What is Mobile Malware? The Complete Guide for 2026


Mobile malware targets iOS and Android devices to steal credentials, intercept MFA codes, and enable corporate network access. Here's how it works and what enterprises must do about it.

Categories of Mobile Malware

Banking trojans. The largest category by volume, targeting financial application credentials. Modern banking trojans overlay a fake UI on top of legitimate banking apps while capturing credentials. Anubis and Cerberus have been adapted from banking targets to credential theft for corporate applications including Microsoft 365 and Google Workspace.

Spyware and stalkerware. Designed for covert monitoring: call logs, SMS messages, location data, camera and microphone access. Commercial spyware tools like Pegasus represent the nation-state end — capable of zero-click compromise of fully patched iOS and Android devices.

SMS stealers and MFA interceptors. Malware specifically designed to intercept one-time passwords delivered via SMS. This class was used in documented SIM-swapping campaigns and in the Scattered Spider attacks against MGM and Caesars in 2023.

Credential-stealing trojans. Steal saved passwords, session cookies, and authentication tokens from mobile browsers and apps. Compromised session tokens allow attackers to bypass password and MFA requirements by impersonating an already-authenticated session.

Mobile RATs. Full-capability remote access implants: screenshot capture, keylogging, file access, camera and microphone activation, and network traffic inspection. AhMyth and SpyNote are documented mobile RATs active in 2025-2026.

How Mobile Malware Reaches Devices

Malicious apps and sideloading. Apps distributed outside official app stores bypass review processes. Criminal groups create apps that impersonate legitimate tools to achieve installation.

Phishing and smishing. SMS phishing and mobile browser phishing deliver malware or credential-harvesting pages optimized for mobile display. Mobile users are statistically more susceptible — smaller screens obscure URL details. Scattered Spider's campaigns heavily relied on smishing to harvest credentials and MFA codes.

Zero-click exploits. The highest-sophistication delivery mechanism requires no user interaction — the device is compromised through a vulnerability in the messaging stack, browser engine, or OS. Pegasus used zero-click iMessage exploits against iOS.

Enterprise Risk

The enterprise risk from mobile malware lies in the corporate access those devices carry: corporate email, giving attackers access to sensitive communications and deal information; MFA codes received via SMS, allowing credential-based attacks to succeed even against accounts with MFA enabled; corporate VPN credentials and sessions, providing network-level access to internal infrastructure; and cloud application session tokens, which bypass authentication entirely once stolen.

Defensive Controls

Mobile Device Management (MDM) and Mobile Application Management (MAM). MDM enforces device-level security policies: screen lock requirements, OS version minimums, app allow/block lists, and remote wipe capability. MAM provides granular control over corporate apps, for example requiring that corporate email be accessible only through managed apps.

Mobile Threat Defense (MTD). MTD solutions perform behavioral detection analogous to endpoint EDR — monitoring for malicious app behavior, network traffic anomalies, and OS-level indicators of compromise. Products like Lookout, Zimperium, and Microsoft Defender for Endpoint on mobile integrate with MDM platforms and feed signals into SIEM and TDIR workflows.

Phishing-resistant MFA. Replacing SMS-based MFA with FIDO2 hardware keys, passkeys, or certificate-based authentication eliminates the SMS interception attack vector. This is the highest-impact single control for reducing mobile-enabled account compromise.

Conditional access policies. Configuring corporate applications to require managed, compliant devices for access — enforced through Microsoft Entra ID Conditional Access or Okta — ensures a compromised personal device cannot access corporate resources even if credentials are obtained.
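As an added illustration (not Cloudskope's code or a policy from the original article), here is how the conditional access control above, combined with the phishing-resistant MFA requirement, can be expressed with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the break-glass group ID is a placeholder you supply, and the policy is created in report-only mode so sign-in impact can be reviewed before enforcement.

```powershell
# Added example: Entra ID Conditional Access policy for mobile platforms that
# requires a managed, compliant device AND phishing-resistant MFA.
# Assumes the Microsoft.Graph PowerShell SDK; the group ID is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Look up the built-in "Phishing-resistant MFA" authentication strength rather
# than hard-coding its ID, so the script is portable across tenants.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Phishing-resistant MFA strength not found in tenant" }

$policy = @{
    displayName = "Mobile: require compliant device + phishing-resistant MFA"
    # Report-only first: evaluate who would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: emergency-access (break-glass) group excluded from the policy
            excludeGroups = @("<BREAK-GLASS-GROUP-ID>")
        }
        applications = @{ includeApplications = @("All") }
        # Scope to the mobile platforms discussed above
        platforms    = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: both controls must be satisfied to grant access
        operator               = "AND"
        builtInControls        = @("compliantDevice")   # device marked compliant by MDM
        authenticationStrength = @{ id = $strength.Id } # FIDO2 / passkey / cert-based auth
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

After reviewing the report-only sign-in logs, switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy` to enforce the policy.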

Scattered Spider: Mobile-Enabled Corporate Compromise, 2023

The 2023 MGM Resorts and Caesars Entertainment breaches demonstrate how mobile social engineering converts to enterprise compromise at scale. Scattered Spider used smishing campaigns to harvest employee credentials and MFA codes, then authenticated to Okta and Microsoft 365 as legitimate users. The attacks did not require traditional malware on corporate systems — the mobile device was the attack surface. MGM's resulting disruption cost an estimated $100 million. Caesars paid a reported $15 million ransom. Both companies had endpoint security and documented security programs. Neither had eliminated SMS-based MFA as an attack vector for corporate identity systems.

3.2 billion: Android and iOS devices in enterprise use globally as of 2025 — each representing a potential entry point for credential theft, MFA interception, and corporate network access that most mid-market security programs treat as outside scope.

How Cloudskope Can Help

Cloudskope's vCISO and MDR services include mobile threat surface assessment as part of enterprise security program design. For PE portfolio companies where executives and deal teams use mobile devices to access sensitive systems — email, data rooms, financial platforms — mobile threat defense and phishing-resistant MFA are high-priority controls that frequently go unimplemented in standard mid-market security programs.