Skip to main content
According to a new Zimperium zLabs report, the top three mobile financial apps are frequent targets of Trojans, accounting for more than 200 million fraudulent downloads per year. Pictured: A woman wearing a face mask looks at her smartphone outside a store on Black Friday on November 26, 2021 in The Hague, the Netherlands. (Photo by Pierre Crom/Getty Images)

Just as more financial account access and payment activity moves to mobile devices, greedy scammers are shifting their attacks here, especially mobile financial Trojans, according to research released Thursday by Zimperium zLabs. .

In fact, the top three mobile financial apps targeted by Trojans target mobile payments and “alternative investments in assets, such as cryptocurrency and gold”, according to zLabs’ report, titled “Mobile Banking Heists: The Global Economic Threat”. The three types of financial apps alone account for more than 200 million fraudulent downloads worldwide each year.

“In 2021, the United States had more than 4,900 registered financial institutions, about 10 times the number of other countries,” said Richard Melick, director of threat reporting at Zimperium. “The large number of potentially targeted financial institutions in this country gives threat actors more opportunities to target and rob unsuspecting victims.

The problem is not just the ubiquity of these Trojans, but the barrage they can direct at particular financial institutions and their apps, tearing down their defenses. Example: most target The mobile banking application in the world is currently the BBVA Spain online banking application, which has been downloaded by more than 10 million users. This basic banking application alone was targeted by 6 of the top 10 banking trojans, according to zLabs.

Indeed, many large and leading financial institutions like BBVA have been early adopters of mobile banking, turning customers’ mobile phones into personal ATMs and allowing customers to access their money, identification and their investments on the move.

“And malicious actors didn’t wait to start targeting these apps,” Melick said, “so top multinational institutions with multiple banks under their umbrella have the biggest target on their apps.”

US financial institutions are the most frequent targets of banking Trojan attacks, according to Zimperium’s zLabs, with 121 mobile financial apps representing more than 286 million downloads having been attacked by bad actors last year. The prolific TeaBot banking trojan is a popular weapon for cybercriminals, who have used this malware alone to attack 410 mobile banking apps studied by zLabs.

“If TeaBot successfully targets these apps with app-specific keylogging, a rudimentary feature compared to others,” Melick said, adding that sometimes the “simplest tricks always work for a reason.”

In its research, zLabs uncovered more than 600 apps among 10 families of banking Trojans, which together infect more than a billion downloads of financial apps, as attacks there have been increasing rapidly since 2020.

“The impact of many of these Trojans on U.S. financial institutions and their customers is unknown,” Melick said, adding that breach reporting laws and regulations do not cover customer devices and apps. installed,” institutions are therefore not required to report losses publicly. But I expect that to change as more consumer-centric protections emerge through threat visibility.

Researchers are constantly finding new variants of mobile banking Trojans, with more than 100,000 types found last year according to Kaspersky reports. Cybercriminals may aim to infiltrate the app store or the financial institution’s site itself with their malware. Recently, mobile banking trojans often impersonate security or authentication apps to defraud well-meaning mobile banking users who want to boost their financial security.

Top-rated investment apps like Binance and Crypto.com account for more than 285 million downloads and are “top of the list of banking Trojan targets,” Melick said. “While it’s no surprise the unregulated market surrounding crypto exchanges attracts modern bank robbers, to see these apps targeted in the same way as other financial services surprised me.”

If financial institutions want to minimize the threat and impact of mobile Trojan malware, Melick recommended they adopt “the same security mindset as any other branch, office, or facility.”

“While they should provide customer access to tools and accessibility that are now standard, they should also provide security against banking Trojans and other threats,” Melick said. “From multi-factor authentication to on-device security monitoring, these organizations can take steps to stay one step ahead of modern bank robbers.”