Banking Trojans

Banking trojans are malicious software programs that steal financial and sensitive data from mobile devices like smartphones and tablets.

Banking trojans often masquerade as legitimate apps or hide within seemingly innocuous programs, and they can undermine the security of a mobile banking app and its users in several ways. 


How Banking Trojans Can Compromise Mobile App Security

Infiltration and Concealment

  • Banking trojans reach a user’s device when the user installs an app from an unofficial app store, clicks a malicious link, or opens a malicious email attachment.

  • Once on the device, a banking trojan hides itself from both the user and security software to avoid detection. 

Keylogging

  • Banking trojans can record keystrokes while the user interacts with a mobile banking app, collecting sensitive information such as login credentials, PINs, and account numbers typed during the session.

  • The recorded data is transmitted to the attacker, who uses it to gain unauthorized access to the user’s account.

Screen Overlay Attacks

  • Banking trojans may draw a fake login screen on top of your mobile banking app’s legitimate interface; users who enter their credentials into it unknowingly hand them to the attacker. A well-made overlay is extremely difficult for users to distinguish from the real login screen.

Stealing SMS Messages

  • Certain banking trojans intercept SMS messages carrying the one-time passwords (OTPs) or authentication codes that your bank sends for two-factor authentication.

  • With the intercepted code, the attacker bypasses the second layer of security and gains entry to the individual’s account. 

Remote Control and Data Exfiltration

  • Banking trojans frequently connect to an attacker’s command and control (C2) server, which lets the attacker control the infected device remotely and exfiltrate data from it.

  • Through this channel the attacker can initiate transactions, change device or app settings, and extract personal and financial data from the device.

Evading Detection

  • Banking trojans constantly change their code to evade security software and app store security checks.

  • They use obfuscation and encryption to disguise both their malicious code and their traffic to C2 servers, so that neither raises suspicion. 

What Are the Different Types of Banking Trojans?

Banking trojans come in various forms and may use different techniques to compromise mobile banking apps. Here are some common types of banking trojans:

Keylogger Trojans

  • Keyloggers are trojans that capture keystrokes made by the user on their mobile device. Keystroke logging can include usernames, passwords, PINs, and other sensitive information.
  • Keyloggers operate in the background, recording every keystroke and sending the collected data to the attacker.

Screen Scraper Trojans

  • Screen scrapers capture the contents of the device’s screen, allowing attackers to see what the user is doing on their device.
  • They are particularly dangerous when users are interacting with mobile banking apps, as they can capture account balances, transaction details, and even OTPs.

Overlay Trojans

  • Overlay trojans are known for their ability to create fake login screens that overlay legitimate apps, including mobile banking apps.
  • When users enter their login credentials, they unwittingly provide them to the attacker. Overlay trojans can be very convincing and challenging to detect.

SMS Intercept Trojans

  • These trojans intercept SMS messages sent to the user’s device, including one-time passwords (OTPs) or authentication codes.
  • By capturing these codes, attackers can bypass two-factor authentication and gain access to the user’s accounts.

Remote Access Trojans (RATs)

  • RATs provide attackers with remote control over the infected device, allowing them to perform various actions.
  • Attackers can initiate transactions, change settings, or exfiltrate sensitive data from the device.

Man-in-the-Browser (MitB) Trojans

  • MitB trojans infect the web browser on the user’s device and manipulate web transactions.
  • They can alter the content displayed in the browser, tricking users into authorizing fraudulent transactions.

Evolutionary Trojans

  • Banking trojans are continually evolving to evade detection and improve their capabilities.
  • They may incorporate advanced obfuscation techniques, anti-analysis methods, or even use legitimate app distribution channels to infect devices.

Proxy Trojans

  • Proxy trojans redirect the device’s internet traffic through a proxy controlled by the attacker.
  • This redirect allows attackers to intercept and manipulate data transmitted between the user’s device and banking servers, potentially altering transactions or capturing sensitive data.

SMS Spamming Trojans

  • Some banking trojans send SMS messages to premium-rate numbers, resulting in financial losses for the user.
  • They can also flood the device with spam SMS messages to distract and confuse users.

Camouflage Trojans

  • Camouflage trojans mimic legitimate apps, including mobile banking apps, to fool users into downloading and installing them.
  • They often use similar icons and names to appear genuine.

Developers must implement robust security measures, regular code audits, and user education to protect a mobile banking app and its users from these banking trojans. Stay informed about emerging threats and security best practices to keep your app secure in the constantly evolving landscape of mobile banking security.

Mobile Banking App Security Best Practices for Countering Banking Trojans

Safeguarding your mobile banking app and its users from banking trojans is paramount. Implementing cybersecurity best practices can help ensure the security and integrity of your application. Here are some critical best practices:

Secure Coding Practices:

  • Follow secure coding standards and best practices to prevent vulnerabilities in your mobile banking app’s code, including input validation, output encoding, and proper encryption of sensitive data.

Regular Security Audits and Penetration Testing:

  • Regularly conduct security audits and penetration testing to identify and address vulnerabilities. Auditing and penetration testing should be ongoing, not a one-time event.

App Hardening:

  • Implement app hardening techniques to make it more difficult for attackers to reverse engineer and tamper with your app’s code. App hardening can include code obfuscation and anti-tamper measures.

Two-Factor Authentication (2FA):

  • Encourage users to enable 2FA for their accounts. Implement robust 2FA methods that don’t rely solely on SMS, such as an authenticator app or in-app approval, because banking trojans can intercept SMS messages.

Secure Data Storage and Transmission:

  • Ensure that sensitive data, such as user credentials and financial information, is stored securely on the device (for example in the platform keystore rather than in plain files) and is transmitted only over encrypted channels (TLS).

User Education:

  • Educate your users about safe mobile banking practices. Encourage them to download the official app from trusted sources, avoid clicking on suspicious links, and be cautious when granting app permissions.

Real-time Monitoring:

  • Implement real-time monitoring of user activities within your app and network traffic, which can help detect and respond to suspicious behavior promptly.

Secure APIs and Server-side Security:

  • Secure the APIs your mobile banking app uses to communicate with the server. Implement strong authentication and authorization mechanisms on the server side to prevent unauthorized access.
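Real-time monitoring and server-side authorization together are the practical defense against the automated-transfer fraud described later on this page, where malware on the phone swaps the beneficiary IBAN after the user has approved a transfer. The following is an added example, not code from the original page or from Zimperium, of two server-side checks: an ISO 13616 checksum test for the IBAN itself, and a confirmation token that binds the exact beneficiary and amount the user approved so that a later submission with a different IBAN is rejected. The user names, amounts, server key and IBANs (the two textbook example IBANs) are constructed for the demo; the class and method names are this example's own.

```python
"""Added example: server-side detection of a swapped beneficiary IBAN (ATS pattern).

Illustrative code only; not Zimperium's and not any bank's implementation.
Assumptions: the confirmation screen (ideally backed by an out-of-band prompt)
calls issue() with what the user actually saw, and the final transfer request
must echo that token; the server key and the TTL are deployment choices.
"""
import hashlib
import hmac
import secrets
import time


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map A..Z to
    10..35, and require the resulting integer to be 1 modulo 97. Any single
    altered digit changes the remainder, so a clumsy edit is caught here."""
    s = normalize_iban(iban)
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


class TransferConfirmations:
    """Issues and verifies tokens that bind (user, beneficiary, amount) at the
    moment of approval. The final /transfer call is rejected if any field
    differs, if the token is expired, forged, or reused."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300):
        self.key = server_key
        self.ttl = ttl_seconds
        self.spent = set()  # nonces already redeemed

    def _mac(self, *fields) -> str:
        msg = "|".join(str(f) for f in fields).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, iban: str, amount_cents: int, now=None) -> str:
        now = int(time.time()) if now is None else now
        iban = normalize_iban(iban)
        if not iban_is_valid(iban):
            raise ValueError("beneficiary IBAN fails checksum")
        nonce = secrets.token_hex(8)
        mac = self._mac(user_id, iban, amount_cents, now, nonce)
        return f"{user_id}|{iban}|{amount_cents}|{now}|{nonce}|{mac}"

    def verify(self, token: str, user_id: str, iban: str, amount_cents: int, now=None):
        """Returns (accepted, reason). Reasons are meant for the fraud log."""
        now = int(time.time()) if now is None else now
        try:
            t_user, t_iban, t_amount, t_issued, nonce, mac = token.split("|")
            t_amount, t_issued = int(t_amount), int(t_issued)
        except ValueError:
            return False, "malformed token"
        expected = self._mac(t_user, t_iban, t_amount, t_issued, nonce)
        if not hmac.compare_digest(expected, mac):
            return False, "token forged or tampered"
        if now - t_issued > self.ttl:
            return False, "confirmation expired"
        if nonce in self.spent:
            return False, "confirmation replayed"
        if t_user != user_id:
            return False, "token belongs to another user"
        if normalize_iban(iban) != t_iban:
            return False, "beneficiary changed after confirmation (ATS pattern)"
        if amount_cents != t_amount:
            return False, "amount changed after confirmation"
        self.spent.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    confirmations = TransferConfirmations(b"demo-server-key")
    # Constructed scenario: the user approved 250.00 to the first IBAN; malware
    # on the phone then submits the transfer with the attacker's IBAN.
    token = confirmations.issue("alice", "GB82 WEST 1234 5698 7654 32", 25000)
    print(confirmations.verify(token, "alice", "DE89 3704 0044 0532 0130 00", 25000))
    print(confirmations.verify(token, "alice", "GB82 WEST 1234 5698 7654 32", 25000))
```

The checksum alone is not a fraud control (the attacker's account has a valid IBAN too); its job is input validation. The binding token is what stops the swap, and logging the reason string gives the monitoring pipeline a precise signal to alert on.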

App Whitelisting and Code Signing:

  • Use code signing so that tampered builds of your app are rejected. Where the platform supports it, use app whitelisting (allow-listing) so that only trusted apps can run on the user’s device.

Regular Updates and Patch Management:

  • Keep your mobile banking app and its dependencies up-to-date with the latest security patches. Promptly address any security vulnerabilities that are discovered.

Third-party Library Review:

  • Carefully review and vet any third-party libraries or components used in your app for security vulnerabilities. Keep them updated as well.

Incident Response Plan:

  • Develop an incident response plan to handle security breaches or suspected compromises. Ensure that your team knows how to respond quickly and effectively.

Collaborate with Security Experts:

  • Work with cybersecurity experts and consider conducting security assessments and code reviews by external specialists to identify potential weaknesses in your app.

Compliance with Regulations:

  • Stay informed about and adhere to industry-specific regulations and mobile banking app security standards, such as PCI DSS and GDPR.

Regular Security Training:

  • Provide ongoing security training for your development and operations teams to keep them up-to-date with the latest threats and security best practices.

Security should remain a priority throughout the development lifecycle and beyond. By implementing these cybersecurity best practices, you can significantly enhance the security of your mobile banking app and protect your users from the risks posed by banking trojans and other malicious threats. 

What Are The Major Banking Trojan Families?

The following banking trojan families have posed significant threats to mobile banking apps and their users. It’s essential to stay informed about these threats, their evolving tactics, and the security measures necessary to protect your app and users against them. Regularly updating your app and following security best practices can help mitigate these risks.

  • BianLian: BianLian is a sophisticated and evolving banking trojan that primarily targets Android devices. First observed in 2018, BianLian is known for its complex and constantly changing nature, making it a significant challenge for mobile security experts. BianLian employs many common techniques, including SMS interception, the ability to lock the device, and overlay attacks to steal credentials. 
  • Cabassous: Cabassous is a modular banking trojan that can be customized to target specific banks and financial institutions. It is typically distributed through SMS phishing messages that contain a malicious link. Once the link is clicked, the trojan is installed on the victim’s device. The trojan attempts to prompt users to enter their login credentials using the overlay attack technique.
  • Coper: Coper is a modular banking trojan that can be customized to target specific banks and financial institutions. It is typically distributed through SMS phishing messages that contain a malicious link. Once this malware is installed on the user’s device, it leverages social engineering and the accessibility services feature to disable Google Play Protect and install additional malicious apps. 
  • EventBot: EventBot is a sophisticated Android trojan that targets financial apps, including mobile banking apps. It is known for its advanced capabilities and ability to steal sensitive information from infected devices. EventBot’s primary goal is to harvest financial data and credentials to carry out fraudulent transactions and illicit activities.
  • ExobotCompact.D (Octo): ExobotCompact.D, also known as Octo, is a modular banking trojan that steals sensitive information from mobile banking apps and can be customized to target specific banks and financial institutions. It is typically distributed through SMS phishing messages containing malicious links.
  • FluBot: FluBot is a sophisticated Android banking trojan that spreads via SMS phishing, enticing users to click on malicious links. FluBot first emerged in late 2020 and focuses on stealing sensitive information, particularly banking credentials and personal data.
  • Medusa Trojan: The Medusa trojan is a banking trojan that spreads via SMS phishing, enticing users to click on malicious links. Once installed, it asks the device user to grant it the accessibility services permission, which it then abuses to grant itself further permissions. The trojan features many capabilities, including keylogging, stealing data from the clipboard, screencasting, and sending event logs to a command-and-control server. 
  • SharkBot: SharkBot is a banking trojan that primarily targets money transfers, using the Automatic Transfer System (ATS) technique to bypass a bank’s multi-factor authentication mechanisms. When a user tries to transfer funds to another bank account, the malware changes the International Bank Account Number (IBAN) the user entered to the attacker’s account.
  • TeaBot: TeaBot is an Android banking trojan with a largely standard feature set but one of the largest target lists of financial institutions. Once on a victim’s device, the trojan checks which applications are installed, and when it finds a targeted banking app it downloads a payload specific to that app. TeaBot typically spreads through malicious apps or phishing campaigns.
  • Xenomorph: Xenomorph is a banking trojan that was distributed on the Google Play app store, billed as a “Fast Cleaner” app. More than 50,000 users downloaded Xenomorph. Xenomorph employs many common trojan tactics, such as stealing SMS messages, intercepting notifications, bypassing two-factor authentication, and using overlay attacks to steal credentials. 
  • Zbot: Zbot, also known as Zeus, is one of the most notorious banking trojans. It primarily targets Windows devices but has variants that affect mobile platforms. It is known for its sophisticated capabilities, including keystroke logging, form grabbing (capturing data entered into web forms), and man-in-the-browser attacks. Zbot variants often use social engineering techniques to trick users into downloading malicious files or clicking on malicious links.
  • Svpeng: Svpeng is a banking trojan that primarily targets Android devices. It uses overlay attacks to display fake login screens on top of legitimate apps, including mobile banking apps, to steal user credentials. Svpeng is also known for its ransomware capabilities, locking the device and demanding a ransom from the victim.
  • Marcher: Marcher is another Android-focused banking trojan active for several years. It primarily spreads through malicious apps or phishing campaigns and can intercept SMS messages containing OTPs. Marcher has a wide range of targets, including banks in multiple countries.
  • Anubis: Anubis is an Android banking trojan known for its ability to perform sophisticated financial data theft. It can capture screenshots, record keystrokes, and steal SMS messages, making it highly effective at stealing sensitive banking information. Anubis often masquerades as legitimate apps to trick users.
  • Ginp: Ginp is an Android banking trojan that initially started as a simple SMS stealer but evolved into a more potent threat. It specializes in stealing credit card information by intercepting SMS messages containing card details. Ginp also uses overlay attacks to steal login credentials from banking apps.
  • Cerberus Trojan: Cerberus is an Android banking trojan available for rent on underground forums. It has features such as keylogging, screen recording, and the ability to control the infected device remotely. Cerberus is constantly updated to evade detection and improve its capabilities.
  • BankBot: BankBot is an Android banking trojan that spreads through fake apps in third-party app stores. It uses overlay attacks to steal login credentials and intercept SMS messages containing OTPs. BankBot has been a persistent threat in the Android ecosystem.
  • Emotet (formerly a banking trojan): Emotet was initially a banking trojan but has evolved into a multifunctional malware platform. It is primarily distributed through malicious email attachments and has been involved in spreading other malware, including ransomware. Emotet’s primary goal is to establish a foothold in a system, which can later be used to deliver other malware payloads, including banking trojans.
