Why is Mobile Spyware Hard to Detect?

Nov 13, 2023


Rocky Cole

In an era where our lives are intricately interwoven with smartphones, the emergence of mobile malware poses a significant risk to our security and privacy. However, despite the pervasive nature of mobile malware, its detection remains a persistent challenge. This inherent difficulty stems from several factors embedded within the architecture of mobile devices and the evolving tactics employed by malware developers.

Walled Gardens

For starters, modern mobile ecosystems are increasingly "walled gardens." Hardware designers and platforms restrict the applications and activities allowed on the devices, and while this strategy offers a layer of protection against mass attacks, it also hinders security teams' ability to deploy tools behind the garden's walls that may aid in detecting malicious activity. The sandboxing of applications, a cornerstone of mobile security, further complicates malware detection. Sandboxing isolates each app within its own confined environment, preventing it from directly interacting with other apps or the system itself. This isolation limits the potential damage caused by malicious apps, but also makes them more challenging to detect.

Malware Developers

Another hurdle in detecting mobile malware is that malware developers take great pains to avoid detection. For example, unlike traditional malware that persistently resides on disk, sophisticated mobile malware can operate solely in memory, leaving minimal forensic traces. To top it all off, malware developers often employ anti-forensics techniques, such as tampering with system logs, that actively obstruct detection efforts and make it virtually impossible to find definitive evidence of an attack.

Put simply, when it comes to mobile security, it’s hard to get over the garden’s tall walls, but when malicious actors get through the primary defenses, there’s no one to catch them. And the malicious actors that routinely breach defenses tend to be savvy.

Indicators of Compromise

The iVerify app utilizes various methods to detect malware. For example, we look for specific artifacts, known as Indicators of Compromise (IoCs), to identify the presence of known malware. These IoCs are shared within the community, and we also develop our own. While we can identify known malware in this fashion, we don’t have a complete picture of the device because we are bound to the same sandbox restrictions as any other app.

Organizations need additional tools if they are to go toe-to-toe with the savviest malware developers; specifically, an approach that combines deep visibility of system behavior, forensic artifact reconstruction, and continuous monitoring for suspicious activities. As mobile malware evolves, security teams must adapt their techniques and develop innovative strategies to keep pace. iVerify is building the first mobile threat hunting company focused on tackling the most advanced mobile threats, and in the coming days, we will announce the launch of a suite of tools designed to scale the end-to-end process of mobile forensics.

Stay tuned!

Jelmer de Hen, Head of Android R&D

Rocky Cole, COO and Co-Founder