
How Does Malware Get Into Your Smartphone?

Gavin Phillips 18-07-2017

Malicious apps are a scourge to smartphone users. No matter your take on iOS versus Android, we can all agree that a malware-infected app guarantees a terrible day. And while the Google Play Store is undoubtedly drowning in malicious apps, the long-standing sanctity of the Apple App Store is no more.


Why do malware purveyors want to infect your smartphone with an infected app? There are two simple reasons: money and data. There are countless apps out there that never arrive accompanied with a malicious sting. So how do they avoid infection, and how does malware get into an app in the first place?

Infected Apps Everywhere

Measuring the pervasiveness of malware-infected mobile applications is difficult, and a constantly shifting marketplace makes capturing a clear picture harder still. One thing is clear: no single mobile operating system is free of them. Android users recently encountered HummingWhale, Judy, and Xavier attacks, while iOS users had to contend with XcodeGhost.


A study published in 2014 [PDF], as part of the ANDRUBIS project, examined one million Android apps (1,034,999 to be precise). The apps sampled came from a wide range of sources, including unofficial marketplaces, torrents and sites known to offer pirated apps (as well as the Google Play Store).

Of the 125,602 apps sampled from the Google Play Store, 1.6 percent were malicious (that’s 2,009).


Unfortunately, malicious app data for the App Store is rare. There are several well documented cases of malicious app activity on iOS devices. But — and this is a major iOS selling point — they are vastly minimized compared to their Android counterparts. Take these two contrasting figures. The Pulse Secure 2015 Mobile Threat Report estimated that 97 percent of all mobile malware is written for Android. The F-Secure State of Cyber Security 2017 [PDF] report raises that figure to 99 percent. Then consider that in 2013 the U.S. Department of Homeland Security estimated [PDF] just 0.7 percent of mobile malware was written for iOS.

Contrasting fortunes for the two major mobile operating systems.

How Apps Get Infected

Who do you think infects an application? The developer? Criminal gangs? Malicious individuals? Perhaps even the government? Well, they’re all right, in some ways.



Most obvious is the rogue developer: an individual who designs apps with malicious capabilities, and publicizes them on the Play Store (or an equivalent). Luckily for you and me, there aren’t many of these individuals.

That is probably for one reason: the amount of effort required to develop, launch, and build a following for the app only to then turn it malicious is… well, too damn high. By the time the app became popular enough to truly profit from (be that via advertising clicker or data theft), the malicious developer might well be making more in advertising revenue.

Far more commonly we see malicious code inserted into an existing app, then republished. This process uses a number of different techniques.


Malvertising is a common scourge of the 21st Century. The premise is simple: you’re served a malicious advert through an official channel. You’re not expecting a malicious attack through a legitimate app, so the adverts catch users by surprise.


The best Android malvertising example is the Svpeng banking Trojan. The Trojan was primarily installed via infected Google AdSense ads targeting Google Chrome for Android users. Here’s the thing about malvertising: you don’t actually have to click on the advert to pick up an infection. Merely viewing the ad is enough.

Application Republishing

Legitimate apps downloaded from an official appstore are infected with malware. Then, they’re republished using their official name, to a litany of appstores (legal or otherwise).

A key feature of application republishing is a slight variation in the app name. Instead of Microsoft Word (the official Microsoft release), it’ll be Micr0soft W0rd. Okay, that is a terrible example, but you get the gist.

Android ransomware, Charger, used this tactic, as did malvertising-malware, Skinner (amongst other tactics).
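A store reviewer or device-management team can screen listings for this kind of name variation automatically. The sketch below is an added example, not code from the article or from any app store; the allow-list, the publisher strings, the verdict labels and the 0.85 threshold are assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample allow-list (listing name -> expected publisher).
KNOWN_APPS = {
    "Microsoft Word": "Microsoft Corporation",
    "VLC for Android": "Videolabs",
}

# Characters commonly swapped in lookalike names, folded to one representative.
# Cross-script homoglyphs (e.g. Cyrillic letters) are not covered here.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "!": "l", "|": "l",
    "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})


def skeleton(name: str) -> str:
    """Fold case, accents, spacing, punctuation and common substitutions."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = no_marks.casefold().translate(CONFUSABLES)
    return "".join(c for c in folded if c.isalnum())


def classify(name: str, publisher: str, threshold: float = 0.85):
    """Return (verdict, closest_known_name) for one store listing."""
    if KNOWN_APPS.get(name) == publisher:
        return ("official", name)
    candidate = skeleton(name)
    best_name, best_score = None, 0.0
    for known in KNOWN_APPS:
        score = SequenceMatcher(None, candidate, skeleton(known)).ratio()
        if score > best_score:
            best_name, best_score = known, score
    if best_name and candidate == skeleton(best_name):
        # Identical after folding: a character-swapped title, or the real
        # title uploaded under a publisher other than the expected one.
        verdict = "publisher-mismatch" if name == best_name else "lookalike"
        return (verdict, best_name)
    if best_score >= threshold:
        return ("lookalike", best_name)  # e.g. a suffix such as "Pro" added
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed listings, as they might appear in a third-party store export.
    for listing in [("Micr0soft W0rd", "Office Apps Dev"),
                    ("Microsoft Word", "Free Office Tools"),
                    ("Microsoft Word", "Microsoft Corporation")]:
        print(listing, "->", classify(*listing))
```

A name match alone does not prove an app is genuine; the publisher comparison is what separates the official listing from a republished copy that keeps the exact title.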


Sale of App

From time to time, a legitimate app developer will sell their valued app. Along with the app come its users. Furthermore, there is the chance to push trusted updates to the existing users.

As yet, there are no documented cases of this particular method of attack. However, it isn’t uncommon for popular app developers to receive acquisition requests. Similar occurrences take place regarding Chrome Extensions. A popular Chrome Extension, with permission to access user data, along with thousands of users, is a veritable goldmine. The developers of Honey, an auto-coupon extension, turned the malicious individual down.

Amit Agarwal had a completely different experience. He sold his Chrome Extension to an unknown individual, only to find the next app update (out of his hands) “incorporated advertising into the extension.” His work, which in his own words only took an hour to make, had become the vehicle for advertising injection.

Do Apple or Google Help?

As the owners of the largest and most popular app repositories, the technology giants have a responsibility to protect their users. For the most part, they do. It is damaging to their users, as well as their reputations, for malicious apps to infest their stores. But one company is leading the way.


Apple are undoubtedly streets ahead when it comes to protecting iOS users from malicious apps. The process of creating and uploading an app to the App Store is more intricate, requiring multiple checks and sign-offs before hitting the storefront. In addition, an iOS app has a smaller range of devices, over a smaller range of operating system versions to cater for. As such, standards are generally higher than Android.


Google have had to work hard to decrease the number of malicious apps featured in the Play Store. With its reputation at risk, Google introduced Play Protect, a “security blanket for your mobile device.” Play Protect actively scans your device to search for malicious apps. Furthermore, Play Protect constantly scans the Play Store itself for malicious apps, suspending developers, and removing the offending material.

Evading Detection

While Google and Apple make concerted efforts to keep our devices malware free, malware authors attempt to evade detection. Irritating, but understandable.

There are a few common ways an attacker will conceal their malicious code:

  • Download the malicious code after installation.
  • Obfuscate the malicious code amongst “clean” code.
  • Time delay/instruct app to wait before downloading or deploying payload.
  • Rely on delivery via an external source (e.g. malvertising).
  • Conceal the malicious app within another medium.

As you can see, there are numerous methods to keep a malicious app, or malicious code within an app hidden from users (let alone the app store they’re downloaded from).

Steer Clear of Mobile Malware

As you’ve seen, there are a significant number of ways that malicious code can enter an app. Furthermore, malicious actors have several methods available for keeping malicious code out of view — until it’s deployed to your smartphone.

How can you steer clear of downloading a malicious app, then?

  1. Only download apps from official app stores…
  2. …and avoid third-party stores.
  3. Check you’re downloading from an official or reputable app developer.
  4. Read app reviews. They’ll give you the information you need.
  5. Keep app verification tools switched on at all times.
  6. Don’t get fooled by offers of free apps.
  7. Keep your phone updated!

There are a lot of malicious apps out there, especially if you’re using an Android device. But by understanding the threats, and sticking to our quick tips, you and your device will remain in good health.

Have you experienced mobile malware? What variant did you encounter? What happened to your smartphone? Were you using an Android or an iOS device? Finally, let us know your mobile malware experiences in the comments below!


  1. Doc
    July 19, 2017 at 8:18 pm

    "…and avoid third-party stores."
    Um, yeah. The Google Play Store still has plenty of malware, while I've never had a problem with also having the Amazon Appstore/Underground on my devices.
    Having a decent antivirus/antimalware (I use Avast) is a really good idea.

    • Gavin Phillips
      July 22, 2017 at 10:56 am

      Well, that is a subjective experience. I've never had anything from the Play Store, or the Amazon Store for that matter. Hence my other tips being focused on user reviews and developer ratings.

      I agree with antimalware. I have MBAM Mobile, works well and doesn't use too many resources in the process.

      What virus/malware did you get?

      • Doc
        July 23, 2017 at 4:55 am

        As I said, **I've never had a problem with apps from the Play Store or from Amazon.** No problems at all. Nor did I have problems with apps from F-Droid, Aptoide, or Getjar...just stick to reputable apps, and know the *real* developers of things that wind up getting "cloned" to put malware in the Play Store (like what happened to VLC and others on the Microsoft Store).
        Some weren't worth the download, but no malware.

        • Gavin Phillips
          July 23, 2017 at 10:10 am

          Sorry, Doc, I misread your comment.

        • yuri
          August 18, 2018 at 1:07 pm

          I find it humorous to say the least that Google the #1 major abuser of user data proliferation is now concerned with user security and privacy. Safe from who? All the other "bad guys" but Google is the good guy. Pathetic. The Android OS development framework and the developer community are the problem. Recent studies from and USC Computer Science Dept found close to 40% of apps are poorly written and many vendors' apps you are forced to have are incorrectly permissioned. Google-Android and hardware vendors are poor enforcers of proper permissions used by apps. Furthermore the APIs are implemented incorrectly leaving data leaks within the inter component level.
          As long as the NSA and Google and all the rest refuse to allow apps and systems to be properly locked down, all the antivirus and antimalware will not matter. Not to mention the public will be led to believe that all their problems will go away if they trust Google. As long as web sites like these use Google Analytics so they will remain dangerously biased. We have paid dearly for our trust in companies like Google. These phones are fraught with poorly permissioned apps right out of the store. Go to and search for inter component communication leaks at a .org or .edu website and read the research. These articles are horribly naive.

  2. BreadInCaptivity
    July 19, 2017 at 4:42 am

    I got the hummer virus or something similar in which ads popped up everywhere and porn apps were downloaded automatically. Phone became unusable. Tried resetting it but the virus came back within an hour by itself......
    I was using a Chinese android phone(no Google services of course) so I was forced to install from 3rd party stores. I then changed my phone. Curse these malware makers.....

    • Gavin Phillips
      July 19, 2017 at 1:44 pm

      That is one of the major downsides to buying a phone that doesn't come with native Google Play services. I know Android and privacy buffs can make do without, but it presents a major security issue for others. What phone was it?