The Silent Alarm on Mobile Banking Apps Went Off
The most famous example of a third-party software supply chain attack to date is SolarWinds, where nation-state attackers inserted malicious code into an automated update and thereby gained access to the networks, systems, and data of thousands of downstream customers, including the US government.
It’s not getting any better. According to the latest report from the Identity Theft Resource Center (ITRC), over 200 million individuals were affected by supply chain attacks in 2024 (a massive increase from only about 10 million victims in 2022). ITRC research also highlights that Financial Services (led by commercial banks and insurance) was the most breached industry last year.
AI-powered DevSecOps Introduces New Problems
Without effective human oversight, mobile application dependencies become opaque. Generative artificial intelligence (GenAI) tools are increasingly used to automate and accelerate mobile app development cycles. While “agentic AI” may be the latest buzzword for business value, some typical mistakes that AI makes in DevOps coding include:
- Generating hardcoded secrets in code
- Misconfiguring Infrastructure-as-Code (IaC) with open permissions
- Overlooking secure CI/CD pipeline configurations
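Two of the mistakes in the list above, hardcoded secrets and open IaC permissions, are cheap to catch before code is merged. The following is an added example, not code from the original article: a small pre-commit style scanner over a couple of constructed files (a Python config module and a Terraform fragment, both invented for this illustration) that flags credential-named string literals, an AWS access-key-id literal, world-open ingress rules and public bucket ACLs. The file contents and the rule set are assumptions; a real deployment would extend the rules and run the scan in the CI pipeline.

```python
"""Added example (not from the original article): a pre-commit style scanner for
hardcoded secrets and over-permissive Infrastructure-as-Code. Sample files below
are constructed for the illustration."""
import re

# Constructed sample files, the kind of output a coding assistant might emit
# for a mobile banking backend. Values are placeholders, not real credentials.
SAMPLE_FILES = {
    "app/config.py": (
        'API_BASE = "https://api.example.invalid/v1"\n'
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"\n'
        'DB_PASSWORD = "hunter2hunter2hunter2"\n'
        'db_password = os.environ["DB_PASSWORD"]\n'   # correct: read from env
    ),
    "infra/main.tf": (
        'resource "aws_security_group" "api" {\n'
        '  ingress {\n'
        '    from_port   = 22\n'
        '    to_port     = 22\n'
        '    cidr_blocks = ["0.0.0.0/0"]\n'
        '  }\n'
        '}\n'
        'resource "aws_s3_bucket_acl" "logs" {\n'
        '  acl = "public-read"\n'
        '}\n'
    ),
}

# Credential-named assignment with a string literal of 8+ chars on the right.
# An assignment that reads from the environment has no literal and is skipped.
SECRET_ASSIGN = re.compile(
    r'(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api_?key|access_key)'
    r'[A-Z0-9_]*)\s*=\s*["\']([^"\']{8,})["\']'
)
# AWS access key ids carry a fixed "AKIA" prefix followed by 16 characters.
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')

# IaC rules: ingress open to the whole Internet, and public bucket ACLs.
IAC_RULES = [
    (re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"'), "ingress open to 0.0.0.0/0"),
    (re.compile(r'acl\s*=\s*"public-read(?:-write)?"'), "public bucket ACL"),
]


def scan_text(path, text):
    """Return (path, line number, message) for every rule hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((path, lineno, f"hardcoded secret in {m.group(1)}"))
        if AWS_KEY_ID.search(line):
            findings.append((path, lineno, "AWS access key id literal"))
        for rx, msg in IAC_RULES:
            if rx.search(line):
                findings.append((path, lineno, msg))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; an empty result means the commit may proceed."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, msg in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {msg}")
```

Line 4 of the config file is the correct pattern (the secret comes from the environment) and produces no finding, so the scanner distinguishes a literal from a reference; line 2 produces two findings because both the variable name and the value format give it away.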
Researchers tracked and examined 439 AI-related common vulnerabilities and exposures (CVEs) in 2024, identifying a staggering 1025% year-over-year increase. Nearly all (99%) of these were API-related, including misconfigurations, injection flaws, and new memory corruption vulnerabilities.
Use of large language models (LLMs) in mobile application development may also be unintentionally delivering malicious open-source code. A recently published university study notes that the high use of popular programming languages (e.g., Python, JavaScript, etc.) in centralized package repositories and open-source software, combined with the emergence of code-generating LLMs, creates a new type of threat to the software supply chain: package hallucinations. The researchers note, “These hallucinations, which arise from fact-conflicting errors when generating code using LLMs, represent a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain.”
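The defensive counterpart to package hallucination is a gate that refuses any dependency name not present in an approved index before the installer ever contacts a public registry. The block below is an added example, not part of the study or the article: it parses a requirements list, normalizes names the way Python package indexes do (lowercase, runs of `-`, `_` and `.` collapsed to `-`), rejects names missing from an allowlist, and reports the nearest approved name with its edit distance so a reviewer can see whether the rejected name looks like a confusion with a real package. The allowlist and the requirements text are constructed samples; in practice the allowlist would be the organization's private mirror or lockfile.

```python
"""Added example (not from the original article): a pre-install gate that
rejects dependency names absent from an approved index. Allowlist and
requirements below are constructed samples."""
import re

# Constructed allowlist standing in for an organisation's private package mirror.
APPROVED_INDEX = {"requests", "cryptography", "pyjwt", "django", "boto3"}

# Constructed requirements as a coding assistant might emit them; the third
# name is invented and does not exist in the allowlist.
REQUIREMENTS = """\
requests==2.32.3
PyJWT>=2.8
django-secure-auth-helper==1.0.0   # plausible-sounding, not in the index
cryptography
"""


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the bare project names from a requirements-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def edit_distance(a, b):
    """Levenshtein distance, used only to explain a rejection to the reviewer."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def gate(requirements_text, approved):
    """Return [(rejected name, nearest approved name, distance)]; empty means install may proceed."""
    approved_norm = {normalize(n) for n in approved}
    rejected = []
    for raw in parse_requirements(requirements_text):
        n = normalize(raw)
        if n in approved_norm:
            continue
        nearest = min(sorted(approved_norm), key=lambda k: edit_distance(n, k))
        rejected.append((raw, nearest, edit_distance(n, nearest)))
    return rejected


if __name__ == "__main__":
    for raw, nearest, dist in gate(REQUIREMENTS, APPROVED_INDEX):
        print(f"REJECT {raw!r}: not in approved index (nearest: {nearest!r}, distance {dist})")
```

Running the gate in CI before `pip install` turns a hallucinated name into a failed build rather than a registry lookup, which is the point at which an attacker who has pre-registered that name would otherwise win.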
AI-based tools used for automated mobile application security testing introduce a different set of challenges. AI models have been observed to generate low-quality “slop” vulnerability reports for open source code. These cost organizations precious time and money to investigate while diverting limited human analyst resources from other potentially critical remediation efforts.
As Mobile Threats Multiply, Other Risks Add Up
On top of the potential code-based weaknesses that occur when DevOps teams prioritize speed over security, mobile banking applications remain a highly profitable focal point for malicious actors. Fraud against banks and their customers is on the rise, according to a February 2025 report from PYMNTS Intelligence, with 87% of institutions claiming increases in stolen or falsified credentials over the past year.
Android threats targeting banking apps and cryptocurrency wallets grew by 20% in the second half of 2024. More specifically, the number of Trojan banker malware attacks on Android smartphones (designed to steal user credentials for online banking, e-payment services, and credit card systems) surged by 196% in 2024.
Besides upfront financial losses, there are also compounding risks of a successful mobile app attack. These include service downtime, reputational impact on the institution’s brand, litigation costs, and potential penalties for violating increasingly strict industry regulations. Examples include:
- The European Union’s Payment Services Directive 3 (PSD3) regulations cover e-payment services, customer experience, and retention. Organizations that fail to meet PSD3 data protection requirements can face fines as well as potential license removal.
- In the US, the Gramm-Leach-Bliley Act (GLBA) requires protections of customer data and systems that extend to mobile banking applications. Non-compliance can bring fines of up to $100K per violation.
- The Reserve Bank of India (RBI) maintains comprehensive cybersecurity requirements for digital payment applications (including banks). Failure to comply with their customer protection guidelines can result in monetary penalties.
- The Monetary Authority of Singapore (MAS) maintains specific regulations addressing technology risk management for banks, including mobile-specific security requirements. MAS can take a range of enforcement actions, including reprimands, composition penalties, prohibition orders, civil penalties, and even referring a case for criminal prosecution.