Android banking trojans surge
Zimperium’s zLabs reported four active Android banking‑trojan campaigns that are targeting more than 800 apps, flagging a broad mobile threat vector for financial services. The research team urged immediate attention to mobile protections given the scale and persistence of the campaigns. (x.com)
Android banking malware is spreading through at least four active campaigns that Zimperium said are now targeting more than 800 apps. (zimperium.com)
Zimperium’s zLabs team named the four Android banking trojan families as RecruitRat, SaferRat, Astrinox and Massiv in a report published April 16, 2026. The company said the campaigns target banking, cryptocurrency and social media apps, not just finance brands. (zimperium.com)
A banking trojan is malicious software that lands on a phone, watches what the user does, and steals credentials or authorizes transactions. Zimperium said these families use command-and-control systems, anti-analysis tricks and Android package tampering to stay hard to detect with signature-based tools. (zimperium.com)
The first step is usually social engineering, not a software flaw. Zimperium said the malware is delivered through phishing sites, text-message lures, fake system updates, bogus popular apps and promotional offers that push users to install apps from outside trusted stores. (zimperium.com)
The new campaign report lands less than a month after Zimperium’s broader 2026 Banking Heist Report described mobile fraud as an on-device problem. That March 19 report said zLabs tracked 34 active malware families targeting 1,243 financial apps across 90 countries during 2025. (zimperium.com)
That same March report said Android malware-driven financial transactions rose 67% year over year in 2025. It also said the United States had 162 banking apps under active targeting, up from 109 in 2023. (zimperium.com)
Zimperium said modern banking malware no longer stops at password theft. Its March report said current families can intercept authentication codes and phone calls, hide from security tools and imitate a legitimate banking session while fraud is carried out on the device. (zimperium.com)
The practical advice from the April 16 research is old-fashioned but specific: avoid sideloading Android apps from links in texts or websites, treat urgent installation prompts as suspicious, and assume a fake update screen can be part of the attack. The campaigns Zimperium described rely on getting malware onto the phone before a bank ever sees a suspicious login. (zimperium.com)