4 Banking Malware Types Detected on Users’ Devices in 2023

  • Banking
  • 20.10.2023 07:20 am

It didn’t take long for cybercriminals to learn that it’s difficult to compromise banking institutions directly.

Instead, most of them target users’ devices with malware.

To get in, they use social engineering, such as SMS or email phishing, or they hide the malicious software behind legitimate-looking applications in the Google Store and wait for users to install them on their devices.

The most common type of malware that targets banks is a banking Trojan. Applications infected with banking Trojans might look like games, flashlights, or even legitimate banking applications.

What are some of the banking malware types that were detected in 2023?

Here, we share four types of banking malware identified this year and what banking institutions can learn from these evolving strains to better protect users with banking apps on their devices.

#1 Qakbot Trojan Victimizing Windows Computers

Qakbot is already a well-known banking Trojan designed to obtain banking credentials. Threat actors have been developing this strain of malware since 2007.

In 2023, it was detected once again, now better equipped to hide itself from anti-malware solutions.

If Qakbot infects a device, the attacker will either harvest the user’s banking credentials or use the access to deploy ransomware on the victim’s machine.

In June 2023, activity that is linked to the Qakbot Trojan peaked. The latest capabilities of this evolving cyber threat include taking control over the infected computer.

Cybercriminals who use this malware rely on phishing schemes to sneak it onto users’ devices in the first place.

Organizations have been advised to raise awareness of phishing for their workforce and protect their networks with multiple layers of security solutions.

#2 Xenomorph Android Banking Trojan

Xenomorph is a banking Trojan that affects Android devices. It impersonates financial institutions but is also known to go after crypto wallets. It was first detected in 2022.

In August 2023, this malware reappeared. It is now better at concealing its malicious activity from the user, and it is more widespread, since it targets users in other countries as well (it has been detected in Spain, for example).

Users who reside in Canada or the US have been victimized by this strain of malware the most.

What makes it especially dangerous is that it can bypass two-factor authentication and conceal itself once it gets onto the victim’s Android phone. It can then collect information about the user, tamper with security settings, and steal login data.

It gets onto users’ phones through fake Chrome update prompts that are in fact phishing pages.

#3 BBTok Banking Malware

BBTok has been used by threat actors since 2020. In 2023, a new version of this malware was detected by the cybersecurity company Check Point. It targeted Windows users in Latin America.

What makes this type of malware especially dangerous is that it mimics bank interfaces. Therefore, it leads unsuspecting clients to a false login page and encourages them to type in their credentials.

Everything starts with a phishing link in an email. After the victim logs in, completes two-factor authentication, or enters payment details such as credit card numbers, the attackers steal this data to gain access to the victim’s bank account.

This new strain of malware is difficult to detect. It conceals its activity from the antivirus and anti-malware software that users have on their machines.

For the malware to get onto a device, the user has to visit the phishing site. Be wary of any unsolicited password-reset requests, change your passwords regularly, and never type in your credentials on a login page you reached through a link in an email.

#4 SpyNote Trojan and Spyware

SpyNote is a type of spyware known to researchers since 2022. This Trojan obtains accessibility permissions and uses them to record video, track location, capture screenshots, record audio, and log keystrokes. Its primary objective is to gather information.

There was a spike in infected SpyNote phones in January 2023.

Hackers can use it to get the user’s credit card information when the user is shopping online, steal their credentials as they log into their social media or email, or obtain the login information needed for the banking app.

Unlike most banking malware, SpyNote does not hide behind another trustworthy-looking app that users can install via the Google Store.

Victims get it on their phones after clicking a link in an SMS phishing message disguised as a request to install an update.

As with most spyware, users are unaware they have SpyNote on their devices. Just like any other Trojan, it hides itself.

One way to check whether you have SpyNote on your phone is to open your Settings app. Does it close by itself?

Spyware such as SpyNote is designed to force-close the Settings app, since this prevents the user from removing the spyware from the device.

Known Malware Types Are Re-Emerging; What Can You Do?

Three patterns are common to the banking malware described here. These strains:

  1. Predominantly target Android users.
  2. Involve some kind of phishing scheme.
  3. Are continually evolving to avoid detection.

Whether it’s a Trojan or spyware, the malware mentioned here has one target: a user’s bank account. The easiest way for a threat actor to gain entry to otherwise protected devices is via phishing messages.

Known malware is constantly developed and improved. Attackers use versions that are similar to their predecessors but are tuned to steal the victim’s sensitive information and banking credentials without getting noticed.

New types of banking malware are designed to bypass antivirus software and sneak onto phones without being detected.

Another pattern that appears here is that banking malware tends to target Android users. iOS devices are perceived as generally safer, but there are still malware strains that target them. No device is 100% safe from hacking.

Banking app users who don’t have anti-malware solutions on their phones and lack awareness of the common phishing schemes are the most vulnerable to such malware attacks.
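The advice above about phishing links is the kind of rule a mail or SMS filter can apply mechanically. The following Python is an added example written for this post, not code from the original article or from any vendor mentioned in it. It triages the URLs in a constructed message against a placeholder bank domain (`examplebank.test`, an assumption standing in for a real institution) and flags the lookalike tricks such lures rely on: the brand name buried in a subdomain of an attacker-controlled domain, a `user@host` prefix that hides the real host, raw IP hosts, punycode labels, and plaintext http. The sample messages are constructed for illustration and are not real campaign artefacts.

```python
"""Triage URLs in a message body against a bank's legitimate domain (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: placeholder domain, not a real bank.
TRUSTED_DOMAINS = {"examplebank.test"}
# Words a lure typically reuses to look like the real thing (assumed list).
BRAND_KEYWORDS = ("examplebank", "bank", "login", "secure", "update")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) URLs out of a message body."""
    return URL_RE.findall(text)


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """Exact match or a genuine subdomain of a trusted domain.

    'examplebank.test.evil.test' is NOT trusted: the suffix match is on
    '.' + domain, so the trusted name must be the rightmost labels.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_url(url):
    """Return (verdict, reason) for one URL; verdict is 'allow' or 'flag'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "flag", "no hostname"
    if is_trusted_host(host):
        if parts.scheme.lower() != "https":
            return "flag", "trusted host but plaintext http"
        return "allow", "trusted host"
    # Untrusted host from here on; report the most telling reason.
    if parts.username is not None:
        return "flag", f"userinfo trick: '{parts.username}@' hides real host {host}"
    try:
        ipaddress.ip_address(host)
        return "flag", "raw IP address host"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        return "flag", f"punycode label in host {host}"
    if any(k in host for k in BRAND_KEYWORDS):
        return "flag", f"brand keyword in untrusted host {host}"
    if any(k in parts.path.lower() for k in BRAND_KEYWORDS):
        return "flag", f"brand keyword in path on untrusted host {host}"
    return "flag", f"untrusted host {host}"


def triage_message(text):
    """Classify every URL in a message; returns a list of (url, verdict, reason)."""
    return [(u, *classify_url(u)) for u in extract_urls(text)]


def message_is_clean(text):
    """True only if the message has no URL or every URL is allowed."""
    return all(v == "allow" for _, v, _ in triage_message(text))


# Constructed sample messages modelled on the lures described in the article.
SAMPLES = {
    "legit": "Your statement is ready: https://online.examplebank.test/statements",
    "subdomain_trick": "Verify now: https://examplebank.test.account-review.test/login",
    "userinfo_trick": "Reset password: https://examplebank.test@198.51.100.7/reset",
    "fake_update": "Chrome is out of date, install: http://chrome-update-now.test/apk",
    "punycode": "Login: https://xn--examplebnk-3ob.test/secure",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for url, verdict, reason in triage_message(body):
            print(f"{name:16} {verdict:5} {reason}")
```

The ordering of checks matters: a trusted host is decided first by suffix match on the registrable domain, so a brand name appearing anywhere left of the attacker's domain never earns trust, and the `userinfo` test runs before the keyword tests because `examplebank.test@...` would otherwise be reported for the less specific reason.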
