Mobile Banking Under Siege: Malware Attacks Surge 3.6-Fold, Featuring 'Blackout' Modes to Hijack Sessions

Mobile Banking Malware Surges 3.6-Fold as Sophisticated Trojans Target 1,243 Financial Brands

HIGH
June 7, 2026
7m read
Malware, Mobile Security, Cyberattack

Related Entities

Organizations

Kaspersky, Zimperium

Other

Mamont, ClipBanker, Grandoreiro, TsarBot, CopyBara, Hook, Sturnus, Crocodilus

Full Report

Executive Summary

Mobile banking is under sustained attack from a surge in capable Android banking trojans. A Kaspersky report records a 3.6-fold increase in users encountering mobile banking trojans in 2026, with over 247,900 users affected. These are not isolated incidents but industrialized campaigns targeting 1,243 financial brands across 90 countries. The trojans have moved well beyond simple credential theft. New variants such as Sturnus and Crocodilus ship a "blackout" mode: the malware covers the display with an opaque overlay so the phone appears to be off or frozen, then drives the real banking app through the Accessibility Service to move money inside the user's own authenticated session. Because the fraud is executed from the victim's enrolled device and live session, banks struggle to tell it from legitimate activity. The user's phone, not the bank's perimeter, is now the primary battleground for financial fraud.


Threat Overview

The surge is driven by highly capable malware families designed to achieve full device takeover. Trojans such as TsarBot, CopyBara, and Hook (collectively accounting for over 60% of attacks on fintech apps) employ a range of techniques:

  • Overlay Attacks: Displaying a fake login screen over the legitimate banking app to capture credentials (T1417.002, Input Capture: GUI Input Capture).
  • SMS Interception: Reading incoming SMS messages to steal one-time passwords (OTPs) used for two-factor authentication (T1636.004, Protected User Data: SMS Messages), which is why SMS OTP offers no protection once one of these trojans is installed.
  • Abuse of Accessibility Services: Tricking the user into granting Accessibility Service access, which lets the malware read the screen, fill in fields, and click buttons on the user's behalf. This single permission is what makes everything else possible.

The most dangerous new development is the "blackout" mode. When the user opens the banking app, the malware uses its Accessibility Service privileges to draw an opaque black screen or a fake loading animation over the display. While the user believes the app is frozen or loading, the malware is driving the real app behind the overlay: it navigates the screens, adds a payee and confirms transfers by injecting UI actions through the Accessibility Service. The technique is devastating because it runs inside a legitimate, authenticated session from the user's enrolled device, so the transactions carry none of the usual fraud signals (new device, new network, failed logins) and are extremely difficult for banks to distinguish from the user's own actions.

The most active trojan family in 2026 was Mamont, responsible for 36.7% of all detections. Its distribution methods are varied, ranging from simple scams to elaborate schemes involving fake online stores and package delivery tracking apps.


Technical Analysis

The typical attack chain for modern mobile banking trojans is as follows:

  1. Initial Access: The malware is distributed through phishing messages (smishing), malicious ads, or trojanized apps sideloaded from third-party app stores (T1660, Phishing). The Mamont trojan, for example, poses as a package delivery tracking app.
  2. Permission Abuse: On first launch the app aggressively requests dangerous permissions, above all Accessibility Service access, using social engineering to convince the user that the permission is needed for the app's advertised function.
  3. Device Takeover: Once Accessibility Service access is granted, the malware has near-total control of the UI. It can read screen content, intercept notifications including MFA codes (T1517, Access Notifications), log keystrokes (T1417.001, Keylogging), and perform on-screen actions on the user's behalf, including tapping through its own later permission prompts.
  4. Credential and Session Theft: When the user opens a targeted financial app, the malware either shows an overlay to steal credentials (T1417.002) or simply waits for the user to log in legitimately.
  5. Fraudulent Transactions (Blackout Mode): The malware draws an opaque black screen over the entire UI so the device appears to be off. Behind it, it uses its Accessibility privileges to navigate the banking app, add a new payee, and transfer funds to an attacker-controlled account (T1516, Input Injection).

MITRE ATT&CK for Mobile Mapping

  • Initial Access: T1660 Phishing. Malware is delivered via malicious links in SMS messages (smishing) or malicious ads that lead to a trojanized app the user sideloads.
  • Credential Access / Collection: T1417.002 Input Capture: GUI Input Capture. Overlay attacks place a fake login screen over the real app to capture credentials.
  • Credential Access / Collection: T1417.001 Input Capture: Keylogging. Accessibility Service privileges let the malware record text entered anywhere on the device.
  • Credential Access / Collection: T1517 Access Notifications. Notification content, including MFA codes, is read and forwarded.
  • Collection: T1636.004 Protected User Data: SMS Messages. Incoming OTPs are read from SMS.
  • Collection: T1513 Screen Capture. Capturing the device screen, used alongside overlays to harvest credentials and account details.
  • Impact: T1516 Input Injection. The 'blackout' mode is on-device fraud: the malware injects UI actions through the Accessibility Service to navigate the real app, add a payee and confirm a transfer.
  • Exfiltration: T1646 Exfiltration Over C2 Channel. Stolen credentials, OTPs and account data are sent back to the attacker's server.

Accessibility Service abuse itself no longer has a dedicated technique ID (the former T1453, Abuse Accessibility Features, is deprecated); it is the enabler behind the Input Capture, Access Notifications and Input Injection entries above.

Impact Assessment

The financial and personal impact on victims is severe. The blackout mode technique can drain an entire bank account in a single session, and the victim typically learns of it only afterwards because the screen hid the activity. With 80% of all financial fraud now occurring online or via mobile, this trend threatens trust in digital banking itself. For financial institutions, the surge means large fraud losses, higher operational costs for investigation and customer reimbursement, and reputational damage. Because the transactions originate from the customer's enrolled device inside an authenticated session, distinguishing them from legitimate ones is hard, which complicates both liability and detection and pushes banks toward behavioral biometrics and in-app threat detection.


IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.


Cyber Observables — Hunting Hints

For mobile security teams and financial institutions:

  • Accessibility Service usage (type: other; context: MDM/UEM logs, on-device security apps). Monitor for any newly installed app that requests or is granted Accessibility Service access; this is the strongest single indicator of a banking trojan.
  • Fake store or delivery app (type: string_pattern; context: app store analysis, user education). Be wary of apps masquerading as popular retailers or delivery services, a common lure for the Mamont trojan.
  • App traffic with screen off (type: network_traffic_pattern; context: advanced Mobile Threat Defense). Significant network activity from a financial app while the display is reported off can indicate a blackout attack.
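One way to act on the first hunting hint across a managed Android fleet, written as an added example for this report (not code from Kaspersky, Zimperium or the source articles). It parses two real adb outputs, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags every enabled Accessibility Service whose package is not on an allowlist or was not installed by the Play Store. The allowlist, the trusted-installer set and the sample device output are constructed assumptions; the package `com.parcel.tracker` is made up.

```python
"""Hunt for Accessibility Services held by sideloaded apps on an Android device.
Added example for this report; the allowlist, trusted installers and sample
device output are assumptions, not data from the source articles."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# Assumed allowlist: packages a managed fleet expects to hold Accessibility access.
ALLOWLIST = {"com.google.android.marvin.talkback"}
# Only the Play Store counts as a trusted installer here; 'null' means sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class Finding:
    package: str
    service: str
    installer: str
    reasons: list[str] = field(default_factory=list)


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse `settings get secure enabled_accessibility_services`.

    Format is 'pkg/service:pkg2/service2'; a service starting with '.' is
    relative to its package. The value is the string 'null' when none are enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> dict[str, str]:
    """Parse `pm list packages -i` lines: 'package:<name>  installer=<pkg|null>'."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def hunt(services_raw: str, packages_raw: str,
         allowlist: set[str] = ALLOWLIST) -> list[Finding]:
    """Flag enabled Accessibility Services that are off-allowlist or sideloaded."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        reasons = []
        if pkg not in allowlist:
            reasons.append("accessibility service not on allowlist")
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        if reasons:
            findings.append(Finding(pkg, svc, installer, reasons))
    return findings


def hunt_connected_device() -> list[Finding]:
    """Same check against a device attached over adb (needs adb on PATH)."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return hunt(adb("settings", "get", "secure", "enabled_accessibility_services"),
                adb("pm", "list", "packages", "-i"))


# Constructed sample output: TalkBack from the Play Store plus a sideloaded
# "parcel tracker" (a made-up package) that has enabled an accessibility service.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.parcel.tracker/.TrackService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.parcel.tracker  installer=null
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"ALERT {f.package} ({f.service}): {'; '.join(f.reasons)}")
```

Run against the sample, only the sideloaded tracker is reported, with both reasons. On a real fleet the same two commands can be collected by an MDM agent instead of adb; the allowlist should contain the assistive-technology packages the organization actually supports, since a legitimate TalkBack user would otherwise be flagged.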

Detection & Response

For Users:

  • Be Wary of Permissions: Be extremely cautious of any app that requests Accessibility Service permissions. Deny this permission unless you are 100% certain of the app's legitimacy and purpose.
  • Stick to Official App Stores: Only download apps from the official Google Play Store or Apple App Store.
  • Use Mobile Security: Install a reputable mobile antivirus solution.

For Financial Institutions:

  • Advanced Fraud Detection: Implement in-session behavioral analytics that flag automation: inter-action gaps too short or too regular for a human, navigation that skips the steps a person takes, a newly added payee funded within seconds, and API calls arriving while the client reports the screen off.
  • SDK Integration: Integrate a security SDK into the mobile banking app to detect signs of compromise on the device: known malware packages, rooting or jailbreaking, an unexpected Accessibility Service enabled, or a window overlaying the app. On Android, `View.setFilterTouchesWhenObscured(true)` discards touches that arrive while another window covers the view and `FLAG_SECURE` blocks screen capture, but neither stops an Accessibility Service from reading and driving the UI, so treat them as partial controls.
  • Application Hardening (D3-AH): Employ runtime application self-protection (RASP) techniques to make the app harder for malware to analyze and tamper with.
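A minimal version of the in-session automation check described above, added here as an example (not a vendor SDK or the report's own code). It scores a server-side event stream for the signals listed: sub-human and overly regular inter-action timing, a new payee funded within seconds, and activity while the client reports the screen off. The thresholds, weights, event names and both sample sessions are constructed assumptions, not production values.

```python
"""Server-side scoring of a mobile banking session for automation signals.
Added example for this report (not a vendor SDK); thresholds, weights, event
names and the two sample sessions are constructed assumptions."""
from __future__ import annotations

import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float         # seconds since login, taken from server receive time
    action: str      # app step, e.g. "add_payee", "confirm_transfer"
    screen_on: bool  # display state reported by the app with each request


# Assumed tunables; calibrate against real traffic before use.
HUMAN_MIN_MEDIAN_GAP = 0.75  # seconds between steps; humans are slower than this
CADENCE_CV_MAX = 0.15        # gap std/mean below this is machine-regular
IDLE_CUTOFF = 10.0           # longer gaps are idle time, ignored for timing stats
NEW_PAYEE_WINDOW = 60.0      # add_payee -> confirm_transfer inside this is suspect
WEIGHTS = {
    "sub_human_speed": 30,
    "programmatic_cadence": 25,
    "new_payee_immediate_transfer": 30,
    "activity_with_screen_off": 40,
}
STEP_UP_THRESHOLD = 50


def interaction_gaps(events: list[Event]) -> list[float]:
    """Gaps between consecutive steps, excluding idle periods."""
    ts = [e.t for e in events]
    return [b - a for a, b in zip(ts, ts[1:]) if b - a <= IDLE_CUTOFF]


def score_session(events: list[Event]) -> tuple[int, list[str]]:
    """Return (risk score, fired signals) for one authenticated session."""
    events = sorted(events, key=lambda e: e.t)
    signals: list[str] = []

    gaps = interaction_gaps(events)
    if len(gaps) >= 3:
        if statistics.median(gaps) < HUMAN_MIN_MEDIAN_GAP:
            signals.append("sub_human_speed")
        mean = statistics.fmean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < CADENCE_CV_MAX:
            signals.append("programmatic_cadence")

    # A payee created and funded inside one short window is the classic ODF shape.
    payee_added_at = None
    for e in events:
        if e.action == "add_payee":
            payee_added_at = e.t
        elif (e.action == "confirm_transfer" and payee_added_at is not None
              and e.t - payee_added_at <= NEW_PAYEE_WINDOW):
            signals.append("new_payee_immediate_transfer")
            payee_added_at = None

    # Blackout mode: the real app is driven while the device looks switched off.
    if any(not e.screen_on for e in events):
        signals.append("activity_with_screen_off")

    return sum(WEIGHTS[s] for s in signals), signals


def decide(events: list[Event]) -> str:
    score, _ = score_session(events)
    return "step_up_out_of_band" if score >= STEP_UP_THRESHOLD else "allow"


# Constructed sessions. A person pays a saved payee at human pace...
HUMAN_SESSION = [
    Event(0.0, "login", True), Event(4.2, "view_balance", True),
    Event(9.8, "open_transfers", True), Event(15.1, "select_payee", True),
    Event(24.7, "enter_amount", True), Event(27.8, "confirm_transfer", True),
]
# ...while a blackout-mode trojan adds and funds a new payee in two seconds
# with the display blacked out, 30 s after the victim's genuine login.
BLACKOUT_SESSION = [
    Event(0.0, "login", True), Event(30.4, "open_transfers", False),
    Event(30.9, "add_payee", False), Event(31.3, "enter_payee_details", False),
    Event(31.8, "enter_amount", False), Event(32.2, "confirm_transfer", False),
]

if __name__ == "__main__":
    for name, session in (("human", HUMAN_SESSION), ("blackout", BLACKOUT_SESSION)):
        print(name, score_session(session), decide(session))
```

Two design points matter in practice. The screen-state flag is attested by the client, and a compromised device can lie about it, so it corroborates the server-observed timing signals rather than replacing them. And users of TalkBack or switch access legitimately produce non-touch, fairly regular input, which is why the outcome of a high score is an out-of-band step-up rather than a hard block.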

Mitigation

Strategic Mitigation:

  • Assume Device Compromise: Banks should operate on a Zero Trust principle for mobile, assuming the device could be compromised and implementing in-app and server-side checks to verify transactions.
  • Step-Up Authentication: For high-risk transactions (new payee, unusual amount, automation signals), require an out-of-band confirmation that the malware cannot complete from the compromised phone. SMS codes are readable by the trojan and a push prompt on the same device can be approved by its Accessibility Service, so use a second registered device or a voice call, and have the confirmation show the payee and amount so the user sees what the blacked-out screen hid.
  • Educate Customers: Proactively educate customers about the dangers of mobile malware and the importance of scrutinizing app permissions.

Tactical Mitigation:

  1. Restrict Sideloading: On Android 8 and later "Install unknown apps" is granted per source app (browser, messaging app, file manager) rather than as one global switch; users should leave it denied for every app, and enterprises should block it through device management policy.
  2. Review App Permissions: Regularly review the permissions granted to all installed apps and revoke any that are unnecessary.
  3. Enable Google Play Protect: Ensure this built-in Android security feature is enabled and actively scanning apps.

Timeline of Events

  • June 7, 2026: this article was published.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

mobile banking, malware, trojan, Android, blackout mode, Mamont, TsarBot, financial fraud
