Mobile banking malware infections surged dramatically in 2024, affecting approximately 248,000 users globally, representing a 3.6-fold rise compared to the 69,000 users impacted in the previous year. The increase follows a concerning pattern of increasingly sophisticated mobile threats, including the recent Anatsa banking trojan campaign that infected over 220,000 Android users through a seemingly legitimate file manager application.
Analysis of the threat landscape revealed the Mamont Trojan family as the predominant threat vector, accounting for 36.7 percent of mobile banking malware incidents. The malware variant concentrated its operations primarily in Russia and Commonwealth of Independent States (CIS) countries, following a similar regional targeting pattern to the recently discovered FinStealer malware that emerged in neighboring regions.
Geographic distribution data indicated Turkey as the most severely affected region, where 5.68 percent of mobile security users encountered financial threats, reflecting a 2.7 percentage point increase year-over-year. Indonesia and India ranked second and third, with 2.71 percent and 2.42 percent of users affected respectively. The high infection rate in India is particularly concerning given the country’s recent push toward digital banking adoption, including the implementation of biometric authentication systems for financial services.
The infection methodology typically begins with social engineering approaches that persuade users to install applications masquerading as legitimate software. These malicious applications are distributed through unofficial app stores or direct downloads from phishing websites, similar to the recent PlayPraetor trojan campaign that used counterfeit Google Play Store pages to distribute malware.
The malware’s functionality depends on obtaining extensive device permissions, including access to SMS messages, notifications, and accessibility services, which enable the interception of authentication codes and the overlay of legitimate banking applications with fraudulent interfaces. The abuse of accessibility services has become increasingly common, as demonstrated by the sophisticated “ghost tapping” malware scam that recently targeted mobile banking users.
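The permission combination described above can be checked for when reviewing an app before installation or during fleet triage. The following is an added example, not code from the cited reports: it assumes the APK's manifest has already been decoded to text XML, and the scoring rule, function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Services an app exposes for the system to bind to, keyed by the guarding permission.
BOUND_SERVICES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}

def capabilities(manifest_xml):
    """Return which of the three capabilities named in the article the manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID + "name") in SMS_PERMISSIONS:
            found.add("sms")
    for service in root.iter("service"):
        label = BOUND_SERVICES.get(service.get(ANDROID + "permission"))
        if label:
            found.add(label)
    return sorted(found)

def triage(manifest_xml):
    """Assumed scoring rule: accessibility plus a code-interception channel is 'high'."""
    caps = capabilities(manifest_xml)
    if "accessibility" in caps and ("sms" in caps or "notifications" in caps):
        return "high", caps
    return ("review" if caps else "low"), caps

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notes" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

A "high" result is a prompt for manual review, not a verdict: legitimate accessibility tools and SMS apps declare some of the same entries, but a file manager or package tracker has little reason to declare them together.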
The malware operators employ various deception strategies, ranging from basic social media lures to elaborate schemes involving fake e-commerce platforms and counterfeit package tracking applications. These tactics have evolved alongside the broader trend of increasingly sophisticated mobile phishing attacks, as documented in recent Zimperium research on mobile-specific phishing campaigns.
The latter half of 2024 witnessed a notable intensification in malicious activities, with an expanding variety of malware families indicating continuous development of new attack methodologies by threat actors. The trend corresponds with Google’s enhanced security measures that blocked 2.36 million malicious Android apps throughout the year.
Security professionals recommend implementing protective measures including exclusive use of official app stores, careful scrutiny of permission requests, deployment of security solutions, and activation of multi-factor authentication for financial services. Regular verification of financial communications and awareness of suspicious messages serve as additional protective measures. These recommendations match recent moves by major platforms to strengthen authentication security, such as Google’s transition away from SMS-based authentication toward more secure verification methods.
Sources: Cybersecurity News, GBHackers, GBHackers