New Android banking trojans are targeting one-time codes, not passwords

Cybercriminals are shifting their focus from stealing passwords to intercepting one-time codes on mobile phones, and Android banking trojans are at the center of this change. Recent campaigns show that attackers increasingly aim at notification access, SMS inboxes and on-device authenticator apps to bypass multi-factor authentication used by banks and fintech services.
This trend is reshaping how financial institutions and users need to think about protection. Strong passwords and biometric logins still matter, but they are no longer enough when malicious apps can quietly read push notifications and overlay fake login screens on top of legitimate banking apps.
How modern Android banking trojans work
Banking trojans on Android have evolved from simple keyloggers into full remote-control tools. Once installed, they often request broad permissions such as accessibility services, notification access or the ability to draw over other apps. If the user grants these rights, the malware can monitor and manipulate almost everything that happens on the screen.
Instead of directly breaking into bank servers, attackers use these trojans to interact with apps on the device in real time. They can capture login details as they are typed, read incoming SMS or push notifications that contain one-time passwords, and even approve fraudulent transfers by simulating taps and swipes while the phone screen is off.
From passwords to codes and push approvals
Many banks have strengthened login flows by adding one-time codes via SMS, app notifications or authenticator apps. The goal is to make stolen passwords useless on their own. Criminal groups have responded by designing malware that sits inside the trusted device and waits for those second factors to appear.
Modern trojans often come with modules specifically designed to intercept one-time codes. They may forward SMS messages to a remote server, silently read notification content that reveals codes, or grab text from authenticator apps using accessibility features. In some cases, they can accept push-based login prompts automatically, so the victim may never see the approval request.
Common infection paths: from fake apps to smishing

These attacks rarely begin with a direct assault on a bank. Instead, users are tricked into installing malicious apps that pose as utilities, security tools or even official banking helpers. Some appear as QR code readers, file cleaners or PDF viewers that request far more permissions than they need for the advertised function.
Criminals also rely on smishing, or SMS phishing, where messages claim to be from a parcel service, tax agency or bank support agent. Links in these texts may lead to fake download pages that instruct Android users to sideload an app. Since such apps are not coming from Google Play, people may need to enable installation from unknown sources, which significantly increases the risk of malware.
What banks and fintech companies are changing
Financial institutions are responding by tightening how their apps handle sensitive data on the device. Many now mask one-time codes inside notifications or avoid displaying full codes on lock screens. Some are also limiting the amount of information shown in transaction alerts so that trojans cannot easily reconstruct account details.
Developers are adding checks that look for suspicious behavior, such as accessibility services from unknown apps that run while a banking app is open. If detected, the app may block certain actions, log the user out or show a warning that another process appears to be controlling the screen.
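One way a banking app can implement the checks described above, as an added illustration that is not code from any bank, vendor or the article itself: it reads the enabled accessibility services from Android's Secure settings, flags any that belong to neither the app nor a small allowlist, discards touches delivered through an overlay, and keeps the login screen out of screenshots. The allowlist contents, the `LoginActivity` class and the "Sign out" handling are assumptions for illustration.

```kotlin
import android.app.Activity
import android.app.AlertDialog
import android.content.ComponentName
import android.content.Context
import android.provider.Settings
import android.text.TextUtils
import android.view.View
import android.view.WindowManager

// Accessibility services tolerated while a sensitive screen is open.
// The list contents are an assumption for illustration; a real app maintains its own.
private val ALLOWED_ACCESSIBILITY_PACKAGES = setOf(
    "com.google.android.marvin.talkback" // Google's TalkBack screen reader
)

/** Reads the colon-separated list of enabled accessibility services from Secure settings. */
fun enabledAccessibilityServices(context: Context): List<ComponentName> {
    val raw = Settings.Secure.getString(
        context.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
    ) ?: return emptyList()
    val splitter = TextUtils.SimpleStringSplitter(':').apply { setString(raw) }
    return splitter.mapNotNull { ComponentName.unflattenFromString(it) }
}

/** Enabled services that belong neither to this app nor to an allowlisted package. */
fun unknownAccessibilityServices(context: Context): List<ComponentName> =
    enabledAccessibilityServices(context).filter {
        it.packageName != context.packageName &&
            it.packageName !in ALLOWED_ACCESSIBILITY_PACKAGES
    }

/** Hypothetical login screen that re-applies the checks whenever it returns to the foreground. */
class LoginActivity : Activity() {
    override fun onResume() {
        super.onResume()
        // Keep the login screen out of screenshots and screen recordings.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
        // Discard touches that arrive while another window is drawn over this one.
        findViewById<View>(android.R.id.content).filterTouchesWhenObscured = true

        val suspicious = unknownAccessibilityServices(this)
        if (suspicious.isNotEmpty()) {
            AlertDialog.Builder(this)
                .setTitle("Another app may be controlling the screen")
                .setMessage("Enabled accessibility services: " +
                    suspicious.joinToString { it.flattenToShortString() })
                .setPositiveButton("Sign out") { _, _ -> finish() } // placeholder for a real logout
                .setCancelable(false)
                .show()
        }
    }
}
```

The allowlist approach is deliberate: a malicious service can be named anything, so the check treats every service it does not recognize as suspicious rather than looking for known bad names.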
Stronger device-level protections from Google

On the platform side, Google has introduced tighter controls around accessibility and notification permissions in recent Android versions. Apps now must request these rights in clearer ways, and users see more prominent warnings when an app wants access to sensitive capabilities that can be abused by malware.
Google Play Protect has also expanded its real-time scanning and server-side checks to flag banking trojans more quickly. Suspicious apps can be blocked before installation or removed remotely if they are later identified as harmful. Despite these moves, sideloaded apps and third-party stores remain a weak point that is harder to police.
Practical steps users can take today
While much of the response is happening behind the scenes, individual users still play a crucial role in preventing infections. Agreeing to broad permissions without reading prompts is one of the fastest paths to compromise, especially when an unfamiliar app requests accessibility or notification access just to perform a simple task.
A few practical habits can significantly reduce risk:
- Install apps only from trusted stores: Prefer Google Play or a well-known vendor store, and avoid downloading APK files from random links in messages or social media.
- Scrutinize permissions: Be skeptical if a flashlight, wallpaper, QR reader or cleaner app asks for SMS, accessibility or notification access.
- Use app-based authenticators on a separate device: Keeping your primary banking apps and your authenticator on different devices can blunt the impact of a single-device infection.
- Lock down notifications: Hide sensitive content on the lock screen for banking and authentication apps so codes are not visible without unlocking the phone.
- Keep Android and apps updated: System and app updates often include protections that block known malware techniques.
Implications for everyday digital banking
The rise of these trojans does not mean that mobile banking is inherently unsafe, but it does highlight how the threat model is changing. Attackers now assume that some form of two-factor authentication is in place and design their campaigns to operate from inside the trusted device environment.
For everyday users, that shift reinforces an old lesson with a new twist: the weakest point is often the phone in your hand, not the bank server. Paying attention to what you install, which permissions you grant and how your one-time codes are delivered can make the difference between a blocked attempt and a drained account.