Malware News

5 Active Smartphone Threats that are dangerous for Enterprise Mobile Device Management ( MDM )


Lookout recently researched five families of malware doing just that: spoofing real enterprise apps to lure people to download their malware. Our dataset of mobile code shows that these five, active mobile malware families often impersonate enterprise apps by ripping off the legitimate app’s name and package name. These apps include Cisco’s Business Class Email app, ADP, Dropbox, FedEx Mobile, Zendesk, VMWare’s Horizon Client, Blackboard’s Mobile Learn app, and others.


Shuanet automatically roots a device, installs itself on the system partition (which makes it very difficult to remove), and then installs further applications at will. These applications could be malicious or could be benign apps, pushed to the phone as part of a scheme to get more downloads. Shuanet may also push very aggressive and intrusive advertising to the device.

What is the risk to an enterprise? A threat that can root a device and install further applications is particularly concerning because of a few factors. First, rooted devices are devices in an altered state of security. Oftentimes people will root a device to customize it, but they may not know how to properly configure security on the device post-root and also may not receive regular software updates. Secondly, malware like Shuanet not only roots the device, it then installs itself in the system partition, making it very difficult to remove. Even factory resetting a device infected with malware like Shuanet does not remove the threat. Lastly, malware that installs applications could drop further malicious apps onto the device, putting the device and its data at risk.

Is it live? Yes, this threat is currently active.

Apps which get effected : ADP Mobile Solutions, CamCard Free, Cisco Business Class Email (BCE), Duo Mobile, Google Authenticator, VMWare Horizon Client, Zendesk, Okta Verify


Originally developed as a university project to create a “remote administration tool,” AndroRAT allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.

What is the risk to the enterprise? Hidden remote access software allows an attacker to easily exfiltrate data, corporate and personal, from the mobile device. Also, having continued remote access to a mobile device allows an attacker to infiltrate corporate wifi networks and VPNs that the infected device connects to.

Is it live? Yes, this threat is currently active.

Apps which get effected : Dropbox, Skype, Business Calendar


UnsafeControl can collect contact information and download it to a third-party’s server. It also has the ability to spam that contact list or send SMS messages to phone numbers specified by its command and control (CNC) servers. The message content is also specified by the CNC.

What is the risk to the enterprise? Malware like UnsafeControl steals contact information, which can be considered very sensitive information to many enterprises. For example, the contacts within a Chief or VP of Sales’ device might be a competitive advantage for a company.

Is it live? Yes, this threat is currently active.

Apps which get effected : FedEx Mobile, Google Keep, Remote VNC Pro, Sky Drive, PocketCloud, Skype


PJApps may collect and leak the victim’s phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.

What is the risk to the enterprise? Malware like PJApps is generally using its functionality for monetary gain, but the technology itself is concerning. Threats that collects location information is generally concerning, but especially when considering executives’ devices. This could mean revealing information about a business’ plans. As discussed, the ability to download further applications to a device also opens the device up to new types of malicious software.

Is it live? Yes, this threat is currently active.

Apps which get effected: CamScanner


This application contains an advertising network which may push ads to your notification bar, create pop-up ads, place shortcuts on your home screen and download large files without asking. It may not be clear that this application is displaying these ads.

What’s the risk to the enterprise? The risk might be simpler than you think there. If the device an employee performs her job on suddenly starts interrupting her work, that employee is going to send helpdesk tickets to the company’s IT department. Time is money.

Is it live? Yes, this threat is currently active.

Apps which get effected : Mobile Learn from Blackboard, Evernote, PocketCloud, Remote Desktop, Adobe Reader, aCalendar


About the author

Profile photo of Rakesh Bhatia

Rakesh Bhatia

Leave a Comment

Powered by keepvid themefull earn money