From malware and botnets to the latest cybercriminal schemes, check out what today’s black hat hackers are up to.

Blog > Cybercrime > Current Trends in Mobile Threats Targeting Financial Services

Current Trends in Mobile Threats Targeting Financial Services


Key Findings

  • Malware targeting credentials and payment information remains a major threat to mobile users.
  • Call and SMS interception are in demand and support a variety of unauthorized retail and banking transactions.
  • Calls and SMS Telephony Denial of Service (TDoS) are in demand; however, due to the excessive cost of the technique, they are only available to the most experienced criminals.
  • Criminals mostly ignore Windows Mobile OS, while Apple iOS provides the best protection.
  • Android users remain the primary target of cybercriminals, which can be attributed to Android’s worldwide popularity and open platform.



Based on Flashpoint’s extensive coverage of the criminal underground and knowledge of current mobile threats, analysts assess that cybercriminals’ proficiency in using illegal techniques and methods will increase in the near future; however, malicious actors will utilize a similar scope of tools to perpetrate their crimes.

Malware Targeting Financial Services

The majority of mobile victims are being targeted in attempts to steal credentials in order to access financial accounts; payment information, such as credit and debit card data, is also targeted.

Despite ongoing improvements to the Android operating system, criminals have been able to refine their malicious products, to include those capable of infecting most versions of the system, including Marshmallow 6.x.x.

A wide range of banking malware is available for purchase within the Deep and Dark Web, including those supporting browser and application overlays.

Current Trends in Mobile Threats

Image 1: KNL Trojan C2 Panel and an example of a banking inject.

Image 1: KNL Trojan C2 Panel and an example of a banking inject.

Upon launching an application, a malicious fake will be displayed, closely resembling the legitimate software program, but intercepting login credentials, security questions, and session cookies. In some cases, malware will prompt a user to input their full credit card information, preventing them from proceeding until the form is completed entirely. Additional features of such software generally include SMS initiation and intercept, phone call initiation and intercept, access to the phone book and call history, access to pictures, and blocking of the device and its separate functions.

Image 2: Citelites Android Bot C2 Panel.

Image 2: Citelites Android Bot C2 Panel.

At the time of writing, the ongoing rental cost of such malware varies between $700 – $2,500 USD a month, while additional Android injects can be purchased for as little as $150 USD per single financial organization.

Calls and SMS Interception

Aside from utilizing infected mobile devices to steal financial credentials and information, criminals offer so-called “Call/SMS intercept” services, renting out a victim’s phone number to be used in an extensive list of fraudulent operations requiring two-factor authentication with SMS delivery. As many companies are becoming proficient at quickly identifying Voice Over Internet Protocol (VoIP) numbers, the demand for access to “real” phone numbers is surging, commanding prices upwards of $10 USD per call/SMS.

Image 3: SpyNote v2 Android Remote Access Trojan (RAT). Telephony Denial of Service (TDoS)

Image 3: SpyNote v2 Android Remote Access Trojan (RAT). Telephony Denial of Service (TDoS)

Telephony Denial of Service (TDoS), or SMS/Phone Flood services, are actively advertised by several known threat actors and are often used to prevent the delivery of a confirmation message sent by a financial institution or retailer immediately following the initiation of a fraudulent transaction.

It is important to highlight, however, that the technique is mostly used by only the most experienced criminals, primarily due to its prohibitive cost. The average market price for the “flooding” of a single phone number is $30 to $50 USD.

Mobile Ransomware

The popularity and offerings of Android ransomware have decreased significantly because criminals have migrated towards easier prey who use standard computers. However, a small number of actors continue to distribute Android cryptolockers across the criminal underground. The average monthly rental cost of such malware — including the ongoing obfuscation of a payload file — is $400 USD.

Image 4: Device infected by Loki Android Ransomware.

Image 4: Device infected by Loki Android Ransomware.

Due to the unpopularity of the Windows Mobile OS, the threat to its customers is almost non- existent. Further, the development and support of proprietary malware has become economically unfeasible. Apple iOS has proven to be the most secure environment, shielding its customers from the majority of known mobile threats.

Related Posts

About the author: Andrei Barysevich


Andrei Barysevich formerly was the Director of Eastern European Research and Analysis at Flashpoint. He is a native Russian speaker and has previously worked as an independent e-commerce fraud researcher, as well as a private consultant for the FBI's New York Cyber Crime field office. For the past 13 years, Andrei has been personally involved in multiple high-profile international cases resulting in successful convictions of members of crime syndicates operating global re-shipping, money laundering, and bank fraud schemes.