A new report from mobile security platform provider Zimperium Inc. finds that mobile banking heists continued to increase in 2023, with researchers uncovering 29 malware families that targeted 1,800 banking applications across 61 countries throughout the year.

The 2023 Mobile Banking Hesits Report details how banking trojans — a type of malicious software designed to infiltrate banking and financial applications to steal sensitive information such as login credentials and financial data — have continued to evolve and succeed thanks to their ability to persist, bypass security and evade detection on mobile devices. Added to the mix is increasing investment from threat actors, creating a situation where traditional security practices cannot keep up.

The report finds that U.S. banking institutions remain the favorite targets of financially motivated threat actors, with 109 U.S. banks targeted by banking malware in 2023. This dwarfs the U.K. in second place, with 48 banking institutions targeted, and Italy with 44. The report also notes that trojans are evolving beyond simple banking apps, targeting cryptocurrency, social media and messaging apps.

Key findings highlighting the threat of mobile banking malware include that traditional banking applications remain the prime target, with 1,103 compromised apps accounting for 61% of the 1,800 targets. Emerging FinTech and trading apps made up the remaining 39%.

Hook, Godfather and Teabot were found to be the leading banking malware families, measured by the number of banks targeted. Nineteen malware families detailed in the 2022 report were found to have evolved with new capabilities, and 10 new families have been identified as a threat in 2023.

A number of new capabilities were observed within banking malware this year. Among them is Automated Transfer System, a technique that facilitates unauthorized transfers of money. There’s also Telephone-based Attack Delivery, which involves a follow-up call to gain trust and download more malware. Hackers also used screen sharing to control a victim’s device remotely without having physical access to it.

And finally there was the emergence of banking trojans being offered on a malware-as-a-service basis. That’s a business model where cybercriminals rent or sell malware creation tools, allowing even those with limited technical skills to execute cyberattacks.

“Mobile banking security is currently in a high-stakes scenario, with numerous threat actors posing substantial risks,” said Zimperium Chief Scientist Nico Chiaraviglio. “We are seeing that they are finding ways to bypass traditional defenses, which is why it is critical that banking and financial organizations employ comprehensive, real-time, on-device mobile security to combat these intelligent adversaries.”

The report makes several recommendations on how to protect apps from malware. They include enhancing protection to match the sophistication of threats through advanced code protection techniques, implementing runtime visibility for comprehensive monitoring and modeling of potential threats across various vectors, and deploying on-device protection for immediate, autonomous threat response, independent of network or server connectivity.

Image: DALL-E 3