The top three mobile financial applications are frequent targets of trojan malware, accounting for over 200 million fraudulent donwloads a year, according to a new Zimperium zLabs report. Pictured: A woman wearing a face mask eyes her smartphone outside a store on Black Friday on Nov. 26, 2021, in The Hague, Netherlands. (Photo by Pierre Crom/Getty Images)

Just as more financial account access and payments activity are moving to mobile devices, so too are greedy scammers shifting their attacks here, especially mobile financial trojans, according to research released Thursday by Zimperium zLabs.

In fact, the top three mobile financial applications targeted by trojan malware are aimed at mobile payments and “alternative asset investments, like cryptocurrency and gold,” according to zLabs’ report, called “Mobile Banking Heists: The Global Economic Threat.” The three types of financial applications alone account for more than 200 million downloads globally every year.

“As of 2021, the U.S. has over 4,900 registered financial institutions, which is about 10 times the number of other countries,” said Richard Melick, director of threat reporting at Zimperium. “The sheer number of potential targeted financial institutions in this country gives threat actors more opportunities to target and steal from unsuspecting victims.

The problem is not just in the pervasiveness of these trojans, but in the barrage they can direct at particular financial institutions and their applications, beating down their defenses. Case in point: The most targeted mobile banking application in the world presently is BBVA Spain’s online banking application, which has been downloaded by more than 10 million users. This one basic banking application has been targeted by 6 of the 10 most prominent banking trojans, zLabs found.

Indeed, many large and high-profile financial institutions like BBVA were among the first to adopt mobile banking, turning customers’ mobile phone into a personal ATM and giving customers access to their money, credentials, and investments on the go.

“And malicious actors did not wait to start targeting these apps,” Melick said, “so the likes of top-tier multinational institutions with multiple banks under their umbrella have the most prominent target on their apps.”

U.S. financial institutions are the most frequently targeted by banking trojan attacks, according to Zimperium’s zLabs, with 121 mobile financial applications representing more than 286 million downloads having been attacked by bad actors last year. The prolific TeaBot banking trojan has been a popular weapon for cybercriminals, who have used this malware alone to attack 410 mobile banking applications researched by zLabs.

“If the likes of TeaBot are successfully targeting these apps with app-specific keylogging, a rudimentary feature compared to others,” Melick said, adding that sometimes the “simplest tricks still work for a reason.”

In its research, zLabs uncovered more than 600 applications among 10 banking trojan families, which all together target more than 1 billion financial application downloads, as attacks here are rapidly on the rise since 2020.

“The impact of many of these trojans against U.S. financial institutions and their customers is unknown,” Melick said, adding that breach reporting laws and regulations do not cover customer devices and installed applications, “so institutions are not required to report losses publicly. But I do expect that to change as more consumer-centric protections come to light through visibility into the threat.”

Researchers are constantly finding new variants of mobile banking trojans, with more than 100,000 types found last year according to reports from Kaspersky. Cybercriminals may aim to infiltrate the application store or the financial institution site itself with their malware. Recently, mobile banking trojans often masquerade as security or authentication applications to con well-intentioned mobile banking users who want to boost their financial security.

Top-rated investment apps like Binance and Crypto.com account for more than 285 million downloads and are “high on the target list for banking trojans,” Melick said. “While it’s not a surprise the unregulated market surrounding crypto exchanges appeals to modern bank robbers, to see these apps targeted the same way as other financial services surprised me.”

If financial institutions want to minimize the threat and impact of mobile trojan malware, Melick recommended that they embrace “the same security mindset as any other branch, office, or facility.”

“While they need to enable the customer with the tools and accessibility that are now standard, they also need to provide security against banking trojans and other threats,” Melick said. “From multifactor authentication to on-devices security monitoring, these organizations can take steps to stay ahead of the modern bank robbers.”