Protecting against the mobile Trojan horse in your pocket

By Jan Sysmans

Scammers, and the criminal organisations they work for, will always look for and take advantage of flaws in mobile banking security.

With Singapore’s mobile banking booming, financial services have been revolutionised and provide unmatched convenience.

But this rapid digital shift has also made mobile banking apps top targets for fraudsters using increasingly advanced banking Trojans. These malicious programmes compromise personal and financial data, steal credentials, run illegal transactions, and infect devices.

Evolving threats in Singapore’s banking landscape
Scams and cybercrime remain a pressing concern in Singapore. According to the Singapore Police Force (SPF), the number of scam and cybercrime cases in 2024 increased by 10.8% to 55,810 cases, compared to 50,376 cases in 2023.

Notably, 2024 saw sharp increases in both the number of cases reported and the amount lost for phishing scams, investment scams, and government official impersonation scams. Financial losses from all types of scams amounted to over $1.1b.

In response, the Singapore government has introduced further measures to reduce financial crime, most notably the Safe App Standard that was published by the Cyber Security Agency of Singapore.

In addition, banks have taken several initiatives to protect their customers from scams. Examples are DBS Digivault, UOB LockAway Account, and OCBC Money Lock. More recently, Standard Chartered introduced Digital Scam Protection Insurance.

Whilst these are laudable initiatives, banking Trojans and Account Takeover attacks remain a constant threat. Attackers keep evolving and utilise advanced On-Device Fraud (ODF) methods to bypass standard security controls by attacking legitimate user devices.

This growing combination of banking Trojans and ODF poses a significant threat to banks and fintech organisations, demanding a more dynamic security approach.

Scammers, and the criminal organisations they work for, will always look for and take advantage of flaws in mobile banking security. Financial institutions must anticipate new tactics and implement modern, artificial intelligence (AI)-based security strategies that go beyond basic threat detection and reactive responses.

Why traditional security is no longer enough
The fast growth of banking Trojans such as BlankBot, ToxicPanda, and Godfather highlights the necessity for more advanced security strategies. Traditional signature-based defences are ineffective against modern Trojans, which constantly change their attack methods.

To secure mobile banking users, banks and fintech firms must adopt AI-driven, real-time security automation.

Social engineering scams are also a growing concern. Cybercriminals use deceptive messages to trick people into installing malware disguised as legitimate apps.

According to a survey, 32.7% of Singaporeans have personally encountered social engineering scams. This shows how urgently stronger user education and security measures are needed.

Comprehensive defence against banking Trojans and Account Takeover attacks
To effectively combat these threats, financial institutions in Singapore should implement a multi-layered mobile security approach. This includes blocking accessibility services malware, which prevents unauthorised access to accessibility features and closes a key attack vector for Trojans. It should also block all banking Trojans, to prevent them from attacking mobile banking apps and launching account takeover attacks.

Detecting and blocking social engineering attacks is also critical, as criminals often use tactics such as phishing, vishing, quishing and more to trick users into sharing login information or one-time passwords (OTPs), or into installing Trojans or other malware.

Detecting and blocking on-device malware is essential to stop the use of tools such as Magisk, Frida, hooking frameworks and more, which are used to attack mobile banking apps.

Blocking overlay attacks helps detect and prevent dubious screen overlays that deceive users into disclosing confidential data. Blocking remote desktop control tools is also necessary, as criminals often try to use social engineering attacks to trick unsuspecting users into downloading malware that includes remote access tools that they can use to open mobile banking apps when the phone is not in use.

Mobile bot defence is needed to protect the network against API abuse and to prevent bots from attacking the banking servers and launching credential stuffing attacks. Man-in-the-middle (MitM) attack prevention encrypts in-app communications to protect sensitive user data from interception. Finally, keylogging prevention safeguards user inputs like credentials and PINs from being captured by malicious software.

Beyond these measures, behavioural analysis and AI-driven fraud detection can aid in detecting dangerous activity before it leads to financial losses. Banks can detect and mitigate Trojan activity in real time by continuously monitoring transaction patterns and user behaviours.

Future-proofing mobile banking security in Singapore
As mobile banking grows, financial institutions must stay ahead of evolving cyber threats.

AI-powered threat detection and real-time fraud prevention are critical for protecting both consumers and businesses. Strengthening app security, improving fraud detection, and working with regulators will ensure a secure digital banking environment.

Collaboration between banks, telecom providers, and government agencies is essential to tackling mobile banking fraud. Stricter security policies, harsher penalties for cybercriminals, and better victim support can help curb financial crimes.

To counter evolving banking Trojans, the industry must do more and adopt adaptive, AI-driven defences. A robust, multi-layered security approach is key to securing Singapore’s digital banking future.
