"It's been around for PCs for a while, and it's now out there in the wild for Android phones, as well," he says. The most common source of the infection, he adds, is manually downloading software that claims to be a video player from a website other than the Google Play App Store.
2. Using an infected mobile device to infiltrate nearby devices
When working inside a company to identify vulnerabilities, pentester and mobile security expert Georgia Weidman recently asked herself from a hacker's perspective, "wouldn't it be nice if we could just walk into the network with a compromised phone and have direct network access" by way of a client-side attack or social engineering. She concluded that in many cases you can.
"An infected mobile device allows you to breach an organization's perimeter and directly attack the devices on the network instead of having to break in some other way, you've already got direct network access," Weidman says.
Consider a simple scenario. An Android device has been infected with the Smartphone-Pentest-Framework, or SPF Agent. The unsuspecting user thinks it's an official news app, for instance, and thinks nothing of it, but the app is also communicating with an SPF console that's giving thieves access to mobile device data. That device is sharing WiFi with the laptop sitting nearby, and the thief is also able to breach the laptop, which contains company information or access to corporate systems.
"If I have control of their mobile devices, I can go the traditional route like stealing their contacts or sending text messages to a premium number, but also if the device is connected to a WiFi network I can attack additional systems on that network from the infected phone," she explains. "Whether I'm connected to my home WiFi, work WiFi or Starbucks WiFi, if there are any devices with vulnerabilities on that network, I can potentially exploit them directly from the infected mobile device."
3. Cross-platform banking attacks
Gangs are also using malware on PCs to infiltrate mobile phones in hybrid attacks on users' banking accounts, according to John Shier, security advisor at Sophos. A piece of malware dropped on the user's laptop can detect when the user is surfing his banking website. In what is dubbed a "man in the browser" attack, the spying is all done in browser memory "so they can intercept your banking credentials before they get encrypted and sent across the wire," he explains. Adding to the scam, thieves put up a warning message, such as "for increased security, download this app," and they ask for the user's phone number and email address so they can send an SMS to the phone or a download link.