What Is Mobile Malware? Types and Defense
Mobile malware is malicious software designed to target mobile devices, primarily smartphones and tablets, to steal data, commit fraud, spy on the user, or take control of the device.
A bank fraud team sees a cluster of account takeovers that make no sense. The logins come from the customers' own phones, the right devices, the right locations, and they sail through the SMS one-time-password check. No stolen passwords show up on any breach dump. When investigators finally image one of the phones, they find it: an app the user sideloaded weeks earlier, sitting quietly with accessibility permissions, reading the screen, capturing the banking PIN as it was typed, and intercepting the very OTP texts meant to stop this. The phone was the breach. Nothing on the bank's servers was ever touched.
That is mobile malware. It is malicious software built specifically to run on smartphones and tablets, and it goes after the things a phone holds that a laptop usually does not: your banking apps, your text messages, your contacts, your camera and microphone, your location, and the second factor that protects every other account you own. This guide covers what mobile malware is, the main types, how Android and iOS differ in exposure, how infections actually reach a device, the signs of compromise, and how defenders detect and prevent it.
What is mobile malware?
Mobile malware is malicious software designed to target mobile devices, primarily smartphones and tablets, to steal data, commit fraud, spy on the user, or take control of the device. It is a category of malware defined by its target platform, not by a single behavior. The same goals that drive malware on a desktop (theft, extortion, surveillance, fraud) all show up on mobile, adapted to what a phone is and what it carries.
What makes the phone such a valuable target is concentration. A modern smartphone is a single device that holds banking and payment apps, the SMS and authenticator codes that protect every login, a camera and microphone, precise location, email, messaging, and a contact list an attacker can mine or impersonate. Compromise one phone and you potentially own the user's finances, their identity, and their second factor in one move.
The phone is also harder to inspect than a laptop. Mobile operating systems sandbox apps and hide the filesystem from the user, which protects the device but also means a victim cannot easily browse running processes, dump memory, or see what an app is doing. The same isolation that makes phones safer by default makes a successful infection harder for an ordinary user to spot.
Android vs. iOS: why the exposure differs
Mobile malware is not evenly distributed across platforms, and the reason is how each operating system lets software get installed.
Android is open. It permits sideloading, installing apps from outside the official store via APK files, and allows third-party app stores. That openness is a genuine feature, but it is also the single biggest reason the overwhelming majority of mobile malware targets Android: an attacker can convince a user to install an app without ever passing a store review. Google Play Protect screens apps, but anything installed from outside the store sidesteps that gate.
iOS is closed by comparison. Apps come only from the App Store and pass Apple's review, and the system blocks installation from arbitrary sources. This walled garden makes commodity malware far harder to deliver, which is why broad iOS malware campaigns are rare. It does not make iOS immune. Targeted attacks still reach iPhones through zero-click exploits in messaging and other apps, the kind used by commercial spyware such as NSO Group's Pegasus, which has been documented infecting fully patched iPhones with no user interaction. The lesson is not that one platform is safe, it is that the threat model differs: Android faces volume, iOS faces precision.
Jailbreaking or rooting flips the picture on either platform. Both remove the manufacturer's built-in restrictions to give the user full control, and in doing so they disable the sandboxing and code-signing protections that keep malware contained. A rooted or jailbroken device has thrown away the strongest defense the OS provides, which is exactly why mobile threat tooling treats a rooted state as a high-risk signal in its own right.
Types of mobile malware
Mobile malware is usually classified by what it does once it runs. These categories overlap (a single piece of malware often combines several), but they map cleanly to attacker goals.
Mobile banking trojans. The dominant and most lucrative category. These masquerade as legitimate apps and exist to steal financial credentials. The signature technique is the overlay attack: when the user opens a real banking app, the trojan draws a fake login screen on top of it, capturing the credentials the user types. Combined with the ability to read incoming SMS, the same malware intercepts the one-time passcodes meant to stop fraud, defeating SMS-based two-factor authentication. Anatsa is a current heavyweight, distributed through Google Play droppers and documented targeting more than 800 banking and crypto apps worldwide, while families like Hook and Octo descend from the leaked source code of the older Cerberus trojan and keep the same playbook alive.
Mobile spyware and stalkerware. Software that covertly monitors the user: location, messages, call logs, photos, microphone, and camera. This ranges from commercial-grade tooling like Pegasus, used against journalists, dissidents, and officials, down to consumer stalkerware sold to monitor a partner or family member. Many Android banking trojans rely on the same surveillance capabilities, abusing the accessibility service to read the screen and log keystrokes.
Mobile ransomware. On phones, ransomware typically locks the screen and demands payment rather than encrypting files, since cloud backups make file encryption less effective than on a PC. It blocks access to the device behind a persistent demand screen.
Adware and click fraud. Aggressive ad software that floods the device with advertisements, and click-fraud malware that hijacks the phone to silently click ads and generate fraudulent revenue for the operator. Often the most visible nuisance category, and a common payload in malicious apps that slip into stores.
Mobile cryptomining malware. Hijacks the device's processor to mine cryptocurrency for the attacker. On a phone this shows up as a hot device, fast battery drain, and sluggish performance, since the small CPU is being pushed to its limit.
Remote access trojans (RATs). Give an attacker broad remote control of the device: applications, call history, contacts, browsing history, SMS, and often the camera and microphone. A RAT is less a single-purpose tool than a foothold that can do most of the above on demand.
How mobile malware spreads
Mobile malware rarely breaks in through a software flaw alone. The dominant delivery path is convincing the user to install it or hand over access, which is why mobile threats lean so heavily on social engineering.
- Mobile phishing and smishing. Phishing aimed at phones, delivered by SMS (smishing), messaging apps, social media, and email. The small screen hides full URLs and sender details, and users tap faster on a phone than at a desk, which is why mobile users click malicious links at far higher rates than desktop users. The link leads to a spoofed login page or a prompt to install a malicious app.
- Malicious apps and sideloading. The classic Android vector. A user is steered to download an APK from outside the official store, or installs an app from a third-party store, and the app is malicious or carries a hidden payload. Sideloading bypasses the store's review entirely.
- Trojanized apps in official stores. Even vetted stores are not airtight. Attackers slip malicious functionality past review, sometimes shipping a clean app first and pushing the malicious code later through an update, or hiding the payload behind a remote trigger. These are harder to spot because the app came from the store the user trusts.
- Fake updates and spoofed sites. A spoofed banking or service site prompts the user to install a security update or new app that is actually malware, trading on the trust of a familiar brand.
- Abuse of permissions and accessibility services. On Android especially, the payoff step is convincing the user to grant powerful permissions, above all the accessibility service, which lets an app read everything on screen and act on the user's behalf. That single grant is what powers overlay attacks, keylogging, and SMS interception.
- Exploits and zero-click attacks. Less common but the most dangerous: malware that uses a software vulnerability to install with little or no user interaction. Zero-click exploits in messaging apps, used by high-end commercial spyware, need no tap at all and leave almost nothing for the user to notice.
The throughline: most mobile compromise is consent obtained by deception. The user installs the app or grants the permission because the request looked legitimate.
Signs a mobile device is infected
Mobile malware tries to stay quiet, but the resources it consumes and the behavior it produces leak signals. None is proof on its own, but together they build a case.
- Fast battery drain and overheating. Spyware, RATs, and cryptominers run in the background continuously, which burns battery and heats the device even when it is idle.
- Unexplained data usage. Malware exfiltrating data or talking to a command server generates network traffic that shows up as a spike in mobile data with no matching user activity.
- Sluggish performance and crashes. A device that suddenly slows, freezes, or crashes apps may be carrying malware competing for resources.
- Pop-ups and unwanted ads. A flood of aggressive ads, especially outside any browser, is the calling card of adware.
- Unfamiliar apps or settings changes. Apps the user never installed, or settings and permissions that changed on their own, point to something operating without consent.
- Unexpected charges or account activity. Premium-SMS charges, unrecognized purchases, or fraud on a banking app can be the downstream result of a trojan.
On a managed fleet these same signals are far easier to see in aggregate than on a single phone, which is the argument for centralized mobile security rather than relying on users to notice.
How to detect mobile malware
Detecting mobile malware is harder than on a desktop, because the OS hides the filesystem and process list from the user and there is no easy way to run a traditional scanner against everything. Detection therefore leans on telemetry, behavior, and device posture rather than file scanning.
Mobile Threat Defense (MTD) is the category of tooling built for this. An MTD agent runs on the device and watches for malicious or risky apps, network attacks such as malicious hotspots and man-in-the-middle interception, phishing links, and OS-level risks. It reports posture, including whether the device is rooted or jailbroken, to a central console.
The high-value detection signals on mobile are specific:
- Rooted or jailbroken state. A device with its OS protections removed is both a target and a warning sign. Detecting that state is one of the most important single checks, because it means the platform's own defenses are gone.
- Risky permission grants. An app holding the accessibility service, SMS read access, or device-admin rights without a clear reason is a red flag, since those permissions are exactly what banking trojans and spyware need.
- Malicious and known-bad apps. Comparing installed apps against threat intelligence, and analyzing app behavior, catches known families and trojanized apps.
- Network and phishing signals. Connections to known malicious infrastructure, suspicious certificates, and phishing URLs opened on the device are detectable at the network layer even when the malware itself is hidden.
- Device and OS telemetry. Out-of-date OS versions, abnormal settings, and changes to security configuration all feed a risk score.
For organizations, MTD usually integrates with Mobile Device Management (MDM) and the broader security stack, so a risky device can be flagged, quarantined from corporate resources, or wiped. This is the same behavioral logic that endpoint detection and response (EDR) applies to laptops and servers, adapted to the constraints of a phone: you cannot freely scan the disk, so you watch posture, permissions, behavior, and network.
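The posture-based scoring described above, as an added example that is not part of the original article or of any MTD product: it applies the article's detection signals (rooted state, risky permission grants, known-bad and sideloaded apps, outdated OS) to a constructed device inventory and ranks the fleet. The weights, the allowlist, the denylist package name, the installer labels and the minimum OS versions are all assumed placeholder values; the Android permission names are real.

```python
# Weights per detection signal (constructed values, not from any real product).
WEIGHTS = {
    "rooted_or_jailbroken": 50,
    "known_bad_app": 40,
    "risky_permission": 20,
    "sideloaded_app": 15,
    "outdated_os": 10,
}

# Permissions that banking trojans and spyware need (real Android names).
RISKY_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Apps with a legitimate need for those permissions (constructed allowlist).
ALLOWLISTED_PACKAGES = {"com.example.screenreader"}
# Threat-intel denylist (constructed placeholder, not a real indicator).
KNOWN_BAD_PACKAGES = {"com.example.fake-bank-update"}
# Installer labels as a hypothetical MTD inventory would report them.
OFFICIAL_INSTALLERS = {"com.android.vending", "app_store"}
# Assumed minimum supported major OS version per platform.
MIN_SUPPORTED_OS = {"android": 13, "ios": 17}


def assess_device(device: dict) -> dict:
    """Score one device and return the findings that produced the score."""
    findings = []
    if device.get("rooted_or_jailbroken"):
        findings.append(("rooted_or_jailbroken", device["id"]))
    platform = device["platform"]
    if device["os_major"] < MIN_SUPPORTED_OS[platform]:
        findings.append(("outdated_os", f"{platform} {device['os_major']}"))
    for app in device.get("apps", []):
        pkg = app["package"]
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(("known_bad_app", pkg))
        if app.get("installer") not in OFFICIAL_INSTALLERS:
            findings.append(("sideloaded_app", pkg))
        if pkg not in ALLOWLISTED_PACKAGES:
            granted = RISKY_PERMISSIONS & set(app.get("permissions", []))
            for perm in sorted(granted):
                findings.append(("risky_permission", f"{pkg}:{perm}"))
    score = min(sum(WEIGHTS[kind] for kind, _ in findings), 100)
    return {"id": device["id"], "score": score, "findings": findings}


def triage(devices: list, threshold: int = 50) -> list:
    """Return the ids of devices at or above the threshold, highest risk first."""
    scored = [assess_device(d) for d in devices]
    flagged = [r for r in scored if r["score"] >= threshold]
    return [r["id"] for r in sorted(flagged, key=lambda r: -r["score"])]


# Constructed sample inventory: one clean phone, one that shows the full
# banking-trojan pattern, one with an allowlisted accessibility app.
SAMPLE_DEVICES = [
    {"id": "phone-01", "platform": "android", "os_major": 14, "apps": [
        {"package": "com.example.bank", "installer": "com.android.vending",
         "permissions": ["android.permission.INTERNET"]}]},
    {"id": "phone-02", "platform": "android", "os_major": 12,
     "rooted_or_jailbroken": True, "apps": [
        {"package": "com.example.fake-bank-update", "installer": "unknown",
         "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE",
                         "android.permission.READ_SMS"]}]},
    {"id": "phone-03", "platform": "android", "os_major": 12, "apps": [
        {"package": "com.example.screenreader", "installer": "com.android.vending",
         "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE"]}]},
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(assess_device(d))
    print("flagged:", triage(SAMPLE_DEVICES))
```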
How to prevent mobile malware
Prevention on mobile is mostly about cutting off the install path and limiting what a compromised app can reach.
- Install only from official stores, and avoid sideloading. The single most effective control on Android. Disable installation from unknown sources, and do not install APKs from links or third-party stores. On iOS, do not jailbreak.
- Do not root or jailbreak devices. It strips the OS protections that contain malware. On managed devices, detect and block rooted or jailbroken states outright.
- Scrutinize app permissions. Be suspicious of any app requesting the accessibility service, SMS access, or device-admin rights without an obvious need. Review and revoke permissions that do not fit the app's purpose.
- Keep the OS and apps patched. Updates close the vulnerabilities that exploit-based and zero-click malware rely on. An up-to-date device is a much harder target.
- Treat unsolicited links and attachments as hostile. Most mobile compromise starts with a phishing message. Do not tap links or install apps from unsolicited SMS, messaging, or email, even when the sender looks familiar.
- Move off SMS-based two-factor authentication. Because trojans intercept SMS, prefer an authenticator app or a hardware security key for high-value accounts.
- Deploy MTD and MDM on managed fleets. For organizations, centralized mobile threat defense and device management provide the visibility, posture checks, and response that individual users cannot.
Layered, these controls attack mobile malware where it is weakest: the moment of installation and the grant of permission. Close the sideload path, deny the dangerous permission, and patch the exploit, and most of the threat never reaches the data it came for.
Frequently Asked Questions
What is mobile malware?
Mobile malware is malicious software designed specifically to target mobile devices such as smartphones and tablets. Its goals are the same as malware elsewhere, stealing data, committing fraud, spying on the user, or taking control of the device, but it is adapted to what a phone holds: banking apps, text messages, two-factor codes, contacts, location, and the camera and microphone.
Can iPhones get malware, or is it only an Android problem?
Both can be infected, but the risk profiles differ. The large majority of mobile malware targets Android because it allows sideloading and third-party app stores, which let attackers deliver apps without store review. iOS is far more locked down, so broad campaigns are rare, but iPhones are still hit by targeted attacks, including zero-click exploits used by commercial spyware like Pegasus that can compromise a fully patched device with no user interaction.
How does mobile malware get onto a phone?
Most often by convincing the user to install it. Common paths are phishing and smishing messages with malicious links, sideloaded apps and APKs from outside the official store, trojanized apps that slip past store review, fake update prompts, and abuse of permissions such as the Android accessibility service. Less common but most dangerous are exploit-based and zero-click attacks that need little or no user interaction.
What are the signs my phone has malware?
Common signs include fast battery drain and overheating when the device is idle, unexplained spikes in data usage, sudden sluggishness or app crashes, a flood of pop-up ads, apps or settings you did not change, and unexpected charges or account activity. No single sign is proof, but several together are a strong indicator of compromise.
How do mobile banking trojans steal money if I use two-factor authentication?
Banking trojans use an overlay attack, drawing a fake login screen over the real banking app to capture the credentials you type. Crucially, the same malware reads incoming SMS, so it intercepts the one-time passcode sent for two-factor authentication and completes the fraud. This is why SMS-based 2FA is weak against mobile malware, and why an authenticator app or hardware security key is safer for high-value accounts.
How do organizations detect and stop mobile malware?
Through Mobile Threat Defense (MTD) and Mobile Device Management (MDM). MTD agents watch for malicious apps, risky permissions, network attacks, phishing, and whether a device is rooted or jailbroken, then report a risk posture to a central console. Integrated with MDM, a risky device can be flagged, cut off from corporate resources, or wiped. The approach mirrors endpoint detection and response on laptops, adapted to a platform where you cannot freely scan the disk.
The bottom line
Mobile malware is malware aimed at the device that holds the most concentrated value a person owns: their money, their identity, and the second factor that guards everything else. Android takes the volume because it allows sideloading, while iOS faces rarer but precise targeted attacks. The dominant goal is financial: banking trojans use overlay screens and SMS interception to drain accounts and beat two-factor authentication, alongside spyware, ransomware, adware, cryptominers, and remote access trojans.
For a defender the leverage points are clear. Most infections require the user to install an app or grant a permission, so the install path and the permission prompt are where prevention pays off: official stores only, no rooting, no dangerous grants, patched systems, and a hard move away from SMS-based 2FA. On managed fleets, mobile threat defense gives the visibility a single phone cannot. The phone is now the endpoint that matters most, and it deserves the same scrutiny as any server on the network.