How modern banking trojans use credential theft, mobile device takeover and remote access to fuel account takeover, fraud and ransomware risk
Key takeaways
- Banking trojans are still widely used in 2026 but now operate as part of broader attack chains.
- Modern variants combine credential theft, remote access and device takeover capabilities.
- Mobile banking trojans are expanding quickly, shifting attacks closer to users and unmanaged devices.
- Threat actors are pairing familiar malware with newer lures, including AI-themed tools and social engineering.
- For SMBs, banking trojans are often the first step toward account takeover, fraud or ransomware.
What are banking trojans used for now?
Quick answer: Banking trojans are still active in 2026, but they have evolved from simple credential stealers into multi-stage tools used for account takeover, fraud, remote access, and ransomware preparation. Modern variants can target desktops, browsers, mobile devices, and cloud accounts, which makes them especially risky for SMBs and lean IT teams that need to protect users across multiple access points.
For years, banking trojans were easy to explain. They infected a device, captured login credentials and enabled financial fraud. That model still exists, but it no longer reflects how these threats operate today.
Modern banking trojans behave more like platforms than single-purpose malware. They’re designed to gain access, maintain control and enable follow-on activity. In many cases, they sit in the middle of a broader attack chain, connecting phishing and social engineering to account takeover, business email compromise or even ransomware.
They’ve also followed users. What started as a desktop threat has expanded to mobile devices, browser extensions and cloud-based applications. And while AI is changing how attacks are delivered, the underlying crimeware hasn’t gone away. It’s simply been repackaged and deployed more efficiently.
The result is a category of malware that still looks familiar on the surface