What was the client facing, and why was it critical?
The bank identified a recurring criminal pattern: installing a malicious app on the customer's device was only a preparatory step, and the actual fraud sequence started some time later. After infection there was a period of apparent "silence" (from a few hours up to several days), and the fraudulent actions were often carried out at times of reduced user vigilance, typically late in the evening or at night.
Key challenges
- Malware variant volatility: new packages and hashes appeared constantly, so signature-only matching could not identify threats quickly or unambiguously.
- Attack as a sequence, not a single incident: infection → “silence” → fraud actions triggered later.
- A time window to leverage: the ability to detect risk signals on the device before an unauthorized transaction occurred.
- Need for an operational signal: information that could be used for protective actions before funds left the account.
What was implemented and how did it work in practice?
AntiMalware for Mobile was deployed inside the mobile app as a detection layer running on the customer's device. The integration was lightweight: the library was added to the app and protection was started by calling a single function that initializes the detection mechanisms. Built-in components, supported by an algorithmic backend, identified infection symptoms and assessed the risk context in real time. As a result, detection did not rely solely on known signatures; the library could also flag suspicious situations for new and modified variants.
What were the results and what changed operationally?
Dynamic detection moved the response point from "after the event" to earlier identification of risk on the customer's device, even when a variant was not yet present in signature databases. Device signals and anomaly analysis became practical inputs to the antifraud process, enabling faster and more selective protective actions. The bank could therefore make use of the "time window" between infection and the fraud attempt, reducing the number of cases in which the only actionable signal was a completed transaction or a customer complaint.
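To make the "time window" idea concrete, the following is an added example and not code from the original case study or from the AntiMalware for Mobile SDK (whose API is not shown on this page). It models the consuming side: an antifraud rule that takes device-level risk signals (including behavioural indicators with no signature match) and applies them to transactions requested later on the same device, inside a lookback window sized to the observed "silence" period, with an extra weight for off-hours requests. All field names, weights, thresholds and sample events are assumptions constructed for illustration.

```python
"""
Added example: correlating device-level risk signals with later
transactions on the same device. Not the vendor SDK; all formats,
weights, thresholds and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DeviceRiskSignal:
    device_id: str
    observed_at: datetime
    indicator: str          # constructed indicator name
    signature_match: bool   # True only if a known hash/signature matched


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    device_id: str
    requested_at: datetime


# The observed "silence" was hours to days, so a flagged device stays
# elevated for a week (assumed window).
LOOKBACK = timedelta(days=7)

# Hours treated as reduced-vigilance time (assumption): 23:00-05:59.
OFF_HOURS = {23, 0, 1, 2, 3, 4, 5}


def device_risk_score(signals, device_id, at, lookback=LOOKBACK):
    """Sum the weights of signals for one device observed in (at - lookback, at]."""
    score, reasons = 0, []
    for s in signals:
        if s.device_id != device_id:
            continue
        if not (at - lookback < s.observed_at <= at):
            continue
        # Behavioural indicators still count when no signature matched;
        # that is what lets the rule cover new or modified variants.
        score += 3 if s.signature_match else 2
        reasons.append(s.indicator)
    return score, reasons


def decide(tx, signals, block_at=4, step_up_at=2):
    """Return (action, score, reasons) for a transaction request."""
    score, reasons = device_risk_score(signals, tx.device_id, tx.requested_at)
    # Off-hours only amplifies risk that is already present on the device.
    if score and tx.requested_at.hour in OFF_HOURS:
        score += 1
        reasons.append("off_hours")
    if score >= block_at:
        return "block", score, reasons
    if score >= step_up_at:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample data.
SIGNALS = [
    DeviceRiskSignal("dev-A", datetime(2024, 3, 1, 21, 0), "unknown_package", False),
    DeviceRiskSignal("dev-A", datetime(2024, 3, 1, 21, 5), "accessibility_abuse", False),
    DeviceRiskSignal("dev-C", datetime(2024, 2, 15, 9, 0), "unknown_package", False),
    DeviceRiskSignal("dev-D", datetime(2024, 3, 3, 12, 0), "known_malware_hash", True),
]

TRANSACTIONS = [
    Transaction("tx-1", "dev-A", datetime(2024, 3, 3, 1, 30)),   # two nights after infection
    Transaction("tx-2", "dev-B", datetime(2024, 3, 3, 10, 0)),   # no signals at all
    Transaction("tx-3", "dev-C", datetime(2024, 3, 3, 10, 0)),   # signal older than the window
    Transaction("tx-4", "dev-D", datetime(2024, 3, 3, 14, 0)),   # signature hit, daytime
]


def run(transactions=TRANSACTIONS, signals=SIGNALS):
    """Map each transaction id to the action the rule takes."""
    return {tx.tx_id: decide(tx, signals)[0] for tx in transactions}


if __name__ == "__main__":
    for tx in TRANSACTIONS:
        print(tx.tx_id, *decide(tx, SIGNALS))
```

The point of the window check is that tx-1 is blocked although no signature ever matched on dev-A: two behavioural signals two days earlier, plus an off-hours request, are enough. tx-3 shows the cost of the same rule: a signal older than the lookback is ignored, so the window length is a tuning decision, not a constant.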
Post-implementation effects
- Earlier identification of malware risk on the customer device (including variants beyond signature databases).
- Better use of the "time window" between infection and fraud attempt, enabling preventive actions before the transaction.
- Faster and more selective antifraud actions enabled by an operational device-level risk signal (less reliance on post-incident handling).
- Higher effectiveness in campaigns with rapidly changing variants (new packages/hashes with the same attack pattern).
Want to learn the implementation details? Contact us.