BlackBerry Cylance Releases Mobile Malware Report

Mobile threats have been around nearly as long as the mobile phone, but they continue to increase in number and complexity as mobile devices become more embedded in, and critical to, our everyday lives. What started out as a somewhat limited attack surface more than a decade ago has grown into a vast landscape of devices utilising the iOS and Android operating systems.

These devices include mobile phones, tablets, televisions, medical devices, alarm systems, and point-of-sale credit card payment systems, among others.

BlackBerry today released a new mobile malware report, Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform, which examines how advanced persistent threat (APT) groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing surveillance and espionage campaigns.

In the report, BlackBerry researchers reveal what the focus on those groups has overshadowed: several governments with well-established cyber capabilities adapted to the mobile threat landscape long ago and have been exploiting it for a decade or more. In this context, mobile malware is not a new or niche effort, but a longstanding part of a cross-platform strategy integrated with traditional desktop malware in diverse ways across the geopolitical sphere.

The report documents several previously unidentified APT attack campaigns and new malware families and fills gaps in other published research about mobile malware activity by known APT groups.

The researchers examined mobile and mobile/desktop campaigns by APT groups connected to China, Iran, North Korea and Vietnam, as well as two other unidentified but likely state-sponsored threat actors, all of whom were focused on foreign and/or domestic targets for economic and/or political objectives.

“This research demonstrates that mobile attacks are much more pervasive of a threat than previously estimated,” says Eric Cornelius, Chief Technology Officer at BlackBerry Cylance.

“It should come as a surprise to many to learn how coordinated and long-standing the campaigns targeting mobile users have been, as they have been easy targets for APT groups because of a historical deficit in effective security solutions for detecting and preventing mobile malware.”

Previously unidentified intelligence the report reveals includes:

  • A newly identified threat actor dubbed BBCY-TA2 is utilising a newly identified Android malware family dubbed PWNDROID3 in combination with a newly identified Windows malware family dubbed PWNWIN1 that is distributed via bogus mobile applications that mimic a popular bitcoin cashing application, in a newly identified cross-platform campaign dubbed OPERATION DUALCRYPTOEX.
  • A newly identified threat actor dubbed BBCY-TA3 engaged in economic espionage against targets that include a range of Western and South Asian commercial enterprises in the telecommunications space, as well as nearly every chemical manufacturing company in the world outside of China, and is sharing attack infrastructure with BBCY-TA2.
  • A newly discovered cross-platform espionage campaign dubbed OPERATION OCEANMOBILE, conducted by APT group OCEANLOTUS, is employing a newly identified Android malware family dubbed PWNDROID1 that is being delivered via a sophisticated trio of fake mobile applications.
  • A newly identified cross-platform espionage campaign dubbed OPERATION DUALPAK, by APT group BITTER, is targeting the Pakistani military, leveraging a newly identified mobile malware family dubbed PWNDROID2 that is being distributed via fake applications, SMS, WhatsApp and other social media platforms.
  • A second newly identified cross-platform espionage campaign leveraging interest in the recent Kashmir crisis, dubbed OPERATION DUALPAK2 and conducted by CONFUCIUS, is targeting the Pakistani government and military, utilising a newly identified Windows malware family dubbed PWNWIN2, which was distributed by way of a JavaScript version of a chat application.

As mobile devices grow in type and adoption, they provide a quick means to access sensitive data from select targets. This report highlights that mobile malware use by state or state-sponsored APT groups far exceeds what was previously estimated as a more limited attack vector.

The report also reveals that APT groups are actively using mobile malware in conjunction with traditional desktop malware campaigns, that threat actors with distinctly different target sets are sharing attack infrastructure, and that some APTs are pivoting focus from domestic to foreign targets.

“Both organisations and consumers should be very concerned about what this means for not only their information, but also the safety and security of the countries in which they reside,” says Brian Robison, Chief Evangelist at BlackBerry Cylance.

“It’s clear that the market for exploits targeting mobile devices has skyrocketed, and the sheer scale of what we found – mobile malware that is interwoven with desktop malware campaigns – shows definitively that several nation states are getting in on the mobile campaign action. It is essential that organisations utilise the utmost advanced technology to protect and secure the mobile landscape.” 

The full report can be read here.
