Emerging Mobile Threats and Security Gaps in Banking and Endpoint Protection
A newly identified Android banking trojan is exploiting weaknesses in traditional antivirus defenses by using SMS-based distribution and overlay tactics to steal credentials, highlighting the limitations of signature-based detection and the need for behavior-based mobile security. This threat, along with a documented cyber-espionage campaign where attackers used stolen credentials to hijack cloud-based device management tools and remotely wipe Android devices, demonstrates how mobile endpoints are increasingly being weaponized for both financial theft and sabotage. The sophistication of these attacks underscores the necessity for organizations to treat mobile devices as critical assets, implementing continuous monitoring, strict OS patching, and robust incident response protocols.
In response to the growing threat landscape, Google has expanded its Android in-call scam protection feature to major U.S. financial apps such as Cash App and JPMorgan Chase. This feature warns users when they may be targeted by social engineering scams during calls, aiming to disrupt attackers' manipulation tactics and prevent unauthorized access to banking information. As mobile devices become central to both personal and enterprise operations, the convergence of advanced malware, endpoint exploitation, and enhanced security features reflects the urgent need for comprehensive mobile security strategies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers report new Android banking trojan using evasion and overlay attacks
A newly discovered Android banking trojan was reported as bypassing traditional antivirus tools through advanced evasion techniques. Distributed via SMS links and disguised as legitimate apps, it abuses permissions and overlay attacks to steal credentials.
Google expands Android scam protection to Chase and Cash App in the U.S.
Google expanded Android’s in-call scam protection to additional U.S. financial apps, including Cash App and JPMorganChase's mobile banking app. The warning system pauses risky actions during unknown calls to help prevent impersonation-driven fraud.
Google trials scam protection in the U.K., Brazil, and India
Before the U.S. rollout, Google tested the in-call scam protection capability in the U.K. and later piloted it in Brazil and India. These trials preceded broader availability for financial apps in the United States.
Google introduces scam protection with Android 16
Google introduced the in-call scam protection feature with Android 16, expanding Android defenses against social-engineering scams involving screen sharing and financial apps. The feature works on Android 11 and later devices.
Espionage campaign uses stolen credentials to remotely wipe Android devices
Researchers documented a cyber-espionage campaign in which attackers hijacked cloud-based Android device-management tools using stolen credentials. The attackers remotely factory-reset compromised phones to destroy forensic evidence and hinder investigations.
Google announces Android in-call scam protection
Google announced an Android feature in May that warns users when they open a financial app while screen-sharing during a call from an unknown number. The capability was designed to disrupt phone-based impersonation scams targeting banking users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Banking Trojan Highlights Gaps in Mobile Protection
zimperium.com
Open sourceGoogle expands Android scam protection feature to Chase, Cash App in U.S.
bleepingcomputer.com
Open sourceMobile Gestalt Exploit Underscores Rising Mobile Endpoint Risks
zimperium.com
Open sourceMobile Endpoints Weaponized in Remote-Wipe Espionage Campaign
zimperium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Surge in Mobile Malware and Banking Trojan Threats in 2025
Threat intelligence reports from multiple security vendors highlight a significant escalation in mobile malware activity and the evolution of attack strategies targeting mobile devices in 2025. Kaspersky's Q3 2025 statistics reveal that over 47 million attacks involving malware, adware, or unwanted mobile software were prevented, with trojans being the most prevalent threat. The Zscaler Threatlabz report, corroborated by Zimperium's research, documents a 67% year-over-year increase in Android malware and a 50% rise in trojan deployments, with 18% of sampled mobile devices found to be infected. These reports emphasize the growing adoption of a mobile-first attack strategy by threat actors, exploiting the expanded enterprise attack surface as remote and hybrid workforces rely more heavily on mobile devices. A notable trend is the persistence and evolution of mobile banking malware. Zimperium's analysis details the emergence of the Android/BankBot-YNRK trojan, which masquerades as legitimate apps, abuses accessibility services, and automates fraudulent transactions, reinforcing the risk to mobile banking users. The convergence of phishing techniques—such as smishing, vishing, and quishing—under the term "Mishing" further illustrates the sophistication of mobile-targeted social engineering. Collectively, these findings underscore the urgent need for organizations to strengthen mobile security controls and user awareness as mobile devices become a primary vector for credential theft, financial fraud, and enterprise compromise.
Mar 21, 2026
Android Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments. A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
Mar 21, 2026
Emergence of Advanced Android Malware Targeting App Stores and Banking Credentials
A new wave of Android malware is leveraging sophisticated techniques to evade detection and compromise user devices. The Cellik malware-as-a-service (MaaS) platform enables cybercriminals to create trojanized versions of legitimate Google Play Store apps, embedding malicious payloads while preserving the original app's interface and functionality. This approach allows attackers to bypass security controls such as Play Protect and remain undetected for extended periods. Cellik offers features including real-time screen streaming, notification interception, filesystem browsing, data exfiltration, and a hidden browser mode for session hijacking, all managed through an encrypted command-and-control channel. In parallel, other Android malware campaigns such as NexusRoute and FvncBot are targeting users by impersonating trusted government and banking applications. NexusRoute focuses on Indian citizens by distributing fake mParivahan and e-Challan apps through phishing sites and GitHub repositories, enabling credential theft, device surveillance, and unauthorized financial transactions. FvncBot, meanwhile, disguises itself as a banking-security app and exploits accessibility and VNC features to capture keystrokes, stream screens, and inject fraudulent transactions within genuine banking apps. These developments highlight the increasing sophistication and commercial availability of Android malware, posing significant risks to mobile users and financial institutions alike.
Mar 21, 2026