Threat actors have been trying to get malicious software onto desktops and mobile devices for as long as those devices have existed. Despite that long history, malware remains a pressing security threat in 2025. In the last few years, our security teams and partners have seen a particular rise in mobile banking trojans, most notably Snowblind and FjordPhantom.

For many mobile app vendors, developments like these raise questions about how to protect apps and sensitive information. But before we answer those, it’s helpful to recap what this malware is trying to achieve and how it goes about it.


Unpacking malware techniques: What are hackers trying to do—and why?

For all the innovation we’ve seen in recent years, the fundamental goal of most malware stays the same: to install software on your device that can get sensitive information off it. Generally, the software hackers try to install falls into one of the following categories:

  • Keylogging: Any software that records your keystrokes as you type and sends them to hackers. This is a popular way to steal login credentials by tricking you into installing third-party keyboards with access to user input.
  • Screen mirroring: These tools capture all information displayed on your mobile screen and relay it back to hackers to get your passwords, sensitive information, one-time passwords (OTPs), and more.
  • Screen reading: This is similar to screen mirroring, except it gives the hacker certain text-based content that appears on your screen by abusing accessibility services (more on this below).
  • Overlays: Some malware also uses Android overlays to display malicious windows that are designed to look like genuine app overlays. These may request permissions or encourage you to input sensitive information.

But on mobile devices, simply installing the malware isn’t enough, because mobile operating systems place each app in a sandbox that limits the data it can access. To get past that limit, hackers typically take one of two routes:

  • Using an escalation-of-privilege exploit: Privilege exploits are difficult and expensive to develop, so they are generally used by well-resourced groups and nation-state actors. This is why they are often a secondary priority for cybersecurity vendors: the vast majority of customers will never be the target of these attacks.
  • Abusing legitimate features of the operating system, such as accessibility features: Most mobile malware falls into this category. Features like screen readers, overlays, and third-party keyboards are granted access across the app sandbox boundary in order to function, which gives hackers an attractive “back door” through the device’s built-in protections.

Together, you can consider these techniques the first generation of mobile malware. Most modern malware still works by trying to disable the defenses mobile apps have built against them, which has created a cat-and-mouse game between mobile app security and the hackers trying to get past it. Here are some recent examples of this in practice:

GoldDigger

In 2023, the GoldDigger banking trojan was discovered, targeting about 50 Vietnamese banking, e-wallet, and crypto wallet apps.

Like many mobile malware tools, it abused Android’s accessibility services to extract personal information and steal banking app credentials. The attack used fake websites that impersonated the Google Play store and various corporate websites to encourage users to download repackaged apps.

Customers of these legitimate organizations were targeted with links to fake websites as part of an organized phishing campaign.

SpyAgent

In September 2024, McAfee researchers discovered SpyAgent. Like GoldDigger, it used fake apps posing as legitimate banking, government services, utilities, or TV streaming products.

Users were lured by phishing into downloading repackaged apps whose purpose was to steal their cryptocurrency mnemonic keys (wallet seed phrases).

An interesting detail in this case was how the fake apps used loading screens, unexpected redirects, and blank screens to distract the user while information was being exfiltrated.

Second-gen malware: How repackaging and social engineering changed the game

Today, many straightforward and widely used protections can detect the techniques discussed in the last section. They can be as simple as detecting whether an accessibility service is enabled (and advising users not to enter sensitive information while one is), yet they are often quite effective.
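As an added illustration of the kind of check described above (example code written for this article, not Promon’s own SDK code), the following Android class enumerates the accessibility services that are currently enabled, flags those able to read window content, and hardens a sensitive input field against the screen-reading, overlay, and screen-capture techniques listed earlier. The class and method names, and the “warn unless the service is a system app” policy, are assumptions made for the example; the Android APIs it calls are real.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative client-side checks against first-generation malware techniques
 * (screen reading, overlays, screen mirroring). Added example, not Promon SDK
 * code; the policy in shouldWarnBeforeSensitiveInput is an assumption.
 */
public final class AccessibilityGuard {

    /** One enabled accessibility service and what was learned about it. */
    public static final class Finding {
        public final String serviceId;      // "package/ServiceClass"
        public final boolean canReadScreen; // service may retrieve window content
        public final boolean isSystemApp;   // shipped on the system image

        Finding(String serviceId, boolean canReadScreen, boolean isSystemApp) {
            this.serviceId = serviceId;
            this.canReadScreen = canReadScreen;
            this.isSystemApp = isSystemApp;
        }
    }

    /**
     * Enumerates enabled accessibility services and records whether each one
     * can retrieve window content, i.e. read what the user sees on screen.
     * Returns an empty list when no accessibility service is enabled.
     */
    public static List<Finding> findScreenReaders(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) {
            return findings;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            boolean canRead = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean system = false;
            if (info.getResolveInfo() != null && info.getResolveInfo().serviceInfo != null) {
                ApplicationInfo app = info.getResolveInfo().serviceInfo.applicationInfo;
                system = app != null && (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            }
            findings.add(new Finding(info.getId(), canRead, system));
        }
        return findings;
    }

    /**
     * Policy decision (an assumption for this example): warn the user before a
     * sensitive screen when any service that is NOT part of the system image
     * can read window content. A stricter product might warn for all of them.
     */
    public static boolean shouldWarnBeforeSensitiveInput(Context ctx) {
        for (Finding f : findScreenReaders(ctx)) {
            if (f.canReadScreen && !f.isSystemApp) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hardens a sensitive field (PIN, OTP, password) against the collection
     * techniques described in the article:
     *  - screen reading: the view and its children are hidden from
     *    accessibility services, so a rogue service cannot pull its text;
     *  - overlays: touches that arrive while another window covers the view
     *    are dropped, which defeats tap-jacking overlays;
     *  - screen mirroring/capture: FLAG_SECURE blocks screenshots and screen
     *    recording of the whole activity window.
     */
    public static void hardenSensitiveView(Activity activity, View sensitiveView) {
        sensitiveView.setImportantForAccessibility(
                View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
        sensitiveView.setFilterTouchesWhenObscured(true);
        activity.getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    private AccessibilityGuard() {}
}
```

Two design points worth noting. Hiding a view from accessibility services also hides it from legitimate assistive technology, which is why the article’s advice is to warn the user rather than silently block; the detection and the hardening are deliberately separate methods so a product can choose how far to go. And the system-image flag only tells you where a service was installed, not whether it is trustworthy, so treat it as one signal among several rather than an allowlist.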

As a result, hackers have developed new techniques which we can consider the second generation of mobile malware. These involve some combination of phishing, repackaging, and social engineering.

Their goal is to get you to download fake (or repackaged) versions of legitimate apps from which the security defenses have been stripped. Hackers use several techniques to convince you to download the repackaged app instead of the genuine version, including:

  • Sending phishing links to customers of a legitimate app vendor to install or redownload the app from a fake landing page.
  • Contacting you directly, posing as a customer service agent, to trick you into installing the fake app and enabling the accessibility services the malware needs to pass through the app sandbox.

Despite the effort that goes into this, these attacks have been surprisingly prominent and effective in recent years, particularly in Southeast Asia.

Third-gen malware: Snowblind and FjordPhantom opened a new attack vector for hackers

While the second-generation techniques are still widely effective, they’re not foolproof. Mobile apps are increasingly being built with anti-repackaging defenses, including many of the techniques we use at Promon.

This has given rise to a new wave of third-generation malware techniques, including Snowblind and FjordPhantom, in which hackers aim to disable security defenses by attacking the app’s anti-tampering checks directly. Both of these emerging malware techniques were discovered through a partnership between Promon and i-Sprint.

Snowblind

Snowblind was first discovered in Southeast Asia in 2024.

This technique misuses a Linux kernel feature called seccomp (secure computing mode). seccomp is designed as a security feature: a process installs a filter that restricts which system calls it may make, and that filter can also trap a call and hand it to a user-space signal handler instead of the kernel. That same capability can be manipulated by malicious actors to aid an attack.

Snowblind uses seccomp to intercept the system calls made by the app’s anti-repackaging checks and redirect them away from the tampered code. It does this by adding an extra native library to the repackaged app that is loaded before the anti-tampering checks run, so the tampering is never detected.

From there, the repackaged app can be installed on your device and the malware deployed with the app’s defenses neutralized.

Read more: Beware of Snowblind: A new Android malware

FjordPhantom

FjordPhantom was also discovered in Southeast Asia, by Promon’s partner i-Sprint, in 2023. It works similarly to Snowblind, redirecting the anti-tampering checks so they don’t detect the repackaged app.

Hackers use virtualization to install the repackaged and legitimate versions of the app on the same device, with a virtualized layer between them. This is the same concept that security teams use to separate work and personal apps on employee devices.

This virtual layer sits between the anti-tampering checks and the app itself and redirects the checks to the legitimate version of the app, ensuring the repackaged version goes undetected.

Read more: FjordPhantom: Promon discovers new security malware threat

The Promon view: How to end the cat-and-mouse game once and for all

By far the most effective way to safeguard your apps and devices is to detect and prevent the techniques that malware uses. This catches the effects of malware even if hackers break out of the app sandbox.

Here’s what some of these protections include:

  • Identifying accessibility services that are installed and enabled on the device and blocking their access to sensitive information.
  • Implementing strong anti-tampering detection that cannot easily be circumvented using seccomp or virtualization.
  • Detecting specific seccomp-related manipulations.
  • Adding further detections to identify when the app is running in a virtualized environment.
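As an added example of the last three items above, seccomp-related manipulation and virtualization detection (example code written for this article, not Promon’s own detection code), the class below reads the seccomp state the kernel reports for the process, compares it with a baseline the app records at start-up, and applies three app-virtualization heuristics. The expected paths, the baseline logic, the indicator wording and all names are assumptions made for the example; a real product combines many more signals and protects the checks themselves against hooking.

```java
import android.content.Context;
import android.os.Process;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative runtime-environment checks against third-generation techniques
 * (seccomp-based hooking and app virtualization). Added example, not Promon
 * SDK code; expected values and path patterns are heuristics/assumptions.
 */
public final class RuntimeEnvironmentCheck {

    /** Seccomp state as exposed by the kernel in /proc/self/status. */
    public static final class SeccompState {
        public final int mode;        // 0 = off, 1 = strict, 2 = filter
        public final int filterCount; // -1 when the kernel (pre-5.9) does not report it

        SeccompState(int mode, int filterCount) {
            this.mode = mode;
            this.filterCount = filterCount;
        }
    }

    /** Parses the "Seccomp:" and "Seccomp_filters:" lines of a status file. */
    static SeccompState parseSeccomp(List<String> statusLines) {
        int mode = 0, filters = -1;
        for (String line : statusLines) {
            if (line.startsWith("Seccomp_filters:")) {
                filters = Integer.parseInt(line.substring("Seccomp_filters:".length()).trim());
            } else if (line.startsWith("Seccomp:")) {
                mode = Integer.parseInt(line.substring("Seccomp:".length()).trim());
            }
        }
        return new SeccompState(mode, filters);
    }

    public static SeccompState readSeccomp() throws IOException {
        return parseSeccomp(readLines(new File("/proc/self/status")));
    }

    /**
     * Android's zygote installs its own seccomp filter for every app process
     * (Android 8+), so filter mode on its own is normal. What is unusual is an
     * ADDITIONAL filter appearing after the app started. Record the state early
     * (before any third-party native code is loaded) and compare later; the
     * baseline is therefore something the app records, not a constant.
     */
    public static boolean seccompLooksTampered(SeccompState now, SeccompState baseline) {
        if (now.filterCount >= 0 && baseline.filterCount >= 0) {
            return now.filterCount > baseline.filterCount;
        }
        return now.mode != baseline.mode;
    }

    /**
     * Virtualization heuristics. Inside an app-virtualization container the
     * guest app runs in the host app's process and data directory, so:
     *  - the process name in /proc/self/cmdline is not our package name;
     *  - our files directory is not the platform's per-app location;
     *  - code from another package's install or data directory is mapped in.
     * Returns the indicators found (empty list = nothing suspicious).
     */
    public static List<String> virtualizationIndicators(Context ctx) throws IOException {
        List<String> hits = new ArrayList<>();
        String pkg = ctx.getPackageName();

        List<String> cmd = readLines(new File("/proc/self/cmdline"));
        String proc = cmd.isEmpty() ? "" : cmd.get(0).split("\0")[0]; // NUL-separated argv
        if (!proc.equals(pkg) && !proc.startsWith(pkg + ":")) {       // ":name" = app sub-process
            hits.add("process name '" + proc + "' != package '" + pkg + "'");
        }

        String dataDir = ctx.getFilesDir().getCanonicalPath();
        if (!dataDir.startsWith("/data/user/" + userId() + "/" + pkg + "/")
                && !dataDir.startsWith("/data/data/" + pkg + "/")) {
            hits.add("files dir outside expected location: " + dataDir);
        }

        for (String map : readLines(new File("/proc/self/maps"))) {
            int slash = map.indexOf('/');
            String path = slash < 0 ? "" : map.substring(slash); // pathname column
            boolean appArea = path.startsWith("/data/app/") || path.startsWith("/data/data/")
                    || path.startsWith("/data/user/");
            boolean ours = path.contains("/" + pkg + "-") || path.contains("/" + pkg + "/");
            boolean code = path.endsWith(".so") || path.endsWith(".apk") || path.endsWith(".dex");
            if (appArea && !ours && code) {
                hits.add("foreign code mapped: " + path);
                break;
            }
        }
        return hits;
    }

    /** Android user id; UIDs are allocated per user in blocks of 100000. */
    private static int userId() {
        return Process.myUid() / 100000;
    }

    private static List<String> readLines(File f) throws IOException {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader(f))) {
            for (String line; (line = r.readLine()) != null; ) {
                lines.add(line);
            }
        }
        return lines;
    }

    private RuntimeEnvironmentCheck() {}
}
```

The seccomp comparison is deliberately relative rather than absolute: because the platform itself runs apps under a seccomp filter, “filter mode is on” tells you nothing, while “a filter was added after we took our baseline” is the signal the article describes. The `Seccomp_filters` line is only reported by Linux 5.9 and later kernels, so the code falls back to comparing the mode on older devices. The virtualization checks are heuristics a container can try to spoof, which is why they belong alongside anti-tampering that cannot be redirected, rather than in place of it.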

When combined with the other protections discussed in this blog, this helps you build an effective, layered defense against mobile malware.

To find out more about our approach to malware detection and how we can help you stop innovative threats like Snowblind and FjordPhantom, talk with one of our experts today.
