Global Mobile Banking Malware Surge Targets 1,200 Financial Brands
A global surge in mobile banking malware targeting 1,243 financial brands across 90 countries is reshaping the fraud landscape, with attacks now originating primarily on user devices. According to a new report by Zimperium zLabs, these operations have become industrialised, affecting apps with more than three billion downloads.
The analysis indicates that these large-scale campaigns are evolving faster than traditional banking defences, driven by widespread code sharing and low barriers to entry for attackers. The shift represents a fundamental change in how financial crime is conducted, moving the battleground from bank servers to consumers' pockets.
Background and Context
Mobile banking has established itself as the dominant channel for consumers, with Zimperium reporting that 54% of users now rely on apps to manage their accounts. As this usage has increased, exposure to risk has risen in tandem. The report highlights a 56% increase in Android banking trojan attacks in 2025 and a 271% jump in unique malware packages to 255,090.
Overall, online fraud rose 21% between 2024 and 2025, and one in 20 verification attempts is now considered fraudulent. Data suggests that 80% of fraud occurs through online or mobile platforms, yet security measures have not kept pace. Investigators found that more than 60% of banking apps lack basic code protection, allowing criminals to reverse engineer systems and tailor attacks before targeting users.
Key Figures and Entities
The malware ecosystem is dominated by a few prolific families. Three distinct threats—TsarBot, CopyBara, and Hook—accounted for more than 60% of targeting against banking and fintech applications in the period reviewed. Newer variants such as Sturnus and Crocodilus have introduced advanced techniques, including "blackout" modes that allow transactions to occur while a device appears inactive to the user.
Analysts point to the sophistication of these actors as a primary concern. "Mobile banking applications are absolutely a prime target," said Boris Cipot, senior security engineer at Black Duck. "As the research shows, more than 1200 financial apps are currently under active attack, and malware-driven fraud has increased 67% year over year."
Legal and Financial Mechanisms
The mechanics of modern malware have progressed significantly beyond simple credential theft. The report warns that attackers can now control devices and operate within legitimate banking sessions, so fraudulent activity is often indistinguishable from normal user behaviour.
"Today's malware families don't just steal credentials, they intercept authentication codes, monitor live sessions, and convincingly mimic legitimate app behavior," Cipot noted. Jason Soroko, senior fellow at Sectigo, added that this capability renders traditional server-side fraud controls "blind" because the transactions technically originate from a genuine device with valid credentials. This exploitation of mobile app vulnerabilities allows criminals to bypass two-factor authentication and other standard security protocols.
International Implications and Policy Response
While the threat is global, its impact is unevenly distributed. The United States has the highest concentration of targeted banking apps at 162, followed by the United Kingdom with 69, Spain with 65, and Italy with 52. However, rapidly digitizing markets are also becoming focal points; India, Vietnam, and Malaysia reported 42, 23, and 17 targeted apps respectively.
Furthermore, the integration of artificial intelligence into these attacks is accelerating the threat. AI is enabling faster reverse engineering of apps and the use of deepfakes to bypass identity checks. The researchers concluded that financial institutions must prioritise mobile app security to defend against these threats, as backend-focused defences alone are no longer sufficient to protect customer assets.
Sources
This report draws on the latest analysis published by Zimperium zLabs, along with expert commentary from security professionals at Black Duck and Sectigo.