2025 Mobile Channel Security Trends
Ivan Kinash
CEO, Co-founder of Licel - Powerful in-app protection/RASP/vTEE solutions and real-time threat tracking for Android, iOS and Java platforms. jCardSim - de facto standard for Java Card applet development and testing.
Technology trends move so quickly nowadays that it can be hard to detect when events are likely to converge to create lasting change.
Yet sometimes the clouds clear just long enough for us to make out some concrete shapes.
As I sit writing these words in the final weeks of 2024, I’m reflecting on some of the themes I’ve noticed happening in parallel this year. And it feels like a trend is emerging out in the distance:
Mobile banking and mobile wallets are gaining more and more traction around the world, with unique flavours and sets of challenges that reflect local cultures and states of technology; mobile ID projects are being planned and implemented around the world (spoiler: nobody invited real field security to the planning sessions); Apple is being forced to open up its walled garden ecosystem; the integrity of AI entities is being tested; and bad actors are using a combination of eKYC bypass, social engineering, and remote access tools (plus dangerous forms of malware) to carry out mobile banking fraud.
In the following paragraphs, I’ll explain how these seemingly unique trends are actually related to one another. I’ll explore what they mean for mobile security. And I’ll update you on what we’ve been doing here at Licel to keep the mobile channel safe this year, next year, and beyond.
A couple of months ago we carried out a mini research project using data from our threat intelligence solution, Alice. We wanted to understand (and visualize) how malware can spread across a country in a matter of days. We chose to focus on India, a dynamic landscape for mobile development.
The results were fascinating and reinforced that, much like a biological virus, malware can easily infiltrate and multiply without adequate defenses. Indeed, the animation below of how the malware we examined spread across India brings to mind the Covid-19 infographics that were a daily part of our lives three or four years ago.
Malware has become a persistent threat for mobile applications across a range of different industries, but mobile banking is the primary target. Some malware is designed specifically to whir into action once a mobile banking app has been opened on a user’s device. Once the payload is operational, malware can exploit in-built features like Android’s Accessibility Services. Well-meaning tools like this, which exist to make smartphones easy to use for everybody, can end up enabling bad actors to share fake screens and trick people into giving away their credentials and sensitive, personal information.
Remote Access Tools (RATs) can also allow attackers to access even more of a user’s device and can facilitate the malware spreading to a victim’s contacts.
According to GSMA, there are currently 1.75 billion mobile money accounts out there, processing about $2.7 million per minute. So, the incentives for cybercriminals are obvious, and there are still plenty of mobile banking apps out there with insufficient means to protect themselves.
Malware isn’t the only risk facing these apps, either. eKYC bypass and account takeovers are becoming the primary mechanisms to commit fraud and are a major headache for banks when onboarding new clients. Fraudsters abuse the verification process using stolen or counterfeit documents to open accounts, apply for loans, and obtain credit.
Banks are losing vast quantities of time and money due to this fraudulent activity – not to mention the substantial investments they’re making in liveness checks.
The increasing sophistication of AI models is helping to make both malware and eKYC attacks more convincing, and more scalable. In the case of eKYC fraud, it is helping attackers to create deepfakes to trick liveness checks, while in the case of malware, it is making social engineering more believable. Bad actors are skilled at understanding the emotional cues most likely to resonate with us. They know our weaknesses. They know our mental traps.
Exploiting these mental traps helps to explain how the Indian malware variant above was able to spread so quickly until there was barely a town or city in the country that it hadn’t touched.
AI is evolving so quickly that it’s tough to keep up. Just a few days ago I read about a project where over a thousand individuals were interviewed in depth about their beliefs and values. Their opinions were then fed into a large language model which essentially created digital AI agents based on each of the interviewees. These digital replicants can now answer questions 85% as accurately as the original human respondents.
Clearly there are a lot of potential benefits from projects such as this one. But AI advancements can also be used for more nefarious ends and those of us working in cybersecurity need to be prepared for what’s coming over the horizon.
The integrity of AI entities will need to be checked meticulously from now onwards. And indeed we might soon need to have open conversations about how to define users. Can users only be human? Or might AI entities soon be able to (or at least attempt to) open digital accounts, too?
Another piece of news to grab my attention in recent days was the announcement that Vipps, the Nordic mobile wallet, had launched a competitor to Apple Pay on iPhone.
Last summer we wrote about the push in the EU for Apple to open up its famous walled garden ecosystem with a view to making the digital landscape more competitive. But we also cautioned that bad actors are highly skilled at exploiting legislation like this that might, in the short term at least, put end users in a more perilous position.
What’s good for competition isn’t always what’s good for security. For every legitimate app developer keen to sell their mobile game outside the Apple App Store – perhaps on their own website or on a third-party app store – there’s a bad actor tricking end users into downloading their bogus application laced with malware. And as we mentioned earlier, thanks to AI, it’s a lot easier for them to look like the real deal.
It’s clear that there will likely be many more mobile wallets like Vipps emerging in the coming months and years. And this is indeed a good thing for consumers. But it also highlights a pressing need for the most advanced security to protect sensitive mobile transactions and operations. Challenger wallets will only succeed and grow if they prioritize security. Otherwise they’ll find it impossible to obtain and then keep the trust of their users.
This is also true of Mobile ID initiatives around the world, where governments are keen to digitize identification, bringing documents like passports onto mobile wallets on your phone.
Mobile ID has the potential to transform the way that we access services in the digital world, as well as driving economic growth and opening up the digital economy to those who may not previously have had access to it.
However, security needs to be prioritized if citizens are going to buy into these projects. They need to be as easily accessible as possible, and as safe as possible. And right now it feels like there aren’t enough conversations happening about how to secure mobile ID solutions to the same stringent levels demanded by mobile payment regulations.
At Licel, we’ve spent 2024 doing what we’ve been doing for the preceding 12 years: working hard to make sure we’re offering the highest-quality solutions on the market to solve some of the most pressing security challenges app developers are facing.
This includes refining our industry-leading anti-malware offering that leverages both DexProtector and Alice Threat Intelligence. It provides apps with integrated malware and Potentially Harmful App detection capabilities, such as checks for known malware signatures and flags for potential malware interference. Our solutions also stop screen capture, screen sharing, and screen recording. And they prevent apps from running on a device that has been infected.
We’ve also been hard at work to stop eKYC fraud by preventing deepfakes and image injection spoofing for ID verification, as well as stopping fraudsters from using outdated, insecure, or tampered-with versions of applications to evade security controls.
But the achievement that makes me most proud this year is having our Virtual Trusted Execution Environment (vTEE) evaluated and approved by EMVCo for both platforms: Android and iOS.
Our groundbreaking vTEE provides peace of mind for innovative players in the mobile wallet, SoftPOS, and ID industries. Its secure environment enables ultra-sensitive, business-critical operations and transactions to take place safely.
The upshot of this advanced security is that developers can use Trusted Applications for both Android and iOS and get on with doing what they do best, safe in the knowledge that their app is protected.
Have any of the trends I’ve covered here resonated with you? If so, please do add a comment below or reach out to me here on LinkedIn.