Threat actors have been trying to get malicious software onto desktops and mobile devices since the earliest days of technology. But despite its heritage, malware remains a pertinent security threat in 2025. In the last few years, our security teams and partners have seen a particular rise in mobile banking trojans—Snowblind and FjordPhantom.
For many mobile app vendors, developments like these raise questions about how to protect apps and sensitive information. Before we answer those, it is helpful to recap what this malware is trying to achieve and how it goes about it.
For all the innovation we’ve seen in recent years, the fundamental goal of most malware stays the same: to install software on your device that can get sensitive information off it. Generally, the software hackers try to install falls into one of the following categories:
But on mobile devices it is not as simple as just installing the malware, because mobile operating systems sandbox each app and limit the data it can access. Hackers get around these restrictions by:
Together, you can consider these techniques the first generation of mobile malware. Most modern malware still works by disabling the defenses mobile apps have built against it. This has created a cat-and-mouse game between mobile app security and the hackers trying to get past it. Here are some recent examples of this in practice:
In 2023, the GoldDigger banking trojan was discovered, targeting about 50 Vietnamese banking, e-wallet, and crypto wallet apps.
Like many mobile malware tools, it abused Android’s accessibility services to extract personal information and steal banking app credentials. The attack used fake websites that impersonated the Google Play store and various corporate websites to encourage users to download repackaged apps.
Customers of these legitimate organizations were targeted with links to fake websites as part of an organized phishing campaign.
In September 2024, McAfee researchers discovered SpyAgent. Like GoldDigger, it used fake apps posing as legitimate banking, government services, utilities, or TV streaming products.
The users were encouraged to download repackaged apps via a phishing attempt to steal their cryptocurrency mnemonic keys.
An interesting detail in this case was how the fake apps used loading screens, unexpected redirects, and blank screens to distract the user while they exfiltrated information.
Today, many straightforward and widely used protections can detect the techniques we discussed in the last section. While they can look as simple as detecting if accessibility services are enabled (and advising users not to input sensitive information while they are), they’re often quite effective.
As a result, hackers have developed new techniques which we can consider the second generation of mobile malware. These involve some combination of phishing, repackaging, and social engineering.
Their goal is to encourage you to download fake (or repackaged) versions of legitimate apps that do not have security defenses. Hackers use several techniques to convince you to download their repackaged app instead of the genuine version, including:
Despite the effort that goes into this, these attacks have been surprisingly prominent and effective in recent years, particularly in Southeast Asia.
While the second-generation techniques are still widely effective, they’re not foolproof. Mobile apps are increasingly being built with anti-repackaging defenses, including many of the techniques we use at Promon.
This has given rise to a new wave of third-generation malware techniques, including Snowblind and FjordPhantom, in which hackers disable security defenses by targeting the app's anti-tampering checks themselves. Both of these emerging malware techniques were discovered through a partnership between Promon and i-Sprint.
Snowblind was first discovered in Southeast Asia in 2024.
This technique misuses a Linux kernel feature called seccomp (secure computing mode), which lets a process restrict and filter the system calls it is allowed to make. It is designed as a security feature, but a filter installed by malicious code can just as well be used to aid an attack.
Snowblind adds an extra native library to the repackaged app that is loaded before the app's anti-tampering checks can run. It uses a seccomp filter to intercept the system calls those checks rely on and redirect them away from the tampered code, so the checks see nothing wrong and no red flags are raised.
From there, the repackaged app can be installed on your device and the malware can run.
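As an added illustration (this is not Promon's code, nor anything taken from Snowblind), here is a small C check that an app's native layer could run to ask the kernel whether a seccomp filter is attached to its own process, by reading the Seccomp and Seccomp_filters fields of /proc/self/status. One caveat a practitioner needs: Android itself applies a seccomp filter to every app process, so a nonzero mode on its own is not a tamper signal. The more useful signal is a filter count that has grown since a baseline recorded at first launch; the baseline value used here is a hypothetical placeholder, the sample status text is constructed, and the Seccomp_filters field is only present on kernels 5.9 and later.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the numeric value of a "Key:" line in /proc/<pid>/status text, or -1 if absent.
 * Fields used here:
 *   Seccomp:          0 = disabled, 1 = strict mode, 2 = filter mode
 *   Seccomp_filters:  number of filters attached to the process (kernel 5.9+)
 * "Seccomp" does not match the "Seccomp_filters" line because the character
 * after the key must be ':'. */
long parse_status_field(const char *status_text, const char *key) {
    size_t klen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            return strtol(line + klen + 1, NULL, 10); /* strtol skips the tab */
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

long parse_seccomp_mode(const char *status_text) {
    return parse_status_field(status_text, "Seccomp");
}

long parse_seccomp_filter_count(const char *status_text) {
    return parse_status_field(status_text, "Seccomp_filters");
}

/* Read /proc/self/status into buf; returns bytes read, or -1 if procfs is unavailable. */
static long read_self_status(char *buf, size_t cap) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Compare the live filter count with a baseline recorded earlier (hypothetically at
 * first launch, before any untrusted library could have loaded).
 * Returns 1 if an additional filter has been attached since the baseline, 0 if the
 * count is unchanged, and -1 if the information cannot be obtained. An uninspectable
 * process is reported as "unknown", never as "clean". */
int seccomp_filter_added_since(long baseline_filters) {
    char buf[8192];
    if (read_self_status(buf, sizeof buf) < 0) return -1;
    long now = parse_seccomp_filter_count(buf);
    if (now < 0 || baseline_filters < 0) return -1;
    return now > baseline_filters ? 1 : 0;
}

int main(void) {
    char buf[8192];
    if (read_self_status(buf, sizeof buf) < 0) {
        puts("/proc/self/status unavailable on this system");
        return 1;
    }
    printf("Seccomp mode: %ld, attached filters: %ld\n",
           parse_seccomp_mode(buf), parse_seccomp_filter_count(buf));
    return 0;
}
```

The check is deliberately read-only and reports "unknown" rather than "clean" when the kernel does not expose the field; a detection that silently passes on older kernels would give a false sense of safety. Like any in-app check it should be one signal among several, since the same interception the text describes can be aimed at the file reads this code performs.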
Read more: Beware of Snowblind: A new Android malware
FjordPhantom was also discovered in Southeast Asia, by Promon's partner i-Sprint, in 2023. It works similarly to Snowblind by redirecting anti-tampering checks so they don't detect the repackaged app.
Hackers use virtualization to ensure the repackaged and legitimate versions of the app are installed on the same device with a virtualized layer between them. It is the same concept that security teams use to separate work and personal apps on employee devices.
This virtual layer sits between the anti-tampering checks and the app itself to redirect the checks to the legitimate version of the app, ensuring the repackaged version is not detected.
Read more: FjordPhantom: Promon discovers new security malware threat
By far, the most effective way to safeguard your apps and devices is to detect and prevent the techniques that malware uses. This can detect the effects of malware even if hackers break out of the app sandbox.
Here’s what some of these protections include:
When combined with the other protections we discussed in this blog, this gives you an effective, layered defense against mobile malware.
To find out more about our approach to malware detection and how we can help you stop innovative threats like Snowblind and FjordPhantom, talk with one of our experts today.