The COVID-19 vaccine rollout has created plenty of opportunities for hackers.

Edward Gately, Senior News Editor

July 1, 2021

Mobile malware soared to record-high numbers last year amid the COVID-19 pandemic and resulting lockdown, according to McAfee’s Advanced Threat Research (ATR) team.

McAfee’s 2021 Mobile Threat Report found hackers are using fake apps, trojans and fraudulent messages to target consumers. At the end of 2020, total mobile malware detected by McAfee reached 43 million. And over 3 million of these detections were new.

Over the past year, the vaccine rollout has advanced at different rates across the globe. That has provided plenty of opportunities for hackers. They’re hiding malware and malicious links inside fake vaccination appointments and registration display ads. These have the potential to download malware onto a person’s device that displays unwanted ads. They can also activate accessibility features to give the hacker full device control. The hackers’ goal is stealing banking details and credentials.

According to the McAfee research, some of these campaigns started as early as last November before any vaccines had officially been approved. Others continue to appear as countries roll out their vaccination programs.

Hackers Succeeding

Raj Samani is McAfee fellow and chief scientist.

“Hackers are often extremely successful,” he said. “Over the last year especially, they were able to prey upon fear, which often leaves people vulnerable to making hasty, uninformed decisions, to prompt consumers into accidentally clicking on malicious links or downloading malware. This is particularly true regarding the influx of COVID-related attacks.”

Another key finding is billing fraud malware that makes purchases behind the backs of consumers. Moreover, hackers are using banking trojans to target hundreds of financial institutions globally.

Most banking trojans are distributed via phishing and text messages to avoid Google’s screening process. One banking trojan repeatedly got onto the Google Play store. As a result, it tricked thousands of users into downloads.

“While COVID-19 related attacks should taper off with the new normal, many consumers still intend to conduct most daily activities online and via mobile device,” Samani said.

Fraudsters will continue to meet people where they are, he said. They’ll launch advanced threats that target sensitive personal and business information across email, text message, phone and other channels.

Difficult to Detect

Saryu Nayyar is CEO of Gurucul. It provides unified security and risk analytics.

“Malware embedded as a trojan horse in mobile apps is becoming more prevalent as users take advantage of the convenience and utility of these apps,” she said. “Embedded malware is very difficult for the average user to detect, and can cause serious harm in the form of stolen funds and illicit purchases.”

Without specific digital signatures, malware can be very hard to detect in apps, Nayyar said.

“However, by setting a baseline for device and application behavior, and using machine learning algorithms to detect and analyze anomalous behaviors, it’s possible to provide an early warning of apps that have malicious intent,” she said.

Saumitra Das is CTO and co-founder of Blue Hexagon. It provides cloud-native artificial intelligence (AI) security.

“COVID-19 is a great opportunity for attackers to lure victims to click due to the urgency of the message and the common use of apps for appointment scheduling,” he said. “Last year, similar techniques were being used with COVID-19 information lures. Mobile malware are targeting not just the user themselves, but their authentication information such as text and even authenticator apps for MFA. This allows attackers to harvest credentials either directly or via other related data breaches and then bypass MFA for connecting to a victim’s workplace assets. With a remote workforce and increasing cloud migration, this means attackers can move laterally from personal mobile devices to other corporate assets at those users’ workplaces.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
