Download the PDF version

How Banking Trojans hit your customers' account


We know it. Cybersecurity and online fraud sometimes can become very complicated to understand. 

Some key concepts are still unknown or misconceived by a wide range of people inside organizations, making it difficult to define the best way to protect digital eco-systems and avoid exposing customers to cyber-threats

For example, everybody knows what malware are, but only a few know how they actually work and how they threaten security systems, potentially causing great financial and reputational damage. 

In this article we share some useful insights about what banking trojans are and how they hit your customers’ accounts, so as to help you recognize some critical patterns and avoid being hit. 

What are Banking Trojans

Banking Trojans are a particular type of malware used by cybercriminals to take control of a device, or steal sensitive information from it, to perpetrate online fraud

As all Trojan horses, they are usually disguised as legitimate applications but, once installed on the targeted device, whether mobile or computer, they are able to carry on several malicious activities, such as intercepting 2FA and OTP codes, swapping IBAN, monitoring the device screen, stealing credentials and eventually finalising fraudolent transactions. 

As banking and financial institutions’ systems became harder to attack, cybercriminals developed banking malware to target individuals directly. They get to the end-users’ devices via phishing emails, advertising, drive-by-downloads, or social engineering techniques. Moreover, our researches highlight specific patterns: banking malware attack mainly via mobile devices in the retail industry (as people finalise more banking operations via smartphones), and via workstation in the corporate industry (where people use mainly laptops and computers).  

In the past 20 years, criminals released a wide variety of Banking Trojans’ families, characterised by specific capabilities and moves. The first to appear were Zeus and SpyEye, but today many others populate the cybersecurity world, such as Emotet, Dridex, Gozi, and Tinba.

Moreover, over the past couple of years, the Cleafy Threat Intelligence Team discovered new banking malware families, such as SharkBot, Revive, and TeaBot.

Banking trojans discovered by Cleafy
Do you want to know more about the latest cyber-threats? Read our Threat Intelligence Team’s detailed reports and analysis on our Cleafy Labs section.

How do they threaten your customers’ accounts

Banking Trojans have the ability to attack online banking in different ways, such as downloading and sending files remotely, stealing information from a clipboard, running executable files,  collecting cookies and passwords, or redirecting website traffic to malicious ones.   

Since their first appearance on the web, banking malware became more and more advanced. 

Account Takeover

Fraudsters usually attempt an Account Takeover, which means taking over an online account to steal information or money. This is done either by using social engineering techniques or by installing a malware, or Banking Trojan, on the victim’s device. Advanced fraud attacks involve both of them.

Focusing on malware infections, there are many types of threats and capabilities that can hit digital devices, but the most frequent are overlays and SMS stealer (or sniffer), or other advanced attacks like key-logging and screen recording.

Overlays over-impose a layer on top of specific pages of the app (or web app) to intercept private information as the user enters them; while SMS Sniffers capture SMS messages to steal personal data or read OTP to bypass Multi-factor Authentication procedures.  

In the past few years, Cleafy’s Threat Intelligence team has analyzed examples of advanced malware that perform ATO at scale: TeaBot, BRATA, and Gozi, that can also attack via Automatic Transfer System.

Automatic Transfer Systems

Unlike Account Takeover, attacks through the Automatic Transfer System don't require taking over the victims’ accounts. The fraud occurs while the user actively operates on the target application by tampering with the genuine operation without the user noticing it.

ATS attacks on mobile are performed by gaining control over Accessibility Services, a suite of Android services provided by Google to make Android devices more accessible to users with disabilities. 

An additional way in which banking malware can hit customers’ banking accounts is via web injection, meaning by injecting malicious content into a web page before it is redirected to a legitimate banking website. 

This happens because the cybercriminals’ technology can intercept and modify the traffic between a Web server and a user browser without the victim’s noticing it.

So, getting practical, cybercriminals use web injects to perpetrate fraud in two ways:

  • By intercepting credentials and OTPs and attempt an Account Takeover.
  • By initiating wire money transfers via Automatic Transfer System techniques. This is possible only for the most advanced versions of web injects.

As for banking trojans attacking through ATO, Cleafy’s Threat Intelligence team has discovered an example of banking malware that performs ATS at scale: SharkBot.

Banking Trojans: some real-life examples

In the past few years, the Cleafy Threat Intelligence and Response Team has stopped specific types of banking trojans that targeted banks and financial institutions around Europe and beyond.

Critical insights have been discovered about Gozi and Sharkbot, two of the most dangerous banking trojans of the past few years. 

For a deeper understanding of these two banking trojans, visit our Cleafy Labs section. 


Known for being the most widely spread and longest-standing banking trojan with more than 14 years of activity, Gozi is used to finalise banking and e-commerce fraud, POS devices compromise and ransomware. 

Since its source code was leaked in 2015, many variants under distinct names spread in the cyberworld. Gozi today refer mainly to the family name of a specific type of banking trojan. 

Through Gozi, criminals deliver a specific web inject family (which we dubbed as RATBANK, but it is also known as ‘delsrc’), used to discriminate interesting bots and to perform Account Takeover (ATO) fraud only on valid ones.

The cybercriminals behind this pattern has a deep knowledge of how those targeted corporate banking environments work, which steps are needed to authorize a bank transfer, and how different two-factor authentication mechanisms can be bypassed, by identifying specific weaknesses in their implementation. Moreover, they have access to native-speaking operators who perform vishing attacks in an attempt to elicit victims during the execution of an ATO scenario and to try to isolate all the communication between victims and their banks with social engineering tricks.

The TA has access to a significant and well-structured set of money mule accounts, in multiple SEPA (Single Euro Payment Area) and NON-SEPA countries, which are typically discriminated against by the amount of the unauthorized transaction.

In the last 2 years, we identified hundreds of bank accounts controlled by this group, with the largest amount being 1.5M Euro, handled in a single bank transfer during a targeted Account Takeover fraud.

Digital banking fraud: how the Gozi malware works


At the end of October 2021, a new Android banking trojan was discovered and analyzed by the Cleafy TIR team. It was dubbed SharkBot. 

The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms. 

Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device.

Moreover, SharkBot implements overlay attacks to steal login credentials and credit card information and it also has capabilities to intercept legitimate banking communications sent through SMS.

Differently from malware like TeaBot and Oscorp/UBEL, where a live operator is required to insert and authorize a money transfer, with ATS technique Threat Actors can scale up their operations with minimum user intervention.

SharkBot belongs to a new generation of mobile malware, that can bypass also strong behavioral biometrics control put in place by many banks to protect their customers’ digital accounts.  

Sharkbot: a new generation of Android Trojans targeting banks in Europe

Fighting Banking Trojan to prevent online fraud

As digitalization gets embedded in more and more services, and technologies improve, cybercriminals have at their disposal increasing opportunities to attack people and complete online fraud. 

Advanced banking trojan are not so easy to identify and stop before they hit, but with the right fraud management tools and skilled fraud hunters, the job gets easier. 

The Cleafy technology uses an advanced patented technologies and extended expertise that are able to detect any type of manipulation triggered by a banking malware, ensuring the best protection to all customers. 

Get a free consultation

Read more articles