Posted on February 15, 2024
Mobile banking Trojans are built to hack your bank account and steal your money
If you have a bank account, you probably use your phone to access it. Most people now do at least some of their banking on their phone and almost half of consumers do the majority of their banking on their mobile.
It’s quick and convenient. But it can be risky, because bank accounts are a rich target for hackers, who every year develop more—and more effective—ways to get at your money by infiltrating your phone and stealing your banking credentials. Almost 200,000 new mobile banking Trojans were identified at official and unofficial app stores in 2022, double the number in 2021.
“This drastic increase signifies that cybercriminals are targeting mobile users and are increasingly more interested in stealing financial data,” said Kaspersky Lab in its “Mobile Threats in 2022” report.
A lot of money is at stake. For instance, in early 2022, a malware campaign called Dark Herring targeted more than 100 million people around the world and stole hundreds of millions of dollars from them.
Trojans are built to deceive
A Trojan (named after the legendary Greek horse) is a malicious app that looks legitimate but does a lot of damage if installed on your phone. A banking Trojan is designed to steal money from your bank account. It fools users because it’s disguised as some other type of app, like a game, retail app or antivirus tool. If downloaded, it will ask for permission to access various phone functions, as normal apps do. Once permissions are granted and the Trojan is installed, it enables hackers to remotely access your phone, get hold of vital data like your mobile banking login and steal your money.
Cybercriminals spread their mobile banking Trojans at both unofficial and official app stores. Official stores have security measures in place to prevent Trojans from being uploaded but they’re not 100% effective. And when a mobile banking Trojan does successfully reach an official store, it may be downloaded by hundreds of thousands of unsuspecting users before it’s discovered and deleted.
Trojans are also disseminated via ads on social media and at third-party websites. There’s a Trojan called SpyNote in circulation now that is sent to users in a text message. Once installed, it can record your phone calls, record video, track your every tap and keystroke, and easily steal your banking username and password. It’s so hard to uninstall that users have to do a factory reset to get rid of it.
Trojans are often sent by email or social media message. These usually urge quick action, with a prompt along the lines of “Immediate response required.” They may claim that a delivery of yours has been delayed or canceled and include a link where you can learn more. Click the link and your device will be infected.
Banks and tech companies, of course, are constantly improving their defenses against mobile banking Trojans. But as fast as they move, hackers move just as quickly. This means you can’t ever be 100% protected against mobile banking Trojans but you can take commonsense precautions to keep your phone and your bank account safe from hackers.
Download apps only from official app stores
You should never download any app from a third-party app store, ever. If you want an app for your phone, get it only from the Google Play Store or the Apple App Store. It does happen that malicious apps sneak onto these official stores but it’s rare. To be as secure as possible, download your mobile banking app only from your bank’s website.
Review permissions requested by apps
When you install a new app, it will ask you to grant permissions so it can access various functions on your phone. A mobile banking app might request access to your location, camera, text messages and microphone.
The majority of the time, these requests are legitimate. The app needs them to do what it does. For example, it needs access to your camera so you can upload check images and it needs access to your text messages so it can send you one-time security codes.
But some of the permissions requested by apps are not reasonable. You can manage all the permissions granted to your apps and cancel any that seem odd or invasive. Here’s how.
Android
Open Settings and tap Apps. Tap the app you want to check on, then tap Permissions. Here you’ll see all the permissions granted to the app and you can change permissions by tapping Allow or Don’t allow.
iOS
Open Settings and tap Privacy & Security. You’ll see a list of phone features—Location Services, Contacts, Calendars and more. Tap the feature you want to check on and you’ll see a screen that shows all the apps that are accessing that feature. You can turn off permissions for specific apps.
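For readers who use Android's developer tools, the same review can be run across many apps at once. The Python below is an added example, not part of the original article: it parses a constructed sample shaped like `adb shell dumpsys package` output and lists the features each app holds beyond what you expect it to need. The package names and the EXPECTED table are assumptions.

```python
import re

# The four phone features the article names, as Android runtime permissions.
FEATURES = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample shaped like `adb shell dumpsys package` output; hypothetical apps.
SAMPLE = """\
Package [com.example.bank] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.puzzlegame] (4d5e6f):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

# Assumption: the features the reviewer considers reasonable for each app.
EXPECTED = {"com.example.bank": {"camera", "text messages"}, "com.example.puzzlegame": set()}

PKG = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_features(dump):
    """Return {package: set of article features currently granted}."""
    result, current = {}, None
    for line in dump.splitlines():
        if m := PKG.match(line):
            current = m.group(1)
            result[current] = set()
        elif current and (m := PERM.match(line)):
            feature = FEATURES.get(m.group(1))
            if feature and m.group(2) == "true":
                result[current].add(feature)
    return result

def unexpected_grants(dump, expected):
    """Return {package: sorted features granted beyond its expected set}."""
    found = granted_features(dump)
    return {pkg: sorted(f - expected.get(pkg, set()))
            for pkg, f in found.items() if f - expected.get(pkg, set())}

print(unexpected_grants(SAMPLE, EXPECTED))
```

An app missing from EXPECTED is treated as needing none of these features, so every grant it holds is reported for review.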
Update your banking app regularly
App updates usually include patches for security holes and fixes for bugs, so keeping your banking app up to date will keep you more secure.
Consider a switch to CREDO Mobile
At CREDO Mobile, we care about your right to privacy. In fact, we care about all your rights—like your right to be whoever you want to be, your right to make your own health decisions and your right to a future not set on fire by fossil fuel companies.
That’s why we’ve donated over $95 million to nonprofit groups working for progressive causes like LGBTQ equality, reproductive choice and climate justice. These donations cost our customers nothing extra—but they mean everything to the nonprofits that rely on us.
Switch to CREDO Mobile and you’ll get the good feeling that comes with knowing you support the causes important to you, simply by using your phone. You’ll also get all you want from a phone company: competitive rates, great deals on new devices and nationwide coverage on the top-rated, most reliable network.