Surge in mobile banking malware as attackers hijack financial apps


Android malware-driven financial transactions have increased 67 percent year-on-year, according to Zimperium zLabs, which tracked 34 active malware families targeting 1,243 financial brands across 90 countries in 2025.

These were not isolated incidents but sophisticated, scalable campaigns that continuously evolve to bypass app security controls and exploit the institutions and customers that depend on them. Modern banking trojans can intercept authentication codes, monitor sessions, and impersonate legitimate app activity, allowing them to conduct fraud undetected.

“Mobile banking malware has come a long way from simply stealing passwords. Today it can take full control of a customer’s device. What used to take highly skilled attackers weeks to build can now be put together and launched in days, and AI is making that even faster. The gap between what attackers can do and what defenders can keep up with has never been this wide. Mobile app security has to be where fraud prevention starts,” says Krishna Vishnubhotla, vice president of product strategy at Zimperium.

The report finds that the threat landscape has outpaced traditional defenses. The US has the highest concentration of targeted apps globally, with 162 banking applications under active targeting, up from 109 in 2023.

Three malware families — TsarBot, CopyBara, and Hook — dominate, collectively targeting more than 60 percent of the global banking and fintech apps analyzed. Nearly half of the malware families analyzed have financial extortion capabilities, including ransomware capabilities that allow attackers to encrypt files on the device.

Commenting on the findings, Boris Cipot, senior security engineer at Black Duck, says:

Today’s malware families don’t just steal credentials — they intercept authentication codes, monitor live sessions, and convincingly mimic legitimate app behavior. In many cases, attackers are effectively taking control of the device itself. It’s especially concerning that many of these campaigns now combine fraud with extortion, giving criminals multiple paths to monetize a single compromise.

This is why organizations can’t rely on application‑level security alone. You need visibility into the device. Detecting compromised phones, blocking malware abuse of accessibility features, and monitoring for suspicious behavior during an active session are all critical. Simply checking the login is no longer enough. Strong MFA and up‑to‑date mobile threat intelligence make a meaningful difference, but the broader mindset shift is essential: assume the device may already be hostile and build defenses that can adapt as quickly as these malware families do.

You can get the 2026 Banking Heist Report from the Zimperium site.

Image credit: bloomua/depositphotos.com