The widespread adoption of mobile banking has made things more convenient for consumers but at the cost of introducing myriad new "attack vectors" for malware attacks, particularly "trojan" programs that masquerade as legitimate applications, according to a recent report from
"Just as bank robbers of the past would hold up physical bank locations, the prolific access to users’ finances from the mobile device has opened up opportunities for greater reward and less physical risk. The malicious actors behind banking trojans are counting on mobile applications and endpoints lacking comprehensive security solutions to detect and prevent their actions. With the number of mobile financial applications available to users growing, there are new targets being added every day," said the report.
Many of these trojans — bearing names like Medusa, FluBot, Xenomorph and ExobotCompact.D/Octo—are capable of targeting multiple applications at a time, meaning a host of different infections may all come from one type of program. Hundreds of millions of people worldwide have already downloaded the apps these programs target, making users vulnerable to potential attack.
The most targeted mobile banking app in the world is BBVA Spain | Online Banking, which has been downloaded over 10 million times. This one application can be targeted by six different banking trojans. India’s PhonePe mobile application was named as having the largest attack surface for banking trojans to target, with over 100,000,000 downloads from the Google Play Store.
In the U.S., the most targeted application is Cash App, which over 50 million people have downloaded. However, the only trojan examined which specifically targets it is
The report noted that these trojans can cause serious problems if left unchecked. It can lead to data theft, regulatory problems (for the developers), loss of customer confidence and the use of stolen assets in further frauds. It was recommended that people make use of mobile security software to avoid accidentally downloading a trojan.
