Our phones as double agents: Unmasking the mobile threats in our pockets
We trust our phones with much of our daily activity: banking, shopping, messaging, and identity verification. This level of reliance introduces a critical question: what happens when the device itself is influenced by an attacker?
In our recent webinar with ThreatFabric “Our Phones as Double Agents: Unmasking the mobile threats in our pockets”, we explored how the mobile threat landscape has evolved. A key observation is that attacks are no longer limited to simple scams. Many are now automated, operate in real time, and are often not visible to the victim.
In this blog, we’ll unpack this key takeaway, exploring common mobile malware techniques that exploit the device itself to conduct their attacks.
Android: The proving grounds of mobile malware
The majority of mobile malware targets the Android OS, and its frequency is rising: both the number of malware families and their capabilities increase year over year.
Mobile malware has existed almost as long as smartphones. Early variants primarily focused on collecting sensitive data such as login credentials or SMS-based one-time passwords, which were then used elsewhere.
Around 2017, the focus shifted. Instead of only extracting information, attackers began using the infected device itself to execute fraud. This changed the role of the mobile device from a source of data to an active component in the attack.
Modern Android malware is able to:
- Interact directly with banking applications
- Initiate and complete transactions in real time
- Operate without obvious indicators to the user
This evolution is largely enabled by remote control capabilities. Malware typically connects to command-and-control (C2) infrastructure, allowing attackers to send instructions, modify behavior, and scale operations dynamically.
In many cases, malware does not exploit technical vulnerabilities in applications themselves. Instead, it abuses legitimate operating system features. Accessibility services are a primary example. These were designed to assist users but can also enable malware to:
- Read screen content
- Capture user input
- Overlay content on top of legitimate applications
- Interact with apps programmatically
At a more advanced level, some malware enables full device takeover (DTO). In such cases, an attacker can remotely operate the device, navigating apps and executing actions as if physically present, often without the user noticing.
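Because accessibility-service abuse is the common thread in the capabilities listed above, a defender's first question for a device is simply which accessibility services are enabled. The following is an added example, not code from the webinar or from ThreatFabric: it parses Android's `enabled_accessibility_services` secure setting (the value printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries) and reports services whose package is not on an expected list. The allowlist, the `com.example.sideloaded` package and the sample strings are constructed for illustration.

```python
"""Added example (not from the webinar or ThreatFabric): parse Android's
enabled_accessibility_services setting and flag services that a banking
app would not expect to see on the device.

Input format: colon-separated entries of the form
`package.name/fully.qualified.ServiceClass`, as printed by
`adb shell settings get secure enabled_accessibility_services`.
The allowlist and the sample strings are constructed for illustration.
"""
from __future__ import annotations

# Assumed allowlist of accessibility packages treated as expected; a real
# deployment would maintain this from its own telemetry, not hard-code it.
EXPECTED_PACKAGES = {
    "com.google.android.marvin.talkback",  # Android's built-in screen reader
}


def parse_enabled_services(raw: str | None) -> list[tuple[str, str]]:
    """Return (package, service_class) pairs from the raw setting value.

    `settings get` prints the literal string "null" when nothing is enabled,
    so that case and the empty string both yield an empty list.
    """
    if raw is None or raw.strip() in ("", "null"):
        return []
    pairs = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue  # tolerate a trailing or doubled separator
        package, sep, service = entry.partition("/")
        if not sep:
            # Malformed entry with no class part: keep the package visible
            # to the caller rather than silently dropping it.
            service = ""
        # A leading dot is Android's shorthand for "class in the same package".
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def unexpected_services(raw: str | None,
                        expected: set[str] = EXPECTED_PACKAGES) -> list[tuple[str, str]]:
    """Services whose package is not on the expected list.

    This is a risk signal for a banking app, not proof of malware: legitimate
    assistive apps also register accessibility services.
    """
    return [(pkg, svc) for pkg, svc in parse_enabled_services(raw)
            if pkg not in expected]


if __name__ == "__main__":
    # Constructed sample: TalkBack plus an unknown sideloaded package.
    sample = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.sideloaded/.ControlService")
    for pkg, svc in unexpected_services(sample):
        print(f"unexpected accessibility service: {pkg} ({svc})")
```

The check deliberately reports the service rather than deciding on its own that the device is compromised; an app would combine it with the behavioral signals discussed later before intervening in a session.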
The role of AI in modern fraud and malware campaigns
Artificial intelligence is increasingly being used to support fraud and malware distribution at scale. One observed use case is the automated generation of fake social media profiles and content, which are then used to build credibility and distribute malicious links or applications.
Campaigns such as Datzbro demonstrate how targeted these approaches can be: focusing on specific demographics, such as senior citizens, while originating from a different region. In parallel, traditional scam models, such as romance scams, are being combined with mobile malware deployment, blending social engineering with technical compromise.
There are also early indications that threat actors are experimenting with AI-assisted development (“vibe coding”), which may lower the barrier to entry and accelerate malware creation. While the effectiveness of these techniques varies, the overall impact is a broader pool of actors and faster iteration of attack campaigns.
The distribution of Android malware is still largely dependent on user interaction. Most infections occur when users install applications from outside official app stores (sideloading), often disguised as legitimate tools or services. In other cases, applications initially appear benign but introduce malicious functionality in later updates.
Data theft as an enabler for future fraud
Not all malware is focused on immediate financial gain. In many cases, its primary function is to collect and extract data that can be used later in fraud and scam campaigns.
A recent example is the Perseus malware, which specifically looks for commonly used notes applications and exfiltrates stored information. This is effective because users often store sensitive data (passwords, recovery phrases, or personal details) in these apps. Once obtained, this information can be reused in later attacks, including account takeover, impersonation scams, or targeted social engineering. In this way, initial device compromise serves as a preparation stage for more effective and personalised fraud.
What about Apple iOS?
Apple’s iOS ecosystem has historically had stricter controls compared to Android, including tighter app review processes and limited sideloading. This has reduced the prevalence of traditional mobile malware.
However, this does not eliminate risk.
Instead of relying on malware installation, many attacks on iOS focus on social engineering and abuse of platform features. One example is the use of web clips — home screen icons that resemble applications but open phishing websites. These can replicate banking or cryptocurrency interfaces and prompt users to enter sensitive information.
In addition, evolving platform features and regulatory changes (e.g. support for alternative app distribution models) may gradually expand the attack surface. While the technical barriers are higher, attackers adjust their methods accordingly, often targeting user behavior rather than the device itself.
NFC Threats
Near-field communication (NFC), commonly used for contactless payments, has introduced another attack vector.
Attackers have developed methods to use compromised or controlled devices as relay tools. In these scenarios, victims are persuaded to interact with their payment card and mobile device in a way that enables the card data to be read. That information can then be transmitted in real time to another device.
This type of setup can be used to:
- Perform contactless payments
- Withdraw cash from ATMs (where supported)
- Provision cards into digital wallets
There are indications that such operations can be organized and scaled, with devices configured to carry out repeated transactions using remotely supplied card data.
So… Are our phones Double Agents?
In practice, mobile threats increasingly rely on the device itself. Rather than bypassing security controls entirely, attackers operate within the context of legitimate devices, applications, and sessions.
This creates challenges for detection. Activity may appear consistent with normal user behavior, while in reality it is being influenced or controlled externally.
For financial institutions, this introduces a limitation: visibility often ends at the boundary of the banking application. However, that same application context also provides an opportunity to observe indicators that something is abnormal.
Staying Ahead
As mobile threats evolve, visibility into device and behavioral signals becomes more important.
Indicators can be identified before fraudulent transactions occur. These may include:
- Unexpected interaction patterns within the app
- Signs of remote control tools or automated behavior
- Indicators of malware presence or device manipulation
Analyzing these signals allows earlier intervention, before funds are moved or accounts are compromised.
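The signals listed above are only useful if the app actually computes them from its own telemetry. The following is an added example, not code from the webinar or from ThreatFabric, showing one way a banking app could score a session from its recorded touch events. It assumes the app logs each touch as a timestamp, screen coordinates and the `FLAG_WINDOW_IS_OBSCURED` bit that Android sets on a `MotionEvent` when another window was drawn over the touched point (the mechanism an overlay attack relies on). The thresholds and both sample sessions are constructed for illustration and would need calibration against real user data.

```python
"""Added example (not from the webinar or ThreatFabric): score a banking-app
session for signs of automation or remote control using in-app touch
telemetry.

Assumptions: the app records each touch as (t_ms, x, y, obscured), where
`obscured` is the MotionEvent FLAG_WINDOW_IS_OBSCURED bit Android sets when
another window was drawn over the touched point. Thresholds and the two
sample sessions below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Touch:
    t_ms: int          # milliseconds since session start
    x: int
    y: int
    obscured: bool = False  # FLAG_WINDOW_IS_OBSCURED was set on the event


# Constructed tuning values; a real system calibrates these per app and screen.
MIN_EVENTS = 5             # below this there is too little data to judge
MAX_INTERVAL_CV = 0.05     # timing this regular looks machine-driven
MAX_EVENTS_PER_SEC = 8.0   # sustained rate beyond what a person taps


def session_signals(touches: list[Touch]) -> list[str]:
    """Return the names of the indicators raised for one session.

    Each indicator is a hint, not a verdict; the caller decides how many
    hints justify step-up authentication or holding a transaction.
    """
    signals: list[str] = []
    if len(touches) < MIN_EVENTS:
        return signals
    ordered = sorted(touches, key=lambda e: e.t_ms)

    # 1. Scripted input tends to fire at a fixed cadence; humans do not.
    intervals = [b.t_ms - a.t_ms for a, b in zip(ordered, ordered[1:])]
    avg = mean(intervals)
    if avg > 0 and pstdev(intervals) / avg < MAX_INTERVAL_CV:
        signals.append("uniform_timing")

    # 2. Event rate higher than a person can sustain.
    span_s = (ordered[-1].t_ms - ordered[0].t_ms) / 1000
    if span_s > 0 and len(ordered) / span_s > MAX_EVENTS_PER_SEC:
        signals.append("superhuman_rate")

    # 3. A touch delivered through another window points at an overlay.
    if any(e.obscured for e in ordered):
        signals.append("touch_through_overlay")

    # 4. Injected taps often reuse one exact coordinate; fingers drift.
    if len({(e.x, e.y) for e in ordered}) == 1:
        signals.append("identical_coordinates")
    return signals


def risk_score(touches: list[Touch]) -> int:
    """Simple count of raised indicators; a weighted model would replace this."""
    return len(session_signals(touches))


# Constructed sample sessions.
HUMAN_SESSION = [
    Touch(0, 312, 1040), Touch(410, 530, 1210), Touch(1140, 288, 905),
    Touch(1400, 612, 1312), Touch(2380, 330, 1025), Touch(2920, 505, 1198),
]
AUTOMATED_SESSION = [
    Touch(t, 540, 1200, obscured=True) for t in range(0, 600, 100)
]

if __name__ == "__main__":
    for name, session in (("human", HUMAN_SESSION), ("automated", AUTOMATED_SESSION)):
        print(f"{name}: score={risk_score(session)} signals={session_signals(session)}")
```

Scoring the session continuously, rather than only at the moment a transfer is submitted, is what lets the app act before funds move; the indicators above are cheap enough to evaluate on every screen.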
In this context, the key challenge is not only detecting fraudulent transactions, but understanding the conditions under which they are initiated.
Watch the full webinar here: