Zimperium released its annual Mobile Banking Heists Report, which highlights the continued evolution and success of mobile banking trojans around the globe. In particular, the research uncovered that 29 malware families targeted 1,800 banking applications across 61 countries last year. In comparison, last year's report uncovered 10 prolific malware families targeting 600 banking apps.
Banking trojans continue to evolve and succeed due to their ability to persist, bypass security, and evade detection on mobile devices. As investment from fast-moving threat actors continues to increase, traditional security practices are unable to keep up.
The research also revealed that United States banking institutions remain by far the most targeted by financially motivated threat actors. There were 109 U.S. banks targeted by banking malware in 2023, compared to the next most targeted countries which were the U.K. (48 banking institutions) and Italy (44). The report also noted that trojans are evolving beyond simple banking apps, targeting cryptocurrency, social media and messaging apps.
Other key report highlights
- Traditional banking applications remain the prime target, with 1,103 compromised apps — accounting for 61% of the 1,800 targets — while the emerging FinTech and Trading apps make up the remaining 39%.
- Hook, Godfather and Teabot are the top banking malware families, measured by the number of banks targeted.
- The 19 malware families from last year's report have evolved with new capabilities, and 10 new families have been identified as a threat in 2023.
- New capabilities observed within banking malware this year include:
- Automated Transfer System (ATS): A technique that facilitates unauthorized transfers of money.
- Telephone-based Attack Delivery (TOAD): Involves a follow-up call to gain trust and download more malware.
- Screen sharing: Being able to remotely control a victim's device without having physical access to it.
- Malware-as-a-Service (MaaS): An online business model offering malware creation tools for rent or sale, facilitating easy execution of cyberattacks.