
Mobile App Malware Protection for Banking and Payment Applications

Mobile malware has evolved into a structural risk for banking and wallet apps. It has helped attackers scale already-growing threats such as eKYC fraud, payment fraud, and account takeover.

Simply scanning for malicious apps isn’t enough. Mitigating malware’s impact requires a multi-layered defense: runtime integrity, resistant execution, and trusted signals that enable risk-based decision making.


Backend fraud systems can’t see the full picture

The presence of malware isn’t always obvious to the server. Even when a device’s environment is compromised, the device fingerprint, OTP, biometrics, and API requests can still appear valid and pass every backend check. We see this happen frequently around the world.

Modern mobile banking trojans and remote access tools have evolved: they no longer need to break authentication flows. Instead they operate inside legitimate sessions, observing inputs, manipulating flows, replaying data, or redirecting transactions, all while appearing completely legitimate to the backend.

This reality helps to explain the importance of runtime integrity as a prerequisite for malware detection and prevention. Without it, fraud engines might be deceived.


Prevention: reducing malware’s leverage at runtime

The best place to start to mitigate malware is inside the app itself. Here at Licel, DexProtector enforces runtime integrity controls, making it much more difficult for malware to:

  • Instrument application logic
  • Hook security functions
  • Inject code
  • Run in emulated or virtualized environments
  • Carry out overlay attacks and screen capture
  • Repackage or modify the app binary

Mechanisms capable of detecting rooted and jailbroken devices and custom firmware reduce malware’s exposure still further.

Much of the threat of mobile malware comes from the inability of the app to defend itself in the first place. When malware’s leverage of instrumenting or manipulating app behavior is removed, its impact is greatly constrained.

Detection: identifying potentially harmful applications

Prevention should be complemented by intelligent detection. That’s where Alice Threat Intelligence comes in, via its:

  • Embedded malware and potentially harmful app database
  • Over-the-air (OTA) database updates
  • Customizable categorization and enforcement policies
  • Reporting of malware detection events

Importantly, Alice’s detection signals can be trusted because they’ve already been tamper-proofed by DexProtector. This reduces the risk of attackers spoofing or bypassing detection logic. 

Depending on your needs, you can define policy-based responses to specific malware strains, including preventing the app from running when particular threat categories are detected.

Intelligence at scale: from detection to decision

The tamper-proof signals that Alice shares enable SOC teams and fraud engines to make sophisticated and nuanced decisions about threats to an application. They can:

  • Enrich fraud scoring systems
  • Trigger step-up authentication
  • Delay high-value transactions
  • Investigate emerging malware campaigns
  • Perform forensic analysis
  • Feed SIEMs through automatic integrations (Google SecOps, Microsoft Sentinel, Splunk Cloud)

Because individual security events include data such as install, session, and device ID, they can enable end-to-end tracking and behavioral analysis, which means it’s possible to make risk-based decisions rather than carrying out blanket lockouts. 
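The graded, risk-based decision described above, as an added illustration that is not part of the original page or of Alice’s own code. The event fields, category names, weights, thresholds and lookback window are constructed assumptions; the point is that detections are correlated per device across sessions and mapped to block, step-up, delay or allow rather than a blanket lockout.

```python
from dataclasses import dataclass, field

# Constructed sample detection events in the shape this page describes
# (install, session and device identifiers plus a threat category). Field
# names and categories are assumptions, not Alice's real event schema.
SAMPLE_EVENTS = [
    {"ts": 100, "install_id": "i-1", "session_id": "s-1", "device_id": "d-A", "category": "banking_trojan"},
    {"ts": 200, "install_id": "i-2", "session_id": "s-7", "device_id": "d-B", "category": "pua"},
    {"ts": 300, "install_id": "i-3", "session_id": "s-9", "device_id": "d-C", "category": "remote_access_tool"},
]

# Hypothetical enforcement policy: a weight per category, a lookback window
# within which a detection still counts, and score thresholds per action.
CATEGORY_WEIGHT = {"banking_trojan": 90, "remote_access_tool": 60, "pua": 25}
DEFAULT_WEIGHT = 10          # unknown category: noted, but not acted on strongly
LOOKBACK_SECONDS = 3600
BLOCK_AT, STEP_UP_AT = 60, 20
HIGH_VALUE = 1000

@dataclass
class Decision:
    action: str                      # "allow" | "step_up" | "delay" | "block"
    score: float
    reasons: list = field(default_factory=list)

def malware_risk_score(events, device_id, session_id, now):
    """Sum weighted detections for this device. A hit in the current session
    counts in full; a hit from an earlier session on the same device decays
    linearly with age, so device-level history still informs the decision."""
    score, reasons = 0.0, []
    for e in events:
        if e["device_id"] != device_id:
            continue
        age = now - e["ts"]
        if age < 0 or age > LOOKBACK_SECONDS:
            continue
        factor = 1.0 if e["session_id"] == session_id else 1.0 - age / LOOKBACK_SECONDS
        score += CATEGORY_WEIGHT.get(e["category"], DEFAULT_WEIGHT) * factor
        reasons.append(f'{e["category"]}@{e["session_id"]}')
    return score, reasons

def risk_decision(events, device_id, session_id, amount, now):
    """Map the score to a graded response instead of a blanket lockout:
    block on strong evidence, otherwise step up (or delay a high-value
    transaction), and allow when nothing relevant was seen."""
    score, reasons = malware_risk_score(events, device_id, session_id, now)
    if score >= BLOCK_AT:
        return Decision("block", score, reasons)
    if score >= STEP_UP_AT:
        return Decision("delay" if amount >= HIGH_VALUE else "step_up", score, reasons)
    return Decision("allow", score, reasons)
```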

Are certain malware strains more prevalent? How are they distributed geographically? Do they correlate with suspicious transaction behavior? Being able to answer these questions is a game changer when it comes to managing the risk of malware operationally. 

Low-quality data streams are noisy. They not only generate large numbers of false positives, but also drive spending on traffic, compute, and storage. The best threat intelligence solutions are quiet; they eliminate unnecessary spending that in some cases can reach millions of dollars.

Isolation: additional protection for high-assurance environments

Mobile wallets, SoftPOS solutions, and Digital ID apps are strictly regulated, and must make it an absolute priority to prevent any leakage of cryptographic keys and the sensitive data they protect.

The Licel vTEE provides a secure and trusted execution environment for the secure storage of cryptographic material and cryptographic calculations. That means that even in the case of a device being compromised, critical cryptographic processes remain protected.

DexProtector is an EMVCo-certified no-code security solution for Android and iOS applications and libraries.

A post-build protection tool, DexProtector is deployed fully on-premises and offline, and is easily integrated into the mobile application build process. It has been EMVCo SBMP evaluated and approved for six consecutive years.

DexProtector comprehensively secures the app through obfuscation, encryption, and Runtime Application Self-Protection (RASP), automatically integrating a range of runtime components to prevent and mitigate reverse engineering, tampering, data theft, and fraud.


The Licel vTEE is a secure environment for trusted applications to perform sensitive transactions and operations.

With greater flexibility and faster time-to-market compared to hardware TEEs, it removes dependencies on specific OEM hardware. The upshot of this is a high, uniform level of security that can be deployed across your entire user base (and a wide range of Android and iOS devices). This consistency is crucial for security and simplifies the compliance process.


Alice is a mobile app telemetry solution that provides visibility into what’s happening on end user devices. Its tamper-proof intelligence enables SOC teams to make smarter security decisions.

Alice’s trusted signals are vital weapons in mobile fraud detection and prevention. It identifies infected or high-risk devices in time to act, tracks suspicious behavior, enhances fraud scoring systems, and improves your wider security posture.


Compliance considerations

Modern mobile security standards assume resilience against malware. Regulations such as:

  • EMVCo SBMP
  • PCI MPoC
  • OWASP MASVS
  • MAS TRM (Singapore)
  • RBI Digital Payment Security Controls (India)
  • GLBA Safeguards Rule (USA)
  • HKMA (Hong Kong)
  • Circular-50-2024-TT-NHNN/77-2025-TT-NHNN (Vietnam)

all emphasise protection against runtime tampering, malware interference, and hostile execution environments. Mobile malware protection is no longer a secondary control, but rather a foundational regulatory requirement, especially in the banking and payments sectors.


Protecting trust in hostile environments

Mobile malware is an operational reality in high-risk sectors. Effective mitigation requires multi-layered assurance in the shape of:

  • Runtime integrity enforcement
  • Resistant execution
  • Isolated protection for critical operations
  • Trusted sensors and monitoring
  • Structured threat telemetry
  • Intelligent detection

Together, these controls work to preserve trust in environments where compromise is increasingly commonplace.
