Global Mobile Banking Malware Surge Targets 1,243 Financial Brands Across 90 Countries
Zimperium zLabs reports a 56% increase in Android banking trojan attacks in 2025, with 1,243 financial brands targeted across 90 countries as malware families like TsarBot, CopyBara, and Hook dominate the threat landscape.

A global surge in mobile banking malware targeting 1,243 financial brands across 90 countries is reshaping the fraud landscape, with attacks now originating primarily on user devices, according to Zimperium zLabs. The firm's latest report examined 34 active malware families affecting apps with more than three billion downloads, revealing what analysts describe as industrialised, large-scale campaigns that are evolving faster than traditional banking defences.
Mobile banking is now the dominant channel for consumers, with 54% relying on apps to manage accounts. As usage has increased, so has exposure to risk. The report highlights a sharp rise in malicious activity, including a 56% increase in Android banking trojan attacks in 2025 and a 271% jump in unique malware packages to 255,090. Online fraud rose 21% between 2024 and 2025, while one in 20 verification attempts is now considered fraudulent. Overall, 80% of fraud occurs through online or mobile platforms.
Attackers are exploiting weak points in mobile applications. More than 60% of banking apps lack basic code protection, allowing criminals to reverse engineer systems and tailor attacks before targeting users. Modern malware has progressed beyond credential theft, enabling attackers to control devices and operate within legitimate banking sessions. As a result, fraudulent activity often appears indistinguishable from normal user behaviour.
Three malware families—TsarBot, CopyBara, and Hook—accounted for more than 60% of banking and fintech app targeting. New variants such as Sturnus and Crocodilus introduce advanced techniques, including 'blackout' modes that allow transactions to occur while a device appears inactive. 'Today's malware families don't just steal credentials, they intercept authentication codes, monitor live sessions, and convincingly mimic legitimate app behavior,' said Boris Cipot, senior security engineer at Black Duck.
The threat is global but unevenly distributed. The US has 162 targeted banking apps, the highest concentration worldwide, followed by the UK with 69, Spain with 65, and Italy with 52. Rapidly digitising markets, including India (42), Vietnam (23), and Malaysia (17), are also heavily targeted. Artificial intelligence is accelerating attacks, enabling faster reverse engineering and the use of deepfakes to bypass identity checks.
'The frontline of financial fraud has migrated from backend infrastructure to the customer's mobile device,' said Jason Soroko, senior fellow at Sectigo. 'With threat actors deploying automated trojans to hijack legitimate banking sessions, traditional server-side fraud controls are rendered blind.' The researchers concluded that financial institutions must prioritise mobile app security to defend against such threats, as backend-focused defences alone are no longer sufficient.