The Accelerating Risk of Fake Mobile Apps for Financial Institutions

Regain Control, Change the Game and Show Business Value with Predictive and Preemptive Security

Phishing is no longer confined to domains and websites. As consumer engagement has shifted to a diverse set of platforms and mobile applications, the avenues available to cybercriminals have shifted with it, whether they promote their scams directly through malicious applications or by abusing legitimate ones.

With mobile device ownership projected to reach 18.22 billion by 2025, many organizations that once existed only as websites have added mobile applications. As a result, the volume of authentication data, transaction records, wallets, passwords, and other personal details stored on a typical mobile device has grown, drawing the attention of cybercriminals and fuelling the rapid distribution of mobile malware and fake applications.

A threat advisory issued by the Singapore Police warns that at least 128 cases of mobile malware have been reported since February 2025, with total losses of at least $2.4 million. A typical scam starts with a Facebook or TikTok advertisement and moves to WhatsApp, where the victim is asked to pay a small membership fee. The scammers then push a fake APK designed to give them remote access to the device, from which they steal SMS one-time passwords (OTPs) and credit card details to extend the original fraud. In some cases, victims are even talked into disabling Google Play Protect and installing specific VPN apps from the Play Store, which lets the scammers bypass banking security controls and access accounts directly.

This focus on the financial sector reflects an effort to obtain the banking credentials of customers and employees, which can then be exploited in several ways: through online banking, e-payment services, and credit card systems, among others. It makes the financial services industry the favorite target for mobile malware and fake app distribution campaigns.

Some organizations try to protect their brand by mitigating impersonation threats posing as mobile applications through traditional app-centric detection, in which defenders respond only after the damage has been done. This approach is increasingly ineffective because generative AI models can produce new applications on demand and vary them enough to evade malicious-app detection tools at scale. This underscores the urgent need for strong, infrastructure-based solutions that let defenders anticipate and stop threats before they cause harm.

This article is intended to encourage the reader to shift from reactive, individual app-level detection to proactive, infrastructure-based intelligence and enforcement, with an emphasis on predictive detection and preemptive mitigation.

The Escalating Threat Landscape

Statistics from Worth Insurance highlight that nearly half (47%) of free Android antivirus programs fail to detect any dangerous malware, and that 8 of the 21 most popular free apps were completely unable to identify even the most basic malware threats or report them to users. Financial services organizations of every size and revenue are therefore at risk of being impersonated, which leads to a range of fraudulent and criminal activity.

Credential theft is likely the primary aim. Because people prefer apps for their convenience over website operations, fake mobile apps and malware distribution are on the rise, harvesting banking logins and credit card details or gaining unauthorized access to customer accounts. Beyond direct financial fraud, cybercriminals target the financial industry for money laundering, identity theft, and account takeovers, and sell the stolen data on the dark web. The subsequent sale of user credentials on the dark web further fuels social engineering attacks and attempts to compromise employee accounts in order to access internal files or deploy ransomware.

What is more, malicious applications circulate across the Internet in many forms. A fake application can be hosted on a legitimate app store or on an unregulated third-party website. "Mod versions" of legitimate applications are distributed through third-party or phishing sites with social engineering lures such as "freemium" offers or enhanced features, with the aim of extracting sensitive financial or personal data. Whether modded or entirely fake, and whether or not they sit on legitimate platforms, these apps either replicate the whole application or imitate popular banking features, such as lower foreign transaction markup fees, loan offers, or investment schemes.

Beyond the direct consumer losses, fake mobile apps erode customer trust in the targeted financial institutions and lead to violations of data protection and consumer security regulations. The speed and scale of these attacks overwhelm traditional fraud detection systems designed for older threat vectors. When the cybercriminals win, everyone on the defensive side loses.

It gets worse. Generative AI tools such as "WormGPT", which can produce detection-evasive malware, new carding methods, and phishing lures, show how much complexity the evolution of technology has added. Cybercriminals are adding sophistication to their operations in ways that were not possible before, rendering outdated fraud detection systems largely ineffective. While exploits evolve, the lack of adequate security upgrades and user awareness across the banking industry often gives cybercriminals the winning hand.

Figure 1: Advertisement on a Telegram channel offering a generative AI solution facilitating cybercriminal activity

The Limitations of App-Centric Detection

Financial services’ reactive posture in mitigating fake mobile applications

The financial services sector often finds itself in a reactive position when mitigating fake and malicious mobile applications that replicate its business operations. Despite having advanced security resources, financial organizations lack continuous monitoring of the vast number of rapidly emerging campaigns, so fraud is frequently detected only when an existing customer complains through a support portal or social media.

Take the example of this X (formerly Twitter) post from May 17, 2025. A bank customer lost a significant amount of money after being socially engineered by criminals who used vishing to redirect the victim to a fake banking domain. Showing full familiarity with the mobile application's features, the criminals asked for a one-time password (OTP); the victim ended up submitting card details and then completing a "Know Your Customer" (KYC) step to verify the transaction, which kept the bank from flagging the withdrawals as suspicious.

Figure 2: Victim complaining on social media about financial fraud through attacks targeting Axis Bank

Rise in sophistication due to artificial intelligence

Today, almost every major brand faces the risk of impersonation or of malware disguised as one of its legitimate applications. Attackers have become more sophisticated, leveraging AI and automation tools to proliferate malicious campaigns. Because building these campaigns has become easier and largely automated, the scale and scope of the threat go far beyond anything seen before.

Criminals targeting banking applications focus on the unique functionality that drives customer engagement, mirroring legitimate characteristics to lend credibility to their fakes. Features with a large user base or that require sensitive data, such as loan applications, investment schemes, credit card offers, payment gateways, or account settings, are at particular risk. The threat actors' ability to clone even the smallest details of user interfaces and workflows makes it easy to fool victims into believing they are performing the legitimate action they are accustomed to. For financial institutions combating these impersonations, the sheer volume and sophistication of the fraudulent apps make manual identification and takedown impossible to scale.

Generative AI makes copying the UI/UX of a legitimate banking app easier and faster than ever. On top of that, banking Trojans use code obfuscation, dynamic loading, and behavioral evasion to bypass app store security scans. The criminals' ability to quickly rotate C2 servers, hosting providers, IP addresses, and domains, often through domain generation algorithms (DGAs), produces an infrastructure that traditional reactive mitigation, focused on individual applications rather than the infrastructure behind them, is not built to handle.

Predictive Detection: Seeing The Bigger Picture

Figure 3: Phishing website for Wells Fargo prompting for a malicious APK download, active for at least 7 months

Detection and mitigation of mobile malware can take many forms, such as identifying the root domain spreading the malware and investigating its DNS activity (see Figure 3). For instance, if a website offers malicious third-party apps for download through a typosquatted domain, DNS monitoring can flag it. Further steps include identifying IP ranges, hosting providers, or autonomous system numbers (ASNs) frequently used by financial cybercriminals, which can reveal entire networks supporting fake banking apps and phishing sites. Infrastructure monitoring also covers the social engineering campaigns (smishing and vishing kits) that direct users to download fake financial apps.
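The first step described above, flagging typosquatted and brand-abusing hostnames as they appear in a DNS or certificate-transparency feed, is the kind of check a bank's threat team can run itself. The following is an added example written for this article, not code from the original page or from the PreCrime product. The feed, the protected brand list, the allowlist and the lure-token list are all constructed assumptions; a real deployment would load the brand's own registrable domains and tune the thresholds against its takedown history.

```python
"""Lookalike-domain triage for protected financial brands.

Added example, not code from the article or from the PreCrime product. The
FEED below is constructed sample data standing in for a passive-DNS or
certificate-transparency stream; the brand list, allowlist and lure tokens
are assumptions that a bank's team would replace with its own.
"""

PROTECTED_BRANDS = ("wellsfargo", "paypal", "axisbank")        # assumption
ALLOWLIST = {"wellsfargo.com", "paypal.com", "axisbank.com"}     # assumption
# Tokens that recur in app-distribution lure hostnames (assumption).
LURE_TOKENS = {"apk", "app", "download", "update", "secure",
               "login", "kyc", "verify", "mobile"}

# Single-character look-alikes attackers substitute into brand names.
_GLYPHS = str.maketrans("013457|", "oleastl")


def normalise(label: str) -> str:
    """Undo common homoglyph tricks so 'We11sFarg0' compares as 'wellsfargo'."""
    label = label.lower()
    for src, dst in (("vv", "w"), ("rn", "m")):   # two-char look-alikes first
        label = label.replace(src, dst)
    return label.translate(_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(hostname: str) -> dict:
    """Score one hostname and return score, verdict and the reasons behind it.

    Simplification: the last label is treated as the TLD, so multi-part
    suffixes such as co.uk are not split correctly by this example.
    """
    host = hostname.lower().strip(".")
    labels = host.split(".")
    if host in ALLOWLIST or len(labels) < 2:
        return {"host": host, "score": 0, "verdict": "allowlisted", "reasons": []}

    sld, subdomains = labels[-2], labels[:-2]
    norm_sld = normalise(sld)
    compact = norm_sld.replace("-", "")
    score, reasons = 0, []

    for brand in PROTECTED_BRANDS:
        if compact == brand:
            score += 3
            reasons.append(f"brand {brand!r} registered under an unexpected TLD")
        elif brand in compact:
            score += 3
            reasons.append(f"brand {brand!r} embedded in registrable domain")
        elif levenshtein(compact, brand) <= 2:
            score += 3
            reasons.append(f"typosquat of {brand!r}")
        if any(brand in normalise(s) for s in subdomains):
            score += 2
            reasons.append(f"brand {brand!r} used as a subdomain label")

    if norm_sld != sld:
        score += 1
        reasons.append("homoglyph substitution in registrable domain")

    tokens = {t for label in labels for t in label.split("-")}
    lures = sorted(tokens & LURE_TOKENS)
    if lures:
        score += min(len(lures), 2)
        reasons.append("lure tokens: " + ", ".join(lures))

    verdict = ("high" if score >= 4 else "medium" if score >= 2
               else "low" if score else "clean")
    return {"host": host, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed feed: one legitimate domain, five lookalikes, one unrelated host.
FEED = ["wellsfargo.com", "wells-fargo-apk.xyz", "we11sfargo-login.top",
        "paypa1.download", "axisbank.kyc-update.icu", "axisbnak.net", "example.org"]


def run_feed(feed=FEED) -> list:
    """Triage every host and return the ones an analyst should look at first."""
    results = [triage(h) for h in feed]
    return sorted((r for r in results if r["verdict"] in ("high", "medium")),
                  key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in run_feed():
        print(f"{r['verdict']:6} {r['score']:2} {r['host']:26} {'; '.join(r['reasons'])}")
```

Two design points matter for false positives. The brand-match stage only fires on the registrable label (or on a brand used as a subdomain), so a legitimate partner page like bank-comparison.example does not trip it; and the edit-distance threshold of 2 is generous for short brand names, so for a four- or five-letter brand it should be reduced to 1. Hits rated "high" are the ones worth feeding straight into the DNS-monitoring and takedown workflow described above.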

When considering the broader impact, mitigating mobile application threats involves more than taking offending apps or domains down. Organizations need to focus on reducing fraud losses, preventing account takeovers, preserving customer trust, and meeting stringent regulatory requirements for fraud prevention.

While fake mobile apps present a clear and persistent problem for financial services organizations, there isn’t a consensus on how to deal with them. Traditionally, “detect and respond” fraud detection systems were adequate for identifying and remediating app-based fraud. However, with the rising scale and sophistication of fake mobile apps as mentioned above, conventional solutions seem to be falling short. So what makes the new threats difficult to mitigate and what is the solution?

Preemptive Mitigation: Stopping Them Before They Start

While the financial services industry is currently largely limited to reactive takedowns through traditional mitigation methods, the path forward clearly points towards preemptive mitigation: using AI-driven threat monitoring to identify and neutralize threats before they can inflict damage.

Preemptive mitigation begins once all indicators of maliciousness have been analyzed, and it takes a comprehensive approach that is not limited to domains mimicking a financial institution's branding or hosting fake app downloads. It includes collaborating with app stores to flag and suspend developer accounts whose patterns are consistent with the creation of financial fraud apps, even before those apps gain significant traction. It also means proactively scanning for and removing fake financial app listings on unofficial app stores, forums, and social media, and sharing intelligence with network security teams so they can block IP addresses associated with known C2 servers for financial malware.

Figure 4: Paypal application hosted on a third party website that has already been flagged as malicious by several security vendors

How is PreCrime™ Different?

Many financial companies learn about fake versions of their apps only after customers report fraudulent transactions. By then the damage is already done, leading to complaints on social media, customer support requests, refunds, and investigations.

PreCrime goes beyond traditional solutions by adding a focus on behavioral indicators. One is permission abuse, where any suspicious permission requested by an app is flagged (for example, a banking app requesting access to contacts or call logs). Others include unusual network activity and the detection of repackaged and cloned (modded) apps, where typical embedded Trojan behaviors are identified (for example, a connection to a command-and-control server that has already been flagged as malicious).
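To make the permission-abuse and C2 indicators above concrete, here is an added example (written for this article, not PreCrime's own logic or code from the original page) that scores an Android manifest the way an analyst would when a suspect APK lands in the queue. Both manifests are constructed, the first to resemble a repackaged banking Trojan and the second a legitimate app; the permission weights, the expected package name, the C2 blocklist and the list of hosts "pulled from the APK's strings" are assumptions.

```python
"""Manifest-level triage of a suspected repackaged banking app.

Added example, not code from the article or from the PreCrime product. Both
manifests below are constructed (the first to resemble a banking Trojan, the
second a legitimate app); the permission weights, the expected-package map,
the C2 blocklist and the hardcoded host list are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a retail banking app has no business holding (assumed weights).
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": 3,                  # OTP theft
    "android.permission.RECEIVE_SMS": 3,               # OTP interception
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_CONTACTS": 2,             # harvesting smishing targets
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # dropper behaviour
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # overlays on top of the real app
    "android.permission.QUERY_ALL_PACKAGES": 1,        # discovering installed bank apps
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Brand label -> package the bank actually ships (assumed, not the real value).
EXPECTED_PACKAGE = {"wells fargo": "com.example.wellsfargo.mobile"}
# Previously flagged command-and-control hosts (constructed blocklist).
KNOWN_C2 = {"update-secure-bank.top", "198.51.100.23"}

TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.secure.update.wf">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Wells Fargo Mobile">
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wellsfargo.mobile">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Wells Fargo Mobile"/>
</manifest>"""


def analyse_manifest(manifest_xml: str, hardcoded_hosts=()) -> dict:
    """Score a manifest (plus hosts found in the APK's strings) for Trojan traits."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    score, findings = 0, []

    # 1. Permission abuse: weights add up, so SMS + overlay + contacts is damning.
    granted = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for perm, weight in RISKY_PERMISSIONS.items():
        if perm in granted:
            score += weight
            findings.append("requests " + perm.rsplit(".", 1)[-1])

    # 2. Component-level tells: accessibility service and SMS_RECEIVED receiver.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            score += 3
            findings.append(f"accessibility service {svc.get(ANDROID_NS + 'name')} (overlay/ATS abuse)")
    if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION for a in root.iter("action")):
        score += 2
        findings.append("receiver registered for SMS_RECEIVED (OTP interception)")

    # 3. Repackaging: the label claims a brand the package name does not belong to.
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").lower()
    for brand, official in EXPECTED_PACKAGE.items():
        if brand in label and package != official:
            score += 3
            findings.append(f"label impersonates {brand!r} but package is {package}")

    # 4. Network indicator: any hardcoded host already on the C2 blocklist.
    c2_hits = sorted(set(hardcoded_hosts) & KNOWN_C2)
    if c2_hits:
        score += 4
        findings.append("contacts flagged C2: " + ", ".join(c2_hits))

    verdict = "malicious" if score >= 8 else "suspicious" if score >= 4 else "benign"
    return {"package": package, "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for xml_src, hosts in ((TROJAN_MANIFEST, ["update-secure-bank.top", "api.example.com"]),
                           (BENIGN_MANIFEST, ["api.example.com"])):
        r = analyse_manifest(xml_src, hosts)
        print(r["package"], r["verdict"], r["score"])
        for f in r["findings"]:
            print("  -", f)
```

The manifest is the cheap, static half of the picture: a legitimate banking app may legitimately use the SMS Retriever API rather than RECEIVE_SMS, and the accessibility-service check is what catches the overlay and automated-transfer (ATS) behavior the article attributes to banking Trojans. The C2 match is the bridge to the infrastructure view, since a single flagged host inside a fresh APK ties that app to a campaign that may already be under takedown.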

PreCrime also predicts mobile threats through advanced AI threat analysis models. This makes it possible to mitigate malicious domains even before they begin distributing the malware-laden application, which benefits financial organizations significantly by moving beyond traditional third-party monitoring of app stores.

By continuously monitoring the internet to predict, disrupt, and take down malicious infrastructure before it can make victims of their customers, financial organizations can get an edge on these criminals. Relying on traditional "detection and response" models to navigate this increasingly complex threat environment leaves security teams and customers at a disadvantage. It is time for financial organizations to embrace predictive security and take the extra step of protecting their customers.

Common myths about mobile takedowns

Take a look at these common myths about mobile-centric mitigation. The truth is quite different!

Myth #1: "Once a fake banking app is removed from the official store, the problem is solved."

The Truth: Fake banking apps aren’t limited to official app stores. They are also prevalent on unofficial app stores, direct APK downloads (through smishing links), or Telegram channels. Removing them from one store doesn’t stop distribution elsewhere.

Myth #2: "App stores are solely responsible for takedowns of fake banking apps."

The Truth: Financial organizations must actively engage in solutions that offer protection against brand impersonation with preemptive mitigation. This directly or indirectly involves working with registrars, hosting providers, social media platforms, and law enforcement for the broader takedown of the infrastructure supporting the fraud, not just the app itself.

Myth #3: "Takedowns of fake banking apps are quick and easy."

The Truth: The legality and logistics of international takedowns can be complex, especially when dealing with foreign and non-cooperative registrars or hosts.

Myth #4: "Automated takedowns are sufficient for financial fraud apps."

The Truth: While automation is crucial for scale, the sophistication of financial criminals often requires contextual analysis to disrupt the full scope of an attack while minimizing false positives that could impact legitimate financial apps.