Business Insider

Defending Philippine mobile banking apps against Trojan attacks


By Jan Sysmans

MOBILE BANKING is revolutionizing financial services in the Philippines, offering unmatched convenience and accessibility to millions of users. According to Statista, the banking market in the Philippines is projected to have reached a net interest income of $8.18 billion in 2024 amid a surge in digital banking services.

However, this rapid digital adoption brings significant risks as cybercriminals deploy increasingly sophisticated tactics to exploit vulnerabilities in mobile banking applications. The most dangerous among them are Trojans — malicious programs specifically designed to infiltrate devices, steal sensitive data, and commit fraud.

According to the National Privacy Commission, there were a total of 6.8 billion security incidents in the Philippines from 2018 to 2024, with Trojans cited as one of the causes of data breaches.

Banking Trojans like Blankbot, Godfather, ToxicPanda, GoldPickAxe, and Sharkbot have emerged as powerful tools in the cybercriminal arsenal. This type of malware employs advanced tactics, such as overlay attacks, keylogging, and remote desktop exploits, to deceive users and compromise app security.

For instance, overlay attacks trick users into entering their credentials on fake interfaces that mimic legitimate banking apps, while keylogging records keystrokes to capture passwords and PINs. Trojans also exploit accessibility services to monitor screen activity and perform unauthorized actions, further escalating the threat.

The impact of banking Trojans can be profound in the Philippines, where mobile banking adoption is high. A 2023 report by the Bangko Sentral ng Pilipinas (BSP) on the status of digital payments in the Philippines found that the share of digital payment transactions to total monthly retail payments grew to more than 50% in 2023 from 42.1% in 2022. For consumers, the risks include drained accounts, identity theft, and loss of personal data. For banks, these attacks lead to fraud, reputational damage, and regulatory penalties.

The growing risk of banking fraud has even spurred the Philippine government to launch the Financial Services Cyber Resilience Plan, a framework to enhance cyber resilience in the sector by creating and promoting holistic cybersecurity best practices and standards, building a strong cybersecurity culture, and implementing incident response protocols.

A concerning trend in cybersecurity is the growing collaboration between banking Trojans and on-device fraud (ODF). Unlike traditional fraud tactics that rely on external systems, ODF uses compromised devices to execute fraudulent transactions directly. By bypassing traditional security measures, this partnership between Trojans and ODF creates an almost impenetrable threat, leaving software development kit-based and legacy mobile app security solutions ineffective.

COMPREHENSIVE DEFENSE

To protect effectively against banking Trojans, banks and fintechs in the Philippines need to take a very different approach to mobile app defense. They need to leverage artificial intelligence- and machine learning-powered defense automation to protect their mobile banking apps against ever more sophisticated threats.

Key minimum protections required to offer a comprehensive defense against banking Trojans include:

• RASP (runtime application self-protection) — ensures app operations remain tamper-proof, preventing Trojans from executing malicious actions during runtime;

• code obfuscation — shields app code from reverse engineering, protecting sensitive app logic from attackers;

• root detection — blocks apps from running on rooted or jailbroken devices, where security vulnerabilities are heightened;

• man-in-the-middle attack prevention — encrypts data in transit, safeguarding sensitive user information from interception;

• keylogging prevention — protects user inputs, such as credentials and PINs, from being captured by malicious programs;

• blocking overlay attacks — detects and prevents fake/malicious screen overlays from displaying on top of the app screen and concealing the legitimate app screen, which is used to trick users into revealing sensitive information or performing harmful actions inadvertently;

• blocking accessibility services malware — prevents unauthorized use of accessibility services, closing a critical attack vector for Trojans;

• preventing remote desktop exploits — secures apps against unauthorized remote access and manipulation;

• Google Play Store signature validation — ensures only authentic app versions can run, mitigating the risk of Trojan-laden impostor apps; and

• SMS, two-factor authentication, and one-time PIN interception prevention — secures in-app communications and protects against the interception of authentication mechanisms.
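
The following Kotlin shows how an Android app can implement four of the protections listed above with platform APIs: overlay blocking, screen-capture protection, an accessibility-service audit, and signing-certificate validation. It is an added example, not code from the article or from Appdome; `AppDefense`, `TRUSTED_A11Y_PACKAGES` and the `EXPECTED_CERT_SHA256` placeholder are assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.view.MotionEvent
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import java.security.MessageDigest

// Placeholder: lowercase hex SHA-256 of the release signing certificate.
const val EXPECTED_CERT_SHA256 = "<release-cert-sha256-hex>"
// Hypothetical allowlist of accessibility services the bank accepts (here: TalkBack).
val TRUSTED_A11Y_PACKAGES = setOf("com.google.android.marvin.talkback")

object AppDefense {
    // Overlay and screen-capture hardening for a screen that takes credentials.
    fun hardenWindow(activity: Activity, sensitiveInput: View) {
        // Keep the window out of screenshots, recordings and non-secure displays.
        activity.window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        // Discard touches that arrive while another window covers this view.
        sensitiveInput.filterTouchesWhenObscured = true
        if (Build.VERSION.SDK_INT >= 31) {
            // Needs android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
            activity.window.setHideOverlayWindows(true)
        }
    }

    // True when a touch was delivered while the window was fully or partly covered.
    fun isObscured(e: MotionEvent): Boolean =
        (e.flags and (MotionEvent.FLAG_WINDOW_IS_OBSCURED or
            MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED)) != 0

    // Packages of enabled accessibility services that are not on the allowlist.
    fun untrustedAccessibilityServices(ctx: Context): List<String> {
        val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filter { it !in TRUSTED_A11Y_PACKAGES }
    }

    // API 28+: compare the APK's signing certificate with the expected digest.
    fun signedWithExpectedCert(ctx: Context): Boolean {
        val info = ctx.packageManager.getPackageInfo(ctx.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        val signers = info.signingInfo?.apkContentsSigners ?: return false
        return signers.any { sig ->
            MessageDigest.getInstance("SHA-256").digest(sig.toByteArray())
                .joinToString("") { "%02x".format(it) } == EXPECTED_CERT_SHA256
        }
    }
}
```

Because these checks run inside the app process, their results are best reported to the bank's backend and weighed there before a transaction is approved, rather than trusted on the device alone.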

Traditional defenses are rendered ineffective against the dynamic nature of modern banking Trojans. The Philippine banking sector needs to build a future-proof security model capable of addressing both existing and emerging threats to ensure comprehensive protection for both users and financial institutions in this ever-evolving threat landscape.

To do this, they need an advanced security platform such as Appdome that provides benefits across the board. For consumers, this means ensuring safe and fraud-free banking experiences by protecting their sensitive data and funds. For banks and fintechs, such a platform prevents account takeovers, unauthorized transactions, and large-scale fraud attempts, ultimately preserving customer trust and reducing operational risks.

As the Philippines’ mobile banking and fintech sector continues to expand, the sophistication of Trojans like Blankbot, ToxicPanda, and Godfather serves as a stark reminder of the evolving cyber threat landscape. Financial institutions need to stay ahead of these challenges, delivering the robust security needed to protect customers and their businesses.

Jan Sysmans is a mobile app security evangelist of Appdome.