A DIGITAL LIFE E-GUIDE
in the Mobile Web
Mobile malware isn’t the only thing you have to worry
about every time you use your mobile device to go online.
Cybercriminals are stepping up the production and
sophistication of their mobile threats. They’re not stopping at
just creating malicious apps and putting them where you can
easily mistake them for legitimate ones. By using bad URLs
that execute malicious routines, cybercriminals also make
browsing the web on your mobile device more dangerous.
It Doesn’t Stop at
Malicious URLs come in different forms:
• Malicious domains use keywords related to anything
mobile (e.g. Android, mobile, etc.). These domains host
mobile malware in the form of .APK files, which are
recognized by Android as mobile app installation files.
Sometimes these files are advertised as free versions of
paid apps, or are automatically downloaded onto your
mobile device without your knowledge.
• Malware-tied websites are linked to a mobile malware’s
malicious routines. 16.88% of all the malicious and high-
risk apps we’ve detected so far connect to bad URLs.
These URLs can vary in function. They can serve as a
repository of stolen information, host configuration files
or malware components, or host malicious ads or adware.
• Mobile phishing websites spoof legitimate login pages.
Cybercriminals trick you into giving your login details by
relying on the inability of some smartphones to display
their phony web pages completely. Mobile phishing is not
a new phenomenon by any means, but its incidence is on
the rise. For more information, read our e-guide,
Protecting Yourself Against Mobile Phishing.
Bad URL Types
Even the most careful mobile user may encounter bad URLs. Here
are some example scenarios:
• App installation: Installing apps can make you susceptible
to malicious URLs. A Trojanized version of the Bad Piggies
app discovered in late 2012 makes a home screen shortcut
to the malicious app’s source website upon installation.
Opening it leads you to download even more malware onto
your device. Candy Crush, a popular puzzle game app, was
also recently targeted. Packaged as a ‘cheating’ app for the
game itself, it actually pushes ad notifications that could be
used as points of entry for malicious URLs.
• App usage: Using fake or Trojanized apps can expose you
to malicious URLs. A malicious in-app advertisement or the
app itself can link you to a malicious URL. The malicious app
we detect as ANDROIDOS_KSAPP.A automatically connects
to certain URLs in order to send and receive information.
• Online activities: Making mistakes while typing your target
website’s URL on the mobile browser’s address bar could
lead you to a spoofed web page. The 2012 holiday season
saw banks and other organizations becoming mobile
phishing targets, with pages spoofing websites such as
PayPal and Amazon. Cybercriminals can also tailor their
pages with keywords so their malicious websites will show
up in your search results.
• SMS: Receiving and reading SMS messages on your mobile
device can make you susceptible to malicious URLs. 419
scams (Nigerian scams) have long been a desktop threat,
and their mobile equivalent, SMiShing, made its debut in
2006. Cybercriminals spam you with SMS messages that
offer free items such as coupons or gifts. The spam then
points you to a URL where you can supposedly find out how
to redeem the offered items. The URL may appear to belong
to a legitimate website, but clicking it actually leads to a
malicious web page.
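Two of the patterns described in this guide, an .APK file served from somewhere other than an official source and a mistyped address that lands on a lookalike of a site you trust, can be checked mechanically before a link is opened. The sketch below is an added example, not part of the original e-guide or any Trend Micro product; the trusted-site list, the sample URLs (all on the reserved `.example` domain) and the distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: sites the user has bookmarked and trusts (constructed list).
TRUSTED = {"bank.example", "shop.example", "play.google.com"}
# Assumption: the only hosts from which an app download is expected.
APK_SOURCES = {"play.google.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _matches(host, domains):
    # True if host is one of the domains or a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(url):
    """Return a list of findings for one URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for prefix in ("www.", "m."):          # common desktop/mobile prefixes
        if host.startswith(prefix):
            host = host[len(prefix):]
    findings = []
    # Pattern 1: Android installation file offered outside an official source.
    if parts.path.lower().endswith(".apk") and not _matches(host, APK_SOURCES):
        findings.append("apk-from-unofficial-source")
    # Pattern 2: host is not trusted but is within two edits of a trusted one.
    if not _matches(host, TRUSTED):
        for t in sorted(TRUSTED):
            if edit_distance(host, t) <= 2:
                findings.append("lookalike-of:" + t)
    return findings

if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://www.bank.example/login",
        "http://bnak.example/login",
        "http://free-android-apps.example/paid-game-free.apk",
        "http://sh0p.example/update.apk",
    ]
    for u in samples:
        print(u, "->", triage(u) or "no findings")
```

An empty result only means neither pattern matched; it does not mean the URL is safe.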
How You Encounter Them
Becoming a victim of bad URLs can make your mobile browsing
experience go awry. Here are some of the things cybercriminals can do:
• Information theft: Cybercriminals can violate your privacy
by posting or selling your personal details, SMS or call
information, and location.
• Account security compromise: Any online account you access
with your mobile device can be compromised. Cybercriminals
can use them for malicious purposes, such as draining your
bank accounts or leaving you with unexpected bills for
products or services you didn’t even purchase.
• Mobile malware infection: Your mobile device could end
up being infected with mobile malware hosted by malicious
• Mobile device security compromise: Some mobile malware
variants can actually take complete control of your mobile
device without your knowledge. Cybercriminals can make calls
or send SMS messages without your authorization, as well
as subscribe you to premium services. These could result in
more unforeseen charges.
What Can Happen
Mobile web threats prove that mobile malware protection isn’t
enough to be completely safe. Here are some safety practices you
should look into:
• Use only official apps. Only download from trusted sources,
such as the developer’s website or from Google Play. This
reduces the chances of you downloading a malicious app by
• Always check the permissions of each mobile app you
download and install. If the app is asking for your permission
to perform certain functions outside of its intended use,
uninstall it immediately. An example is a game app asking to
make calls or send SMS messages on your behalf.
• Bookmark the websites you frequent. If you must use your
smartphone’s mobile browser, bookmark the sites you
frequent. This decreases the chances of you landing on a
• Get a mobile security solution. Powered by the Trend Micro™
Smart Protection Network™, Trend Micro Mobile Security
identifies and stops mobile threats before they reach you.
It provides a holistic approach to mobile security through
its Web Reputation Service engine, which comprehensively
classifies URLs and blocks those that are malicious.
What You Can Do To Protect Yourself