Products and Services PRODUCTS & SERVICES

What makes a mobile threat researcher tick?

We interviewed Senior Threat Researcher, Rowland Yu, to find out...

We sat down for a Question and Answer session with SophosLabs expert Rowland Yu, who specialises in researching and analysing mobile malware.

Here’s what he had to say…

Rowland, what’s your background, and how did you get into mobile threat research?

12 years ago, I finished my studies at the University of Wollongong in Australia, where I majored in computer security, after which I landed a job at Sophos as a spam analyst – that was how I got started in cybersecurity research as a career.

From spam analysis I moved into reverse engineering, taking malware apart in order to improve our ability both to detect and to remove it.

By 2012 we’d seen enough Android malware to realise that the threat was here to stay, and I started focusing on mobile threats, seeing Android as “the new Windows” for malware writers.

Now I’m a Senior Threat Researcher, leading the SophosLabs Android team in analysing malware and emerging threats.

Given that you think mobile malware is “here to stay”, do you even have a cellphone of your own?

Sure. I have a work phone running Android and a personal phone running iOS.

What precautions do you take to keep them secure?

I have Sophos mobile security software on both of them!

I’m also cautious about the apps I install – on Android I stick to Google Play, even though it’s not perfect when it comes to keeping malware out. I look for recommendations outside Google Play, because it can be hard to tell which reviews on the Play Store are genuine and which were posted by the maker of the app.

I also limit the permissions I grant to apps to what I’m willing to let them have, instead of just granting them all the permissions they ask for.

How do mobile threats differ between iOS and Android?

Apple makes iPhone and iPad users stick to the App Store, which greatly reduces your exposure to malware.

In 2017, for example, the iOS threats we analysed numbered in the single digits. In comparison, we processed more than 4 million malicious Android samples, many of them found in the wild.

Even on Google Play, 35 different threat families were reported in 2017, and Google itself took down 700,000 packages for violating Google Play policies.

That trend is continuing – 37 threat families have been seen on Google Play so far this year, 6 of which we discovered here at SophosLabs.

Are there any differences in the mobile threats faced by companies and consumers?

The main difference in risk is that home users on Android are more likely to “Allow unknown sources” for installing new apps – this gives them the freedom to go off-market and try out apps that aren’t available on Google Play, but exposes them to greater risk.

Many companies insist that their users stick to Google Play – as I said, it’s not perfect, but it’s much safer than many of the unregulated, “anything goes” markets out there.

The vast majority of those 4 million Android malware samples we classified last year came from outside Google’s walled garden.

Ransomware and cryptomining get a lot of headlines – are they a threat on mobile phones too?

Yes! In fact, ransomware was rampant on mobile devices even before it became a plague on desktop and laptop computers, although in the early days it didn’t scramble your files, but just tried to freeze you out of your phone.

This lock-screen ransomware kicked up a “pay page” as soon as you rebooted in the hope that you’d pay for an unlock code, but you could usually recover for free – the malware didn’t scramble your data, just interfered with the startup process.

More recently, file-scrambling malware has become more and more widespread on Android, though mobile ransomware doesn’t yet seem to be causing the same pain that it has on Windows computers.

As for cryptojacking, where crooks try to “borrow” your phone’s processor to mine for cryptocurrency, we saw more than 20,000 different variants of the Loapi cryptomining malware in the second half of 2017.

And earlier this year, we saw Coinhive based miners added to tampered copies of popular apps, like Netflix and Instagram, as well as soccer apps and other apps based on web frameworks such as Cordova.

Most of these were distributed through third party stores, but we did identify a number on Google Play.

Where can our readers get the Sophos Mobile Security products?

Just head to and choose from iOS or Android.

Leave a Reply

Your email address will not be published. Required fields are marked *