Let us first agree on a couple of things before we start: One, Android is the most affordable platform for enterprises with a mobile-first/mobile-only workforce, and it has the smallest learning curve of any mobile OS. Two, due to its very open-source nature, Android is easy for malicious actors to prey on, with the Google Play Store being the breeding ground for many attacks. With more than a million apps in the Play Store and other third-party app stores, there’s little Google can do to vet every one of these apps despite its best efforts.

Last month, a flurry of malware strains were unleashed on unsuspecting Android users, with apps being the most common attack vector used. A few of these attacks, if exploited, can wreak havoc in enterprises.


Let’s take a look at some of these recent malware campaigns.

Joker malware

The timing couldn’t have been better, right? This malware, released close on the heels of its cinematic counterpart, was alleged to be one of the biggest malware campaigns in recent times. The Joker malware strain spreads via 24 compromised applications available on the Google Play Store, silently simulating interaction with advertisement websites and stealing victims’ SMS messages, contact list, and device info. The scary part is that these 24 applications have already seen nearly half a million installs.

The Joker malware infects only devices with SIM cards mapped to certain mobile country codes. There are 37 affected country codes include major EU and Asian countries such as Singapore, UAE, and the UK, leaving out the USA and Canada—most likely to avoid detection for as long as possible.

Provisioning message exploit

This attack is similar to the recent Simjacker exploit, but unlike the platform-agnostic Simjacker, the provisioning message exploit is privy to the Android devices of four different OEMs. This exploit uses provisioning messages, the ones shown by service providers, to gain unauthorized access to devices. It has the potential to affect half a million devices.


Cerberus is a banking Trojan that’s being sold on Twitter using an official page. The malware has been built from scratch, making it difficult to identify. Right now, it can mimic overlays for apps belonging to seven French banks, one Japanese bank, and seven banks from the US. Cerberus also targets 15 non-banking apps, using tactics like a Google Account sign-in phishing overlay and generic credit card grabbers.


This Japanese malware, developed by the creators of FakeSpy, masquerades as a legitimate application. It works by identifying a specific mobile service provider before passing on device information such as the IMEI, IMSI, list of contacts, and phone number. Unlike the more dangerous Cerberus, FunkyBot’s main capability is intercepting SMS messages; even so, it uses this strategy to devastating effect, since most banks use SMS as a means of two-factor authentication.

These are some of the most serious malware attacks launched in the past month, and we haven’t even talked about the many apps doubling as adware vectors. Recent victims include CamScanner, RB Music, and 85 other apps identified by TrendMicro. These 85 apps have had more than 8 million installs, leading to a large amount of ad click fraud.

So, what’s the solution?

No solution can provide complete protection against malware. However, a mobile device management (MDM) solution can help prevent malware from reaching devices in the first place. Let’s look at some of the solutions provided by an MDM solution.

  • Enable Google Play Protect: Google’s own security suite, Google Play Protect, manages the installation of harmful apps. It checks all apps before they’re downloaded from the Google Play Store or other sources, and automatically disables malicious apps until they’re uninstalled.
  • Restrict the installation of non-market apps: Organizations also need to keep an eye on apps downloaded from third-party stores. Once this restriction is applied, users cannot install apps from third-party stores such as 9Apps.
  • Prevent users from installing unapproved apps: This restriction ensures only apps pushed from the MDM solution can be installed, ensuring users can’t install unapproved apps.
  • Configure containerization: Personal devices can be containerized to isolate corporate and personal data, whereby the MDM solution controls the former and the user has control over the latter. Only apps that the enterprise approves can be present within the container, minimizing the chance of unauthorized data access.
  • Blacklist apps: Disabling all affected apps with app blacklisting ensures that malicious apps are removed from devices and can’t be subsequently installed by employees.
  • Identify rooted devices: Rooted devices are the most common type of devices used by malicious actors to access data in an unauthorized way. MDM solutions can identify rooted devices, automatically wipe corporate data from these devices, and remove the rooted devices from the enterprise network.
  • Automate OS updatesUpdating the device OS might be the only solution to protect against certain attacks, such as the provisioning message vulnerability. An MDM solution ensures an organization can deploy these updates immediately without any user intervention.

If you’re looking for an MDM solution with extensive mobile security capabilities, look no further: start your fully functional, 30-day free trial of Mobile Device Manager Plus today.