Mobile banking is a rapidly growing market that’s projected to hit a value of US$7 billion by 2032. However, this surge is being accompanied by a dramatic growth in mobile banking malware, as threat actors increasingly turn their focus on mobile banking applications for illicit financial gain, a new report by mobile security company Zimperium says.
The 2023 Mobile Banking Heists Report, released in December 2023, provides an overview of the risks to mobile financial applications, highlighting the continued evolution and success of mobile banking malware and mobile banking fraud around the globe.
The 2023 study, which analyzed malware targeting banking apps, uncovered that 29 malware families targeted 1,800 banking applications across 61 countries last year. That’s 10 more malware families than in 2022 during which the study identified 19 banking malware families targeting 1,400 mobile apps.
This growth suggests that threat actors continued to invest in new methods to target mobile banking apps, developing new tools and techniques to execute fraudulent transactions, steal funds and commit identity theft, the report says.
Hook as the most prolific mobile banking malware
In 2023, Hook was the most prolific malware family, targeting a staggering 468 banking apps. Hook is a type of malicious software specifically designed to target mobile banking apps. It typically operates by infecting a user’s device through various means, such as phishing emails, fake apps, or compromised websites.
Once installed on a mobile device, the Hook malware remains hidden, often disguising itself as a legitimate application or running in the background without the user’s knowledge. It then waits for the user to launch a legitimate banking app, after which it springs into action, overlaying a fake user interface (UI) on top of the legitimate banking app and making it appear as though the user is interacting with the genuine application.
However, behind the scenes, the malware captures the user’s login credentials, account information, and other sensitive data entered into the fake UI. The captured information is then sent to a remote server controlled by cybercriminals.
Threat actors expand capabilities
Looking more broadly at mobile banking malware, the study found that threat actors added new capabilities to response to evolving cybersecurity defenses but also to broaden their scope and increase effectiveness.
New capabilities observed within banking malware in 2023 include:
- Automated transfer system (ATS): A framework that allows cybercriminals to automate fraud by extracting credentials and account balances, initiating unauthorized transactions, obtaining multi-factor authentication (MFA) tokens, and authorizing fund transfers;
- Telephone-based attack delivery (TOAD): An attack that involves cybercriminals posing as call center representatives and sweet-talking targets into downloading “security” software that is actually a banking trojan;
- Screen sharing: A capability that enables threat actors to remotely interact with and manipulate a device, even without physical access; and
- Malware-as-a-Service (MaaS): An online business model offering a range of features optimized for malware authors, including pre-coded attack vectors, customizable trojan templates, and evasion techniques like code obfuscation.
US banking institutions are the most targeted
A sectoral analysis revealed that the traditional banking apps remained the prime target last year, representing 61% of all the targets of mobile banking malware, or a total of 1,103 apps. Fintech and trading apps made up the remaining 39% with 704 app targeted.
USA banks were the most targeted by mobile banking malware with 109 institutions, followed by the UK with 48, and Italy with 44.
Findings of the Zimperium research corroborate with those of new survey conducted by EY and the Institute of International Finance. The study, which polled 85 banks across 30 countries, found that cybersecurity risks continue to be considered among the most pressing issues by chief risk officers (CROs), identified by 73% of the respondents as the top year-ahead risk.
Additionally, data and technology concerns are gaining prominence as emerging risks, with more than a third (39%) of CRO respondents highlighting industry disruption from new technologies as crucial for risk management in the next five years. Artificial intelligence (AI) and machine learning risks are also surging among CROs, cited by 38% of respondents as one of the most important risk for banking organizations over the next five years, up from 13% last year.
Preference for mobile banking has risen consistently over the past years to now standing as the preferred channel for banking customers in most markets.
Results of a 2023 survey conducted by Statista show that South Korea, South Africa and Sweden are the world’s biggest adopters of mobile banking, with 82%, 78% and 75% of respondents in these respective markets indicating using mobile channels to process their banking matters. At the end of the spectrum, Japan, Germany and Italy recorded the lowest rates at 28%, 50% and 51%, respectively.
Featured image credit: edited from freepik