
Securing Modern Banking Applications – Do’s and Don’ts

It’s no secret that banking applications – both traditional and emerging fintech apps – remain a prime target for financially motivated cyberattacks. Cybercriminals are money-motivated, targeting the applications and institutions with the potential for the highest reward. Recent research found that traditional banking apps accounted for 61% of the apps targeted by 29 specific banking trojans last year, while emerging fintech and trading apps accounted for the other 39%. The legacy security mechanisms employed by traditional apps, such as strong passwords, domain-based security, one-time passwords (OTP) and multi-factor authentication (MFA), aren’t making the cut. Banks and financial institutions offering modern apps and software – for both employees and customers – need to adopt an on-device protection strategy, where threats are neutralized at the point of occurrence, all while maintaining a seamless user experience. To keep banking applications secure in the face of evolving threats, organizations need to be mindful of a few things.

What are banking applications up against?

Using advanced techniques, modern banking malware has outpaced and undermined traditional mobile app security measures. In 2023, Zimperium’s zLabs team discovered 10 new active banking malware families targeting banking applications. The 19 adversaries who persisted from 2022 also revealed new capabilities that show a relentless pursuit of financial exploitation. These new capabilities all exhibit highly evasive characteristics, showing the ability to sneak past traditional security tooling. For example, these trojans exhibited a tactic called an Automated Transfer System (ATS) module, allowing cybercriminals to automate fraud by extracting credentials and account balances, initiating unauthorized transactions, obtaining multi-factor authentication (MFA) tokens, and authorizing fund transfers.

An example of a banking trojan using an ATS module is PixPirate, a new Android banking malware discovered by researchers at Cleafy. PixPirate belongs to the newest generation of trojans that are capable of making unauthorized money transfers via mobile banking apps using the instant payment platform Pix. GoatRat, PixBankBot and Xenomorph are other trojans utilizing this tactic.

So what makes trojans so successful in their attacks against mobile banking applications? Users are much more susceptible to mobile-based phishing attacks than to phishing attacks delivered through other devices. Based on last year’s Global Mobile Threat Report data from Zimperium, as well as data from the Anti-Phishing Working Group (APWG), financial services is the most targeted sector, accounting for 23% of documented phishing attacks. Financial services firms have been targeted 60% more than the next most targeted sector, social media. There are also many trojan applications masquerading as legitimate applications in app stores, so there is already preconceived trust among users.

Best practices for security leaders and consumers

To protect banking apps from this stream of constantly evolving threats, IT and security leaders at banking institutions need to ensure that their protection measures match the level of sophistication of threat actors. First, they need advanced code protection techniques to fight attackers who are able to bypass rudimentary code protections. Second, they need to enable runtime visibility across the various threat vectors, including device, network, application, and phishing. This real-time insight allows for active identification and reporting of risks, threats, and attacks. And lastly, but just as importantly, it’s crucial for leaders to prioritize on-device protection mechanisms that enable apps to take immediate action upon threat detection.

The consumer also plays a pivotal role in the security of their mobile banking. As the device user, consumers and/or employees need to beware of banking applications that ask for a large number of accessibility permissions. Granting accessibility permissions without closely looking at what they are requesting can be risky because these permissions can give apps broad control over a device’s functionality. Banking trojans will often ask for and then exploit accessibility features to automate transactions, capture sensitive data (such as passwords) or overlay fake login screens on legitimate banking apps. Even when an app is legitimate, consumers should still proceed with caution, knowing that trojans will often use this “preconceived trust” as a launching pad for their destructive attacks.
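The on-device protection recommended above, and the accessibility and overlay abuse just described, can be turned into a concrete pre-login check. The Kotlin below is an added example, not code from Zimperium or from the article: it flags enabled accessibility services that are neither part of the system image nor on a bank-defined allowlist (the allowlist contents here are hypothetical), and it hardens the login activity against taps delivered through an overlay window.

```kotlin
// Added example (not from the original article): minimal on-device posture check
// a banking app could run before showing its login screen.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.view.accessibility.AccessibilityManager

/** Outcome of the check: packages whose accessibility service we cannot vouch for. */
data class AccessibilityRisk(val suspiciousServices: List<String>) {
    val isClean: Boolean get() = suspiciousServices.isEmpty()
}

/** Hypothetical allowlist; a real deployment would fetch this from the bank's backend. */
private val ALLOWED_ACCESSIBILITY_PACKAGES = setOf("com.google.android.marvin.talkback")

/** Lists enabled accessibility services and keeps the ones that are not system apps
 *  and not explicitly allowlisted. These are the services a trojan would register
 *  to read screen content, capture input, or drive an ATS-style transfer. */
fun checkAccessibilityServices(context: Context): AccessibilityRisk {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    val suspicious = enabled.mapNotNull { info ->
        val pkg = info.resolveInfo.serviceInfo.packageName
        if (pkg in ALLOWED_ACCESSIBILITY_PACKAGES) return@mapNotNull null
        val isSystem = try {
            (pm.getApplicationInfo(pkg, 0).flags and ApplicationInfo.FLAG_SYSTEM) != 0
        } catch (e: PackageManager.NameNotFoundException) {
            false // package vanished between enumeration and lookup; treat as untrusted
        }
        if (isSystem) null else pkg
    }
    return AccessibilityRisk(suspicious)
}

/** Hardens the login activity against fake-screen overlays placed on top of it. */
fun hardenLoginScreen(activity: Activity) {
    // Discard touch events that arrive while another window partially covers this one.
    activity.window.decorView.filterTouchesWhenObscured = true
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        // API 31+: hide non-system overlay windows above this activity.
        // Requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        activity.window.setHideOverlayWindows(true)
    }
}
```

A bank's login flow would call `hardenLoginScreen` in `onCreate` and, when `checkAccessibilityServices(...).isClean` is false, hold the session and report the offending package names to its fraud backend rather than simply proceeding.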

Consumers should also avoid downloading banking apps from unvetted sources, such as third-party app stores that lack the rigorous security controls of the official Apple App Store and Google Play store. Lastly, beware of phishing emails, URLs or texts that look legitimate. Threat actors will often reverse-engineer banking apps to steal logos and other icons in order to imitate the actual app.

Banking applications are just the beginning. Fifty percent of the malware families analyzed by the zLabs team already target payment apps, neobanks, and crypto wallets, and even more applications in these categories are expected to be targeted in the future. A truly mobile-powered business needs a mobile-first security strategy – and banking institutions offering apps and software for their users should rethink their traditional security tooling so as not to fall victim to highly evasive mobile banking trojans.