Spyware on Androids Soars
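The article reports that spyware on Android devices surged 147%, with SMS trojans up 692%. Attackers spread malware by disguising it as legitimate apps. User behavior, such as clicking malicious emails and relying on the safety of official stores, leaves users open to attack. Experts stress the need to strengthen API security and software architecture protections to counter the threat. 2025-7-11 14:5:1 Author: securityboulevard.com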

Covid vax skeptics’ concerns that Bill Gates was planting chips in mRNA jabs to track them were rebuffed on social media with memes noting that the real spy devices are the ubiquitous smartphones. Turns out that meme got a little more truth put to it during the first half of this year when, Malwarebytes reports, there was a 147% uptick in spyware on Android devices, with a significant spike in February and March.  

“Banking Trojans and spyware are now outpacing more traditional nuisances like adware and riskware, and what’s changed is the level of sophistication,” Malwarebytes researchers said in a blog post. Threat actors, they explained, “are actively distributing malware through both official and unofficial app channels, often cloaking malicious apps behind layers of legitimacy.” 

In general, malware aimed at Androids rose 151% in February and March but a whopping increase came with the 692% jump in SMS-based malware that occurred in April and May. 

Of course, subversion of mobile devices has piqued the interest of bad actors because they can “undermine weakly defended one-time password accounts and other sensitive information that can be compromised via SMS malware,” says Ken Dunham, cyber threat director at Qualys. Text messages, he points out, “increasingly contain a wealth of sensitive information that can be used for secure authentication as well as extortion of a victim.” 

Pairing SMS malware with identity access broker data makes for a “toxic cocktail for victims targeted by sophisticated adversaries,” he adds.

The biggest problem is user behavior. “Our internal data shows that users are four times more likely to click on malicious emails when using mobile devices compared to desktops,” says Mika Aalto, cofounder and CEO at Hoxhunt.

“What’s even more concerning is that mobile users tend to click on these malicious emails at an even greater rate late at night or very early in the morning, which suggests that people are more vulnerable to attacks on mobile when their defenses are down,” he says. Attackers clearly know this and adjust to exploit it.

And users are often lulled into a false sense of security, wrongly believing, Keeper Security CISO Shane Barney says, “that if an app is available in an official store, it must be safe.”

It is good practice to download from official sources, but he says that doesn’t guarantee a secure app.  “Attackers are getting smarter, using compromised or repurposed developer accounts and embedding phishing infrastructure in ways that can slip past casual scrutiny,” he says. 

Adam Brown, managing consultant at Black Duck, notes that device makers have overcome some of the architecture and code implementation weaknesses that plagued devices in the past. “While improved device resilience and security against malware these days is very positive, app producers and organizations that rely on mobile devices must understand the risk of the software architecture and code implementation on these devices and take action,” he says. 

That’s spot on because app design and development flaws make devices more dangerous. “Design and development flaws, along with insecure API practices and inconsistent security measures, result in vulnerabilities that can be exploited,” says Eric Schwake, director of cybersecurity strategy at Salt Security.  

“For mobile apps that significantly depend on APIs, it’s vital to incorporate security measures for APIs within the app itself,” says Schwake. “This encompasses API posture governance to guarantee secure API configurations and access control and behavioral threat protection to identify and thwart harmful API activities originating from the app.” 

Source: https://securityboulevard.com/2025/07/spyware-on-androids-soars/?utm_source=rss&utm_medium=rss&utm_campaign=spyware-on-androids-soars