Mar 30, 2026

Mobile Banking Heist: Fraud Now Starts on The Device

Financial institutions have spent years hardening their backend infrastructure, strengthening authentication, improving transaction monitoring, and investing in fraud analytics. Those investments were right for the threat landscape that existed at the time.

The threat has changed.

Mobile banking is now the dominant channel. 54% of consumers cite it as their primary method for managing bank accounts, a figure that has more than doubled since 2017. As the channel shifted, so did the attack surface. Cybercriminals followed.

Zimperium just released the 2026 Mobile Banking Heist Report.

What the Research Found

Throughout 2025, Zimperium's zLabs tracked 34 active malware families targeting 1,243 financial brands across 90 countries — covering apps with more than three billion downloads worldwide. These weren't isolated incidents. They were industrialized campaigns, sophisticated and scalable, continuously evolving to bypass app security controls and exploit the institutions and customers that rely on them.

The scale is striking. Three malware families alone collectively target more than 60% of the banking and fintech apps analyzed. Perhaps the most alarming finding is where the attacks are coming from. Ukraine, Russia, and the United States are the top three countries hosting command-and-control infrastructure across the malware families analyzed. The servers directing attacks on American banks are, in part, operating on U.S. soil.

The Big Shift: Malware No Longer Stops at Credentials

This is the finding that changes everything. Modern banking trojans don't steal credentials and disappear. They take over the device — and stay.

They intercept authentication codes after login. They steal session cookies after authentication is complete. They execute fraudulent transactions inside the official banking app while the customer's screen appears frozen or off. To backend systems, everything looks normal. The fraud has already happened by the time anything flags.

Our capability analysis across the 34 families tells the full story:

    • 85% have account and transaction takeover capabilities
    • 73% have full remote device control
    • 50% have financial extortion capabilities — including ransomware modules that encrypt device files and demand Bitcoin to restore access
    • 38% engage in context hijacking — intercepting phone calls, reading encrypted messages, and conducting fraudulent voice calls to extract PII

Overlay attacks, session hijacking, and full device remote access are no longer advanced techniques. They are table stakes, present across the majority of families analyzed and accessible to any threat actor.

AI Is Making it Worse

The threat isn't just growing. It's accelerating — and AI is the accelerant. Malware using AI-assisted attacks grew 400% year-over-year. What once required weeks of skilled reverse engineering now takes hours. Phishing lures are 5x more convincing. Variants are generated faster than detection can respond. Every stage of the attack chain is getting cheaper, faster, and harder to stop.

The DarkSword exploit chain, disclosed this week at RSA, is a live illustration of exactly this. No click. No app install. Just visit a website and the device is compromised. AI-assisted development is making these capabilities cheaper, faster, and more widely accessible than ever before.

76% of security teams report they cannot keep pace. The gap is widening with every AI cycle.

Three Controls That Must Adapt Now

The core conclusion is straightforward: mobile banking fraud no longer begins at the server. It begins on the device.

Three things need to change:

    • Establish device trust before you authenticate. Strong authentication assumes the device is clean. Modern malware proves it isn't.
    • Harden your app against reverse engineering. More than 60% of mobile banking apps lack basic code protection. If your app can be read, it can be exploited.
    • Treat runtime protection as a fraud control. Detecting and stopping overlay attacks, session hijacking, and device compromise at runtime — before a transaction executes — is no longer a security add-on. It is core fraud prevention.

The 2026 Mobile Banking Heist Report documents 34 active malware families, 1,243 targeted financial brands across 90 countries, the regions being targeted, and the specific capabilities bypassing your enterprise defenses right now. This report will change how you think about your defenses.