Mobile banking malware attacks nearly tripled in 2024, yet the trojans hiding in app stores look increasingly indistinguishable from legitimate software.
There was a time when avoiding malware on mobile devices followed a simple rule: stick to official app stores. Apple’s App Store and Google Play implemented review processes, scanned for malicious code, and removed offending applications. Users who avoided sideloading from unknown sources could feel reasonably protected.
That assurance has eroded considerably. Mobile banking trojan attacks surged 196% in 2024, reaching 1.24 million incidents compared to 420,000 the previous year. The number of users encountering mobile banking malware increased 3.6-fold, from approximately 69,000 in 2023 to nearly 248,000 in 2024. These aren’t infections from dubious third-party app stores. Many arrive through applications that passed official review processes and sat in legitimate marketplaces for weeks or months before detection.
SharkBot, first discovered in October 2021, exemplifies how sophisticated these threats have become. Four years later, the trojan remains active, continuously evolving its evasion techniques while targeting financial institutions across the United States, United Kingdom, and Italy.
How SharkBot operates
SharkBot’s primary innovation is its Automatic Transfer System (ATS), which initiates fraudulent wire transfers directly from compromised devices without requiring the attacker to manually interact with the victim’s banking application. This represents a significant advancement over earlier banking trojans that relied on credential theft alone.
The malware accomplishes its goals through multiple attack vectors working in concert. Keylogging captures everything typed on the device, including passwords and security codes. SMS manipulation intercepts and forwards text messages, defeating two-factor authentication that relies on codes sent to the phone. Overlay attacks display fake login screens that perfectly mimic legitimate banking apps, harvesting credentials when users attempt to access their accounts.
What makes SharkBot particularly dangerous is its modular architecture. The malicious application that passes app store review doesn’t contain the most dangerous code. Instead, it downloads additional modules from command-and-control servers after installation, effectively smuggling the payload past security scanners. The malware also employs emulator detection to identify when it’s running in a security researcher’s sandbox environment, lying dormant until installed on a real device.
SharkBot currently targets approximately 27 financial applications, including 22 banks in Italy and the United Kingdom and five cryptocurrency applications in the United States. For organizations concerned about how attackers exploit mobile channels, our analysis of mobile app fraud provides additional context on the broader threat landscape.
The app store security gap
The Anatsa banking trojan demonstrated just how porous app store defenses can be. In mid-2025, security researchers discovered Anatsa hiding inside a fake PDF reader application on Google Play that had been downloaded over 90,000 times before removal. The application functioned as advertised, opening and managing PDF files while simultaneously harvesting banking credentials in the background.
This pattern repeats across the mobile threat landscape. Applications present legitimate functionality that passes review, then activate malicious capabilities after installation through delayed payload delivery, remote configuration updates, or conditional triggers that activate only under specific circumstances. Security scanners examining the initial application see nothing alarming because the malware hasn’t revealed itself yet.
Google blocked 2.36 million malicious Android applications throughout 2024, a number that reflects both improved detection and the sheer volume of attempts. Yet 68,730 banking trojan installation packages still slipped through during the year. The math suggests a cat-and-mouse game where defenders are catching most threats but nowhere near all of them.
Regional targeting adds another layer of complexity. The Mamont Trojan family, which accounted for 36.7% of mobile banking malware incidents in 2024, concentrated its operations on Russia and Commonwealth of Independent States countries. ToxicPanda shifted from Southeast Asia to target Portugal and Spain. These geographic pivots make global coordination difficult and allow threat actors to exploit regulatory and language barriers.
Why traditional brand protection falls short
Organizations monitoring for brand impersonation typically focus on websites, domains, and social media profiles. Mobile applications represent a blind spot in many digital risk protection strategies.
The challenge is multifaceted. Legitimate app stores host millions of applications, making comprehensive monitoring resource-intensive. Malicious apps may use subtle variations of brand names, making them difficult to discover through simple keyword searches. The trojanized applications often target multiple financial institutions simultaneously, meaning any individual bank sees only a fraction of the threat.
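One way to look for the brand-name variations described above, shown as an added example that is not part of the original article or any vendor's tooling: it normalizes listing titles, then fuzzy-matches them against a protected brand and ignores the brand's own publisher. The brand, publishers, package names, lookalike map and 0.85 threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Small constructed lookalike map (digits, symbols, a few Cyrillic letters); not exhaustive.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i",
})

def skeleton(name):
    """Lowercase, strip accents, fold lookalikes, keep only letters and digits."""
    text = unicodedata.normalize("NFKD", name.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(ch for ch in text.translate(LOOKALIKES) if ch.isalnum())

def brand_similarity(brand, title):
    """Best fuzzy match of the brand against any brand-length window of the title."""
    b, t = skeleton(brand), skeleton(title)
    if not b or not t:
        return 0.0
    windows = [t[i:i + len(b)] for i in range(max(1, len(t) - len(b) + 1))]
    return max(SequenceMatcher(None, b, w).ratio() for w in windows)

def keyword_hit(brand, title):
    """The simple keyword search that misses subtle name variations."""
    return brand.lower() in title.lower()

def triage(brand, official_publishers, listings, threshold=0.85):
    """Return (package, score) for lookalike titles from publishers that are not the brand's."""
    hits = []
    for app in listings:
        score = round(brand_similarity(brand, app["title"]), 2)
        if score >= threshold and app["publisher"] not in official_publishers:
            hits.append((app["package"], score))
    return sorted(hits, key=lambda hit: -hit[1])

# Constructed listings for a hypothetical brand; no real apps or publishers.
LISTINGS = [
    {"package": "com.northwind.mobile", "title": "Northwind Bank", "publisher": "Northwind Bank PLC"},
    {"package": "com.nwb.secure.login", "title": "N0rthw1nd Bank - Secure Login", "publisher": "AppStudio 77"},
    {"package": "com.nwb.mobile.app", "title": "N\u043erthwind B\u0430nk Mobile", "publisher": "FinApps Global"},
    {"package": "com.pdf.tools.reader", "title": "PDF Reader & File Manager", "publisher": "DocTools"},
]

if __name__ == "__main__":
    for package, score in triage("Northwind Bank", {"Northwind Bank PLC"}, LISTINGS):
        print(package, score)
```

Both flagged titles fail the plain keyword check, which is why the normalization step comes first; the flagged list is a review queue, not a verdict on the apps.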
When Allure Security identified a SharkBot-infected application impersonating a partner’s banking app, it wasn’t through standard malware analysis. The discovery came through mobile application monitoring that scans app stores for unauthorized versions of protected brands. The malware detection was incidental to the primary mission of identifying fake mobile applications that abuse brand identity.
This highlights a critical insight: stopping mobile banking trojans from reaching your customers requires finding the distribution mechanism before the malware becomes relevant. By the time security vendors add a new trojan variant to their signature databases, thousands of devices may already be compromised.
The emerging threats
The mobile banking trojan landscape continues evolving. Albiriox, a new Malware-as-a-Service platform discovered in September 2025, sells turnkey mobile banking trojan capabilities to less technical criminals. This commoditization follows the same pattern seen in phishing-as-a-service and other attack-for-hire ecosystems, lowering barriers to entry while increasing attack volume.
Artificial intelligence is accelerating both offense and defense. Threat actors reportedly used AI to develop new Android malware variants, including AsyncRAT packages identified in late 2024. Meanwhile, detection systems increasingly rely on machine learning to identify suspicious application behavior that evades signature-based scanning.
The intersection of mobile threats with other attack vectors creates additional risk. Banking trojans harvest credentials that feed into credential stuffing attacks against web applications. Overlay attacks create opportunities for session hijacking. Compromised devices become platforms for voice phishing calls that appear to originate from legitimate numbers.
What security leaders should consider
Protecting customers from mobile banking trojans requires extending brand protection beyond traditional channels. Several approaches merit consideration:
Mobile app store monitoring identifies unauthorized applications using your brand name, logo, or visual identity before they accumulate significant download counts. Early detection enables faster removal through app store abuse reporting processes.
Customer education remains valuable despite its limitations. Guidance about downloading only from official sources, scrutinizing permission requests, and recognizing the signs of a compromised device helps security-conscious users. However, education alone cannot address trojans that pass app store review and request only expected permissions.
Behavioral analytics on the banking application side can detect when transactions originate from potentially compromised devices, flagging activity patterns consistent with ATS-based fraud for additional verification.
Coordinated threat intelligence sharing between financial institutions helps identify emerging campaigns before they reach full scale. The threat actors operate across borders and target multiple institutions; defenders benefit from similar coordination.
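The behavioral analytics approach above, sketched as an added example that is not from the original article or any bank's production rules: it counts signals on a transfer request that are consistent with automated (ATS-style) submission and maps them to a decision. The telemetry fields, signal names and thresholds are all hypothetical assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class TransferEvent:
    """Hypothetical per-transfer telemetry reported by the banking app and backend."""
    session_id: str
    seconds_since_login: float
    form_fill_seconds: float    # transfer screen shown -> submit pressed
    touch_events: int           # touch inputs observed on the transfer screen
    new_payee: bool
    amount: float
    typical_max_amount: float   # largest transfer in this customer's history

def ats_signals(ev):
    """Return the names of signals consistent with automated transfer submission."""
    signals = []
    if ev.form_fill_seconds < 3.0:                      # assumed floor for human typing
        signals.append("form_filled_faster_than_typing")
    if ev.touch_events == 0:
        signals.append("no_touch_input")
    if ev.new_payee and ev.seconds_since_login < 30:
        signals.append("new_payee_right_after_login")
    if ev.amount > 2 * ev.typical_max_amount:
        signals.append("amount_above_history")
    return signals

def decide(ev, step_up_at=2, hold_at=3):
    """Map the signal count to allow / step-up verification / hold for review."""
    count = len(ats_signals(ev))
    if count >= hold_at:
        return "hold_for_review"
    if count >= step_up_at:
        # Step-up should not rely on SMS codes, which these trojans intercept.
        return "step_up_verification"
    return "allow"

# Constructed sample events.
EVENTS = [
    TransferEvent("s-001", 95.0, 41.5, 37, False, 120.0, 500.0),
    TransferEvent("s-002", 12.0, 1.2, 0, True, 4800.0, 600.0),
    TransferEvent("s-003", 20.0, 25.0, 30, True, 1500.0, 600.0),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.session_id, decide(ev), ats_signals(ev))
```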
The Bottom Line
Mobile banking trojans have matured from crude credential stealers into sophisticated platforms that can initiate fraudulent transactions automatically while evading detection at multiple levels. The 196% increase in attacks during 2024 signals that these techniques are working well enough to attract continued investment from threat actors.
For financial institutions, the implication is clear: mobile channels require the same external threat monitoring applied to web properties and email. The applications your customers trust are only as secure as the ecosystem that distributes them, and that ecosystem has proven more porous than its gatekeepers acknowledge.
Key Takeaways
Mobile banking trojan attacks surged 196% in 2024, reaching 1.24 million incidents compared to 420,000 in 2023. The number of users encountering these threats increased 3.6-fold to approximately 248,000 globally.
SharkBot’s ATS capability initiates fraudulent wire transfers directly from compromised devices without requiring attackers to manually interact with the victim’s banking application. This allows automated theft once the malware is installed.
Malicious applications pass initial review by presenting legitimate functionality, then download additional malicious modules from command-and-control servers after installation. The Anatsa trojan, for example, functioned as a real PDF reader while secretly harvesting banking credentials.
Google blocked 2.36 million malicious Android applications in 2024. Despite this, 68,730 banking trojan installation packages still reached users during the year, demonstrating the scale of the ongoing threat.
SharkBot currently targets approximately 27 financial applications, including 22 banks in Italy and the United Kingdom and five cryptocurrency applications in the United States. The malware continues to evolve and expand its target list.



