Report: 29 malware families target 1,800 banking apps worldwide

According to a recent study by Zimperium, 29 malware families targeted 1,800 banking apps in 61 countries in 2023. This is nearly 3 times more than in 2022, when 10 malware families targeted 600 banking apps. The development and convenience of online banking apps are clear, but these apps also carry inherent risks of cyberattack and financial fraud.

Banking Trojans continue to target mobile devices.

Banking trojans continue to evolve thanks to their ability to bypass security layers and evade detection on mobile devices. Conventional security solutions won’t be able to keep up with the growing number of threat actors and their increasingly complex techniques. The study also revealed that to date, US banking institutions remain the most targeted by financially motivated threat actors.

109 US banks were targeted by banking trojans in 2023. The other most targeted countries were the United Kingdom (48 organizations/banks) and Italy (44 organizations/banks). The report also pointed out that trojans are evolving beyond basic banking apps, aiming at cryptocurrency, social media, and messaging apps.

Nico Chiaraviglio, Head of Scientific Research at Zimperium, said: “Mobile banking security is in a heightened state of alert, with many threat actors posing significant risks.” The Zimperium research report shows the complexity, adaptability, and scalability of banking trojans as well as their major impact on global mobile apps.

Nico Chiaraviglio also stated: “Cybercriminals are trying to overcome traditional defensive measures, which is why financial and banking organizations need to use comprehensive, real-time mobile security on devices to combat increasingly sophisticated and stealthy cybercriminal attacks.”

Traditional banking apps remain the top target, with 1,103 apps attacked, representing 61% of the 1,800 targets, while FinTech apps and emerging trading apps account for the remaining 39%.

Hook, Godfather, and Teabot rank as the top families of banking malware by the number of targeted banks. According to the research, 19 malware families identified in the 2022 report have evolved with new capabilities and 10 new malware families have been identified as threats in 2023.

New capabilities

New capabilities of banking malware include:

  • Automatic Transfer Systems (ATS): A technique that facilitates illegal money transfers.
  • Telephony Oriented Attacks and Distributions (TOAD): A form of social engineering involving calling victims using information previously gathered from phishing sites to trick users into downloading malware.
  • Screen sharing: Lets an attacker remotely control a victim’s device without physical access.
  • Malware as a Service (MaaS): An online business model that provides malware creation tools for rent or sale, facilitating easy execution of cyberattacks.

This paints a concerning picture of the future threat landscape for increasingly pervasive and far-reaching mobile apps. It calls for a mobile-first security strategy: a comprehensive, autonomous approach continuously focused on combating mobile banking trojans. Organizations need to proactively track cyberattack trends and protect against threats in real time, replacing outdated, ineffective forms of protection with preventative measures that address potential risks before an attack occurs.

Jon Paterson, CTO at Zimperium, said: “By monitoring millions of devices, Zimperium has identified alarming figures showing the global prevalence and evolution of mobile banking malware. Cybercriminals continue to target traditional banking, FinTech, and Trading apps because many still rely on outdated security techniques and lack advanced protections.”

Protecting apps from malware

To combat these growing threats, organizations and businesses should take the following steps:

  • Ensure protection capabilities match threat complexity: Advanced protection techniques will improve security posture and suit organizational capabilities, avoiding over-investment beyond what attackers can achieve.
  • Deploy real-time visibility to monitor and model comprehensive threats: Leaders must enable real-time visibility into diverse threats including network, application, and fraud. This real-time detail enables proactive risk and threat identification and reporting.
  • Deploy on-device protections to address threats in real-time: Mobile application security leaders should prioritize promoting on-device protections that enable applications to take immediate action when threats are detected. This capability must be autonomous, not relying on network connectivity or communication with ancillary servers.