threats in cybersecurity today. They’re a type of malware designed to steal files and data and send them back to a server managed by the attackers. They can steal various types of information and files, such as:
- Login credentials and passwords
- Cookies and browser history data
- Autofill data, such as names, addresses, or phone numbers
- Credit card and payment details
- Cryptocurrency wallet keys
 
Infostealers are spread in various ways, including phishing emails and fake apps, and conventional cybersecurity measures can’t stop them. They’re designed to work undetected and delete themselves when they’ve finished. Your personal data can be for sale on the dark web before you know you’ve been infected.
There are now families of infostealers designed to target mobile devices.
TriaStealer
TriaStealer steals message content from email and messaging apps, such as Outlook, Gmail, and WhatsApp. This can include one-time passwords (OTPs) and transaction authorisation codes (TACs), which allow attackers to bypass multi-factor authentication (MFA) and access the victim’s accounts.
Crucially, TriaStealer works by asking the victim to grant it various advanced permissions on the device, such as permission to read SMS messages.
TrickMo
TrickMo is a sophisticated multipurpose stealer that targets services including Google, Dropbox, Zendesk, and Zoom. It can steal credentials and OTPs. The methods it uses include screen recording, deploying overlays that mimic lock screens, and remotely controlling the device.
AppLite
AppLite is spread by mobile phishing campaigns, where it masquerades as legitimate apps such as Chrome and TikTok. It steals login details and data from a range of payment apps, including Venmo, PayPal, and Google Wallet, by displaying a fake lock screen.
Triada
Triada comes preinstalled on maliciously distributed Android devices. It hijacks the crucial Zygote process, which Android uses to start apps and system processes. This gives the attackers control over a range of apps, including WhatsApp, Instagram, TikTok, SMS tools, and Chrome.
SMS Stealer
Spread via malicious downloads, SMS Stealer extracts OTPs from SMS messages on Android devices, allowing attackers to bypass multi-factor authentication (MFA) on the victim’s accounts.
Protecting your organisation from mobile threats
To protect your organisation against the threat from mobile malware:
- Educate and train your employees about security risks: Ensure they are always suspicious of unexpected emails and can recognise potential phishing or spear phishing attacks.
- Keep software and devices updated: Updates patch known vulnerabilities. Ensure everyone installs them promptly. If possible, automate them, or provide automated notifications.
- Only procure devices from trustworthy suppliers: As we’ve seen, some mobile malware comes preinstalled on devices. Always buy from legitimate suppliers, and beware of bargain deals online.
- Only download official, authorised apps: Even apps in the Google and Apple stores can be risky. Only install apps authorised by your organisation on business mobiles.
- Think carefully before granting app permissions: Does an app really need to access your photos, messages, or location? Only grant apps the permissions they genuinely need to function, and review your settings regularly.
- Deploy mobile device management (MDM) solutions: MDM solutions let you monitor, update, and troubleshoot the mobile devices that your employees use for business. This helps you to keep them safe and secure.
- Use a cyber threat intelligence (CTI) and credential monitoring solution: Solutions such as Cybercheck continuously monitor for exposed credentials and personal data. If cybercriminals are trading information about you or your organisation, we alert you immediately. That means you can take proactive steps, such as changing passwords or blocking cards, and shut out the attackers before they make you their next victim.
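The permission-review advice above, and the way TriaStealer and the overlay-based trojans depend on SMS and overlay permissions, can be turned into a simple audit. The following is an added example, not code from the original article or from any vendor: it parses a constructed, simplified dump in the style of `adb shell dumpsys package` output (the package names and the dump layout are assumptions) and flags apps that request both SMS access and the ability to draw over other apps, the combination a banking stealer needs to capture OTPs behind a fake screen.

```python
import re
from typing import Dict, List, Set

# Real Android permission names mapped to the capability a reviewer cares about.
# Accessibility-service abuse (keylogging, remote control) is not a requested
# permission; check it separately with `settings get secure enabled_accessibility_services`.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (OTP/TAC theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
}

# Constructed sample, simplified from the dumpsys package format; not real device output.
SAMPLE_DUMP = """\
Package [com.example.parking] (a1b2c3):
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_FINE_LOCATION
Package [com.example.freevideo] (d4e5f6):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.SYSTEM_ALERT_WINDOW
  install permissions:
    android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")

def parse_requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Return {package: requested permission names} from dumpsys-style text."""
    perms: Dict[str, Set[str]] = {}
    current, in_block = None, False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:                      # new package header starts a new record
            current, in_block = m.group(1), False
            perms.setdefault(current, set())
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif stripped.endswith(":"):  # any other section header ends the block
            in_block = False
        elif in_block and current and stripped.startswith("android.permission."):
            perms[current].add(stripped)
    return perms

def flag_stealer_pattern(perms: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Flag packages that combine SMS access with overlay capability."""
    findings = {}
    for pkg, requested in perms.items():
        risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)
        sms = any(p.endswith("_SMS") for p in risky)
        overlay = "android.permission.SYSTEM_ALERT_WINDOW" in risky
        if sms and overlay:
            findings[pkg] = [RISKY_PERMISSIONS[p] for p in risky]
    return findings
```

On a real device the input would come from `adb shell dumpsys package` for each installed package; a flagged app is a candidate for removal or for review against the organisation's authorised-app list.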