
Mobile threats on the rise: What's to blame?

Although most consumers and businesses have some level of awareness surrounding the risk of mobile infections, many may be unaware of the rapid increase of these infection rates. For example, by the end of 2016, a report from our Threat Intelligence Lab revealed an 83 per cent increase in the smartphone infection rate in the second half of the year. Additionally, mobile device malware infection rates increased steadily in 2016, reaching an all-time high. 

Given these rapidly increasing infection rates, we’re seeing an urgent need for improved IoT device security and we must become more aware of the current trends with regard to mobile threats and device vulnerabilities. Nokia’s Threat Intelligence Lab works to uncover these key trends in part by monitoring and analysing the behaviour of malware network communications. 

Our latest findings include the following:  

  • Mobile infections increased 83 per cent in the second half of 2016.
  • Smart phone infections accounted for 85 per cent of infections detected in the mobile network.
  • The infection rate in mobile networks rose steadily throughout 2016, reaching a new high of 1.35 per cent of devices in the month of October.
  • Windows/PC systems connected to the mobile network using dongles or tethered through phones accounted for 15 per cent of infections.
  • Android continues to be the main mobile platform targeted, but iOS-based devices were also targeted, particularly in the form of Spyphone applications.
  • Mobile IoT devices were compromised by the Mirai botnet and participated in the massive Mirai DDoS attacks in September and October.
  • Security researchers discovered that some brands of mobile phones, whose firmware updates were being managed by Shanghai ADUPS Technology Co. Ltd., were sending private information and the content of SMS text messages to ADUPS-operated servers.

Figure 1. Monthly infection rate on mobile networks since January 2013


This chart provides a look into the significant increase in mobile malware infections in 2016. Most of this growth can be attributed to smart phone infections. 

2016 - The year in review

As we consider what’s next for mobile and IoT security, it’s important to review key events in 2016 that most heavily impacted the mobile security landscape. 

Key mobile security milestones for 2016 included the following:


The biggest network security event of 2016 was certainly the Mirai botnet and the DDoS attacks associated with it. Mirai was unique in that it recruited an army of IoT bots using a simple password guessing attack and then used these to launch three of the largest DDoS attacks in history. 

The first reported attack was a 600Gbit/sec attack on Brian Krebs's website in late September. This was followed a few weeks later by a 1.1Tbit/sec attack on OVH, a French web hosting company. The Mirai source code was released to the hacker community on October 14. A week later, on October 21, a massive DNS flooding attack was launched against DynDNS. This took out several high-profile web services that used DynDNS as their DNS provider, including Twitter, SoundCloud, Spotify and Shopify.

In late November, a subsequent attack, which was attributed to a modified version of Mirai using the TR-069 remote management protocol, disabled over 900,000 home routers in Deutsche Telekom's fixed residential network, disrupting internet service for the affected users.

Figure 2: Mirai telnet login attempts


This activity was detected by Nokia NetGuard Endpoint Security solution prior to the DDoS attacks, enabling us to warn our customers and identify any devices compromised by Mirai. 
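The telnet login-attempt pattern described above can be spotted from ordinary flow records. The following is an added example, not Nokia's detection logic or code from the original article; the flow tuple format, the addresses, the thresholds and the function name are all constructed assumptions. It flags a device that opens telnet connections to many distinct hosts in a short window, while leaving an administrator who repeatedly reaches a single router alone.

```python
from collections import defaultdict

TELNET_PORTS = {23, 2323}      # 23 is telnet; 2323 is a common alternate telnet port
WINDOW_SECONDS = 60            # assumed sliding-window length
MIN_DISTINCT_TARGETS = 5       # assumed threshold for "sweeping" behaviour

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = (
    # IoT camera contacting six different addresses within 25 seconds
    [(1000 + 5 * i, "10.20.0.7", f"198.51.100.{i + 1}", 2323 if i == 3 else 23, "S")
     for i in range(6)]
    # administrator repeatedly connecting to one router over telnet
    + [(1000 + 10 * i, "10.20.0.50", "10.20.0.1", 23, "S") for i in range(8)]
    # five distinct targets, but spread over 20 minutes
    + [(1000 + 300 * i, "10.20.0.9", f"203.0.113.{i + 1}", 23, "S") for i in range(5)]
    # unrelated web traffic from the camera
    + [(1002, "10.20.0.7", "192.0.2.10", 443, "S")]
)

def find_telnet_scanners(flows, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: peak number of distinct telnet targets in any window}."""
    per_src = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        # Only new connection attempts (SYN without ACK) to telnet ports count.
        if port in TELNET_PORTS and flags == "S":
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, peak in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct telnet targets within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connection attempts is what separates a sweeping device from a legitimate but chatty telnet session.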

iPhone - Trident & Pegasus 

In August, Citizen Lab and Lookout published an exposé on Pegasus. This is a professional spyware application from NSO Group Technologies that sells for $25,000 on the dark web. The spyware uses a combination of phishing and three iPhone vulnerabilities (known as Trident) to exploit the phone remotely and launch a cyber-espionage attack against high-profile individuals. The key lesson to be learned here is that, despite the measures taken to secure the Apple iPhone app ecosystem, the iPhone is still vulnerable to exploits and, once jailbroken, is wide open to attack.

ADUPS Spyware

On November 16, it was revealed that approximately 120,000 Blu Inc. phones distributed in the United States had accidentally been loaded with a “Firmware Over The Air” (FOTA) update service from the Chinese firm Shanghai ADUPS Technology Co. Ltd. This firmware sent private user information, including copies of received text messages, to a server in China. 

This raised concerns with mobile operators about the liability of providing their customers with phones that come pre-loaded with spyware. The incident also highlights a sinister trend that has hit the smart phone market: there are several brands of inexpensive phones whose cost is being subsidised by adware that comes pre-installed on the phone.

Pokémon Go & DroidJack

Another notable event in 2016 was the release of the Pokémon Go game in July. This provided an unprecedented opportunity for hackers, and it was only a matter of hours before the Nokia Threat Intelligence Lab found copies of the game that had been injected with malware and made available for download from third-party app stores and web sites. 

We found samples of Pokémon Go infected with a Remote Access Trojan (RAT) called “DroidJack” that allows the attacker to track the phone’s location, record calls, take pictures and steal information and files from the phone. 

Where we go from here 

As a result of these key milestones in 2016, it’s become abundantly clear that cybercrime in the mobile space is on the rise and smart phones are the target of choice. Most notably, Mirai demonstrated the vulnerability of the Internet of Things, where hundreds of thousands of unsecured devices were recruited to launch some of the biggest DDoS attacks on record. 

As a result, the industry must rethink IoT deployment strategies to ensure that these devices are securely configured, securely managed and monitored. We expect this to be a major trend and topic of discussion amongst industry leaders in 2017 and it will be critical for us to work together to uncover long-term solutions to combat the increases in vulnerabilities and attacks. 

Kevin McNamee, Director, Nokia’s Threat Intelligence Lab
Image Credit: Carballo / Shutterstock
