Pocket Trojans: How Mobile Banking Malware Works
One sunny April morning, my breakfast was interrupted by a call from a friend—an entrepreneur in the freight business. With a trembling voice, he told me that two million rubles had mysteriously vanished from his bank account. The bank’s support team simply shrugged and told him to file a police report, since the transfers were made through the mobile app and confirmed via SMS, making them appear as legitimate transactions. “You’re a programmer,” my friend groaned, “what should I do?” Unfortunately, it was already too late. The theft was carried out by a banking trojan that had been lurking on his smartphone long before the incident. The only way to prevent such losses is to understand how these malicious programs work and how to fight them—which is exactly what we’ll do now.
The Early Days: Android Banking Trojans
The first full-fledged banking trojans for Android appeared back in 2011. Before that, there were already malicious programs capable of forwarding incoming SMS messages—including mTAN codes (mobile transaction authentication numbers)—to attackers. Some trojans could even use USSD commands to transfer money from a card linked to the phone or check account balances. However, these early threats were limited in functionality compared to their desktop counterparts.
Everything changed with the arrival of Android.SpyEye. This trojan worked in tandem with the SpyEye malware for Windows, allowing it to bypass two-factor authentication. Here’s how it worked:
- When a user with an infected Windows PC visited their bank’s website, the trojan injected a piece of HTML code into the page. Since the injection happened on the client side, the URL and HTTPS connection looked legitimate, so victims suspected nothing.
- The injected message claimed the bank had changed its security policy and required users to install a small mobile app (about 30 KB) for security reasons. This app was, of course, the Android.SpyEye trojan.
- The trojan created no icons and could only be found in the running processes list as “System.” Its main job was to intercept all incoming SMS messages and forward them to a command server.
When the victim entered their login and password on the bank’s website, the Windows trojan captured and sent them to the attackers. The criminals could then log in to the bank’s system, but the bank would send a verification code via SMS. The mobile trojan intercepted this code and sent it to the attackers, allowing them to drain the account.
The main challenge for this scheme was synchronizing the desktop and mobile components, but malware authors soon solved this. SpyEye caused havoc among banking users for several months until antivirus companies caught up and its activity faded.
Mobile Bankers: The Next Generation
As banks moved their client services from desktops to Android apps, malware authors shifted their focus entirely to mobile banking trojans. For them, an Android smartphone with a banking app is a walking wallet.
Like other Android malware, banking trojans often masquerade as useful apps—such as “universal video codecs” or Flash players—and sometimes even make it into the official Google Play store. Their malicious features are hidden and may only activate after an update or a delay. In some cases, trojans were embedded in modified versions of real banking apps and distributed via fake bank websites, luring victims through phishing emails.
Another common infection method is phishing SMS messages. For example, users of classified ad sites might receive a message offering a trade, addressed by name to lower suspicion. The link in the SMS leads to a page that detects the user’s device and mobile carrier, then redirects to a fake MMS notification page styled to match the carrier. Clicking the button downloads the trojan.
Early mobile bankers were simple. If they needed admin rights, they would repeatedly display a window demanding them until the user gave in. Some trojans used tricks to fool users—for example, Android.BankBot.29 disguised its admin rights request as a Google Play update prompt. Tapping “Yes” would actually grant the trojan admin privileges. Others requested Accessibility Service permissions, then enabled admin rights themselves.
Once installed, the trojan would sit in memory, waiting for the banking app to launch. When it did, the trojan would overlay a fake login form, capturing credentials and sending them to the command server. The trojan’s configuration could include dozens of fake forms mimicking popular banks. It would also intercept and forward SMS one-time passwords, hiding incoming messages from the victim to avoid suspicion.
It’s hard to estimate how much money has been stolen this way, but the sums are likely in the six-figure range. Even if the trojan couldn’t access the bank account, it often stole card details using fake Google Play card-linking windows. While it’s hard to buy expensive goods with stolen card info, attackers can easily pay for online games or music, as these services rarely check payment details thoroughly.
Bankbots: The Evolution of Mobile Bankers
Bankbots are an offshoot of mobile banking trojans. While regular banking trojans work more or less autonomously, bankbots can receive and execute commands on the infected device.
Commands can be sent via HTTP (often in JSON format), SMS, or even through special Telegram channels. Most bankbots can enable or disable SMS interception, hide certain messages, mute the phone, send messages to specified numbers, or execute USSD commands. Attackers can also change the command server address or the phone number used for data exfiltration.
Many bankbots can download and install APK files specified by the attacker, infecting the device with additional malware. Some can display custom activities on the phone, enabling advanced phishing and fraud schemes. Nearly all can steal contacts, SMS conversations, and other confidential data, and even forward incoming calls to a specified number. Some trojans have self-defense features, monitoring running processes and attempting to kill antivirus apps using admin rights.
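The behaviours described in the two sections above (a hidden app with no icon, high-priority SMS interception, admin-rights and Accessibility Service abuse, overlays for fake login forms, sending SMS, dialling USSD codes, installing further APKs, harvesting contacts) all leave traces in an app's manifest before it ever runs. The following Python script is an added example, not code from the article or from any of the malware families it names: it reads a decoded AndroidManifest.xml (plain XML, as apktool produces) and lists those traces as triage findings. The two manifests embedded at the bottom are constructed samples, and their package and component names are invented.

```python
"""Static triage of a decoded AndroidManifest.xml for mobile-banker indicators.
Added example, not the article's code. Assumes the manifest is already plain
XML (apktool output); the sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Declared permissions that map onto behaviours the article describes.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sees incoming SMS (one-time code interception)",
    "android.permission.READ_SMS": "reads stored SMS conversations",
    "android.permission.SEND_SMS": "sends SMS to attacker-chosen numbers",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (fake login overlays)",
    "android.permission.CALL_PHONE": "places calls / dials USSD codes",
    "android.permission.READ_CONTACTS": "harvests the contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs further APKs",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def attr(el, name):
    """Read an android:* attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def intent_filters(component):
    """Yield (filter element, action names, category names) per intent-filter."""
    for f in component.findall("intent-filter"):
        yield (f, {attr(a, "name") for a in f.findall("action")},
               {attr(c, "name") for c in f.findall("category")})


def triage_manifest(xml_text):
    """Return {"package", "findings": [(indicator, detail), ...], "score"}.
    Score = number of distinct indicators: a triage aid, not a verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.findall("uses-permission"):
        name = attr(up, "name")
        if name in RISKY_PERMISSIONS:
            findings.append(("permission:" + name.rsplit(".", 1)[-1], RISKY_PERMISSIONS[name]))

    app = root.find("application")
    has_launcher = False
    for comp in ([] if app is None else list(app)):
        if comp.tag in ("activity", "activity-alias"):
            for _, actions, cats in intent_filters(comp):
                if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                    has_launcher = True
        elif comp.tag == "receiver":
            if attr(comp, "permission") == BIND_DEVICE_ADMIN:
                findings.append(("device-admin", "asks to become a device administrator (hard to remove)"))
            for f, actions, _ in intent_filters(comp):
                if SMS_RECEIVED in actions:
                    try:
                        prio = int(attr(f, "priority") or 0)
                    except ValueError:  # resource reference, not resolvable from XML alone
                        prio = 0
                    detail = "SMS_RECEIVED receiver with priority %d" % prio
                    if prio >= 999:
                        detail += " (high: ordered ahead of the messaging app)"
                    findings.append(("sms-receiver", detail))
        elif comp.tag == "service" and attr(comp, "permission") == BIND_ACCESSIBILITY:
            findings.append(("accessibility-service", "can click through prompts on the user's behalf"))
    if not has_launcher:
        findings.append(("no-launcher-icon", "no MAIN/LAUNCHER activity: invisible in the app drawer"))
    return {"package": root.get("package"), "findings": findings,
            "score": len({key for key, _ in findings})}


# Constructed sample: a "video codec" app with banker-style declarations.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videocodec">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System">
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher icon and only INTERNET.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print("%s: score %d" % (r["package"], r["score"]))
        for key, detail in r["findings"]:
            print("  [%s] %s" % (key, detail))
```

Two caveats when reading the output: since Android 4.4 only the default messaging app can stop an SMS broadcast, so a high receiver priority means the app is positioned to read incoming codes early, not that it can hide them on every device; and SYSTEM_ALERT_WINDOW, accessibility services and device-admin receivers all have legitimate uses, so the score only orders what to inspect next (decompiled code, command server traffic), it does not classify the app by itself.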
Almost all bankbots use a web-based admin panel, giving attackers detailed statistics on infected devices and stolen data.
The Underground Industry
As Android devices became widespread, the production of trojans for this platform turned into a full-blown underground industry, especially for banking malware. In the dark web, ads began to appear offering Android banking trojans for rent, complete with admin panels and technical support. Builders also became available, allowing anyone—even without programming skills—to create a banking trojan disguised as any app or banking system.
As a result, the number of banking trojans has grown significantly since around 2017, and the risk for Android users has increased. Since most of these trojans operate with admin privileges, removing them is difficult: at best, you’ll need to boot into safe mode; at worst, you’ll have to reset your device to factory settings, losing all data.
How to Protect Yourself
It’s a proven fact: even disabling installation of apps from unknown sources doesn’t always protect you from banking trojans. Many cases have been reported where such malware was downloaded from the official Google Play store, as app screening is still imperfect.
Android also has numerous vulnerabilities that malware authors can exploit. Antivirus apps can help protect your device, but whether to install one is up to each user. At the very least, after his experience, my entrepreneur friend decided not to take any more chances and installed an antivirus on his phone—better safe than sorry.