4 Common types of Malware and What’s the Difference (Trojan, Spyware, Viruses, Ransomware)

Share this blog

Malware is malicious code that threat actors use to compromise data collected, stored, processed, or transmitted by mobile devices, computers, servers, or any other internet-connected device or application. As part of an organization’s security and data protection program, it should have a plan in place that, at minimum, mitigates risk to systems and networks arising from four common types of malicious software: trojans, spyware, viruses, and ransomware.

1. Trojan

What is a Trojan?

Named after the Greek story of the wooden horse used to infiltrate Troy, a trojan is a software that disguises itself as legitimate, tricking users into downloading it. When users click on the executable file (.exe), the program installs on the device, enabling attackers to use it to complete additional objectives, like:

  • Creating backdoor access to the device
  • Keylogging
  • Installing viruses or worms
  • Stealing, modifying, blocking, or deleting data

Unlike other types of malware, trojans are not self-replicating, meaning that the user has to take action and actively click on the file for the malicious software, or payload, to execute. In addition, malicious actors often use social engineering tactics to convince users to engage in risky behavior. For example, trojans can infect mobile devices and smartphones, enabling threat actors to use them as part of a Distributed Denial of Service (DDoS) attack by controlling them as part of a botnet.

There are several ways trojans can be hidden:

  • In mobile apps
  • In emails and their attachments
  • In video games and mobile games

What are the Different Types of Trojans?

While threat actors use trojans across all industries, attackers have increasingly targeted financial services over the last few years. Some examples of trojans seen between 2017 and 2021 include:

  • Exobot (2017)
  • BianLian (2018)
  • EventBot (2020)
  • Medusa (2020)
  • Cabassous (2021)
  • Coper (2021)
  • FlyTrap (2021)
  • FluBot (2021)
  • Sharkbot (2021)
  • Teabot (2021)
  • Xenomorph (2022)

How to Recognize a Trojan

A device infected with a trojan may:

  • Run slowly or crash more frequently
  • Run programs automatically or execute unexplained processes
  • Interrupt use with pop-ups and email spam

2. Spyware

What is Spyware?

Spyware is the Jason Bourne of the malware world. When executed on a computer or mobile device, spyware gathers information about people or organizations by monitoring user activity and reporting back to the attacker. However, unlike other malware variants, spyware may not interrupt the device’s operations.

This malicious code focuses on violating the end user’s privacy and can compromise:

  • Usernames
  • Passwords
  • PIN numbers
  • Payment information
  • Unstructured messages
  • Keyboard strokes
  • Web browsing history

Traditionally distributed to computers using freeware or shareware, spyware can infect mobile devices via:

  • Unsecured free wi-fi
  • Operating system (OS) flaws
  • Malicious apps

In addition to compromising data, mobile device spyware can also steal information like:

  • Incoming/outgoing SMS messages
  • Incoming/outgoing call logs
  • Contacts
  • Emails
  • Browser history
  • Photos
  • Keystrokes

Beyond that, a mobile device spyware could also use:

  • Microphone to record audio
  • Take pictures
  • Track location with GPS

What are the Different Types of Spyware?

Spyware can be classified as:

  • Adware: sending activity data to advertisers or malicious actors
  • Infostealer: Scanning devices for specific data and instant message conversations
  • Keylogger: recording keystrokes a user makes on the device
  • Red shell: tracking online activity, usually installed through a PC game

Some specific mobile spyware variants are:

  • PhoneSpy: installed in Android apps to steal login credentials, messages, location, and images
  • Pegasus: used to target activists, journalists, politicians, and executives

How to Recognize Spyware

Although some antivirus tools may be able to detect a spyware signature, this is not true for all types, especially mobile device spyware.

A device infected with spyware may:

  • Run slowly
  • Interrupt with popups
  • Install new toolbars, search engines, and internet homepages
  • Drain battery more rapidly
  • Fail to login to secure sites
  • Show increased data and bandwidth use
  • Disable anti-virus or other safety software

3. Virus

What is a Virus?

