Mobile Banking Trojans Surge, Doubling in Volume

Mobile malware developers were busy bees in 2022, flooding the cybercrime landscape with twice the number of banking Trojans than the year before.

two hands holding a mobile phone
Source: hanohikirf via Alamy Stock Photo

Nearly 200,000 new mobile banking Trojans emerged in 2022 — a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

That's according to Kaspersky's "Mobile Threats in 2022" report, which also detailed that the firm detected 1.6 million installers for mobile malware within its telemetry during the year. That's actually a decline in threat activity (down from 3.5 million in 2021 and 5.7 million in 2020), even as malware creation surges ahead.

"This drastic increase [in banking Trojan development] signifies that cybercriminals are targeting mobile users and are increasingly more interested in stealing financial data and actively investing in the creation of new malware," according to the report, released today. It added, "The cybercriminal activity leveled off in 2022, with attack numbers remaining steady after a decrease in 2021. That said, cybercriminals are still working on improving both malware functionality and spread vectors."

Banking Trojans are built to steal mobile bank account credentials or e-payment details, but they can often be repurposed for other kinds of data theft or used to install additional malware. Infamous malware strains like Emotet and TrickBot, for instance, began life as banking Trojans and quickly evolved to become something much more all-purpose.

Kaspersky's report noted that while unofficial app stores of course pose the greatest potential for encountering a banking Trojan, Google Play has been repeatedly populated with "downloaders for banking trojan families, such as Sharkbot, Anatsa/Teaban, Octo/Coper, and Xenomorph, all disguised as utilities."

Sharkbot, for instance, was found masquerading as a file manager that seems benign (and can evade Google's vetting process) — until it's installed. At that point, it requests permission to install additional packages that will together carry out the malicious banking Trojan activity.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights