Mobile Banking Trojans Surge, Doubling in Volume

Mobile malware developers were busy bees in 2022, flooding the cybercrime landscape with twice as many banking Trojans as the year before.

Nearly 200,000 new mobile banking Trojans emerged in 2022 — a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

That's according to Kaspersky's "Mobile Threats in 2022" report, which also detailed that the firm detected 1.6 million installers for mobile malware within its telemetry during the year. That's actually a decline in threat activity (down from 3.5 million in 2021 and 5.7 million in 2020), even as malware creation surges ahead.

"This drastic increase [in banking Trojan development] signifies that cybercriminals are targeting mobile users and are increasingly more interested in stealing financial data and actively investing in the creation of new malware," according to the report, released today. It added, "The cybercriminal activity leveled off in 2022, with attack numbers remaining steady after a decrease in 2021. That said, cybercriminals are still working on improving both malware functionality and spread vectors."

Banking Trojans are built to steal mobile bank account credentials or e-payment details, but they can often be repurposed for other kinds of data theft or used to install additional malware. Infamous malware strains like Emotet and TrickBot, for instance, began life as banking Trojans and quickly evolved to become something much more all-purpose.

Kaspersky's report noted that while unofficial app stores of course pose the greatest potential for encountering a banking Trojan, Google Play has been repeatedly populated with "downloaders for banking trojan families, such as Sharkbot, Anatsa/Teaban, Octo/Coper, and Xenomorph, all disguised as utilities."

Sharkbot, for instance, was found masquerading as a file manager that seems benign (and can evade Google's vetting process) — until it's installed. At that point, it requests permission to install additional packages that will together carry out the malicious banking Trojan activity.
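A defender-side triage check for the dropper pattern described above, as an added example that is not from the article or from Kaspersky's report: it scans decoded Android manifests for apps that declare the ability to install other packages. It assumes the behavior maps to Android's `REQUEST_INSTALL_PACKAGES` (or the privileged `INSTALL_PACKAGES`) permission and that the manifests were already decoded to text XML; the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Assumption: "permission to install additional packages" corresponds to these.
INSTALL_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # app may prompt the user to sideload APKs
    "android.permission.INSTALL_PACKAGES",          # privileged/system apps only
}

# Constructed sample manifests (decoded text XML), keyed by a hypothetical package name.
SAMPLE_MANIFESTS = {
    "com.example.filemanager": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="File Manager"/>
</manifest>""",
    "com.example.notes": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>""",
}

def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    # For manifests from untrusted APKs, a hardened parser such as defusedxml is safer.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(f"{{{ANDROID_NS}}}name")
            if name:
                perms.add(name)
    return perms

def triage(manifests):
    """Map package -> install-capable permissions; unparseable manifests are flagged too."""
    findings = {}
    for package, xml_text in manifests.items():
        try:
            hits = declared_permissions(xml_text) & INSTALL_PERMS
        except ET.ParseError:
            findings[package] = ["<unparseable manifest>"]  # malformed input deserves review
            continue
        if hits:
            findings[package] = sorted(hits)
    return findings

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_MANIFESTS).items():
        print(pkg, hits)
```

A hit is a reason to review the app, not a verdict: legitimate file managers and app stores request the same permission.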