Viruses are self-replicating malicious code that can infect other programs and spread across systems. While a trojan requires a user to take action that downloads and executes the malware, a virus inserts itself into an application. Like a parasite, the virus relies on the host application to propagate, execute, and reproduce only while the infected application is running. Once executed, data and files may be:

  • Encrypted
  • Corrupted
  • Deleted
  • Moved
  • Exfiltrated

Attackers can use any of the following to spread the virus:

  • Website
  • File sharing
  • Email attachment downloads

While any file is at risk, some are more likely to get infected, like:

  • .doc/.docx
  • .ex
  • .html
  • .xls/.xlsx
  • .zip

A virus typically spreads when an infected software or document is transferred from one computer to another. Viruses can spread quickly across networks, file shares, or email attachments in internet-connected ecosystems.

What are the Different Types of Viruses?

Viruses can be categorized as:

  • File infectors: attaching to program files so that when the user loads the program, the virus loads as well
  • Macro viruses: targeting macros in applications like Microsoft Word
  • Overwrite viruses: destroying files or application data by overwriting them with malicious code
  • Polymorphic viruses: changing or applying updates to underlying code to evade detection
  • Resident viruses: embedding in a system’s memory so it can be reactivated if the original virus is deleted
  • Rootkit viruses: installing an unauthorized rootkit so that attackers can gainful system control to modify or disable functions and programs
  • System or boot sector viruses: impacting executable code n the disk OS boot sector on diskettes, USB thumb drives, or master boot records on hard disks

How to Recognize a Virus

A device infected with a virus may:

  • Run slowly or take a long time to start up
  • Crash frequently
  • Shutdown unprompted
  • Show error messages
  • Behave abnormally, like not responding to clicks or opening files without being prompted
  • Show a storage reduction
  • Experience abnormal hard drive activity, like constant spinning or noise
  • Show email corruption

4. Ransomware

What is Ransomware?

Ransomware is malware that encrypts files or devices, only decrypting them once the company makes the requested ransom payment. In recent years, these attacks have evolved to include “double extortion,” where malicious actors encrypt and exfiltrate sensitive data in an attempt to overcome risk mitigation strategies like data backups.

To spread ransomware, an attacker can use malicious:

  • Email attachments
  • Ads
  • Links
  • Websites

Ransomware has become more prevalent due to the Ransomware-as-a-Service (RaaS) business model. Cybercriminals sell access to the malware by charging a subscription fee or a percentage of the ransom. Without having to create the code, less sophisticated actors can deploy a ransomware attack which means more people are able to engage in criminal activity.

Increasingly, threat actors target mobile device operating systems like iOS or Android. Mobile ransomware works slightly differently from traditional ransomware. Instead of encrypting the device, which can easily be restored from a cloud sync backup, these ransomware variants focus on locking access to the mobile device, preventing use.

What are the Different Types of Ransomware?

Some famous ransomware variants include:

  • Conti
  • DarkSide
  • Egregor
  • Ryuk
  • MAZE
  • HoneyBee

Security researchers have also detected mobile device ransomware variants like:

  • AndroidOS.MalLocker.B
  • DoubleLocker
  • CovidLock
  • LeakerLocker
  • WannaLocker

How to Recognize Ransomware

Even before attackers send a ransom request, a device infected with ransomware may experience:

  • Abnormal file system activity, like failed file modifications
  • Increased CPU and disk activity
  • Lack of access to files
  • Abnormal network communication
  • Reduced battery charge

Zimperium zIPS: Mobile Threat Detection to Protect Against Malware

While organizations may have anti-virus protection to protect traditional devices like laptops, attackers increasingly seek to exploit the inherent security and privacy risks of mobile devices to deploy attacks. In addition, mobile devices lack the crucial advanced security layer to protect against sophisticated attacks, leaving systems, networks, and sensitive data at risk.

Zimperium zIPS detects both known and unknown threats, including zero-day, phishing, and network attacks, by analyzing slight deviations to a mobile device’s various system parameters. Once deployed on a mobile device, Zimperium zIPS begins protecting the device against all primary attack vectors, even when the device is not connected to a network.

With Zimperium zIPS, organizations gain continuous protection for mobile devices, providing the risk intelligence and forensic data necessary for security administrators to raise their mobile security confidence. As the mobile attack surface expands and evolves, so does Zimperium’s on-device, machine learning-powered detection.

Richard Melick
Mobile Threat Intelligence. View the author's experience and accomplishments on LinkedIn.

Get started with Zimperium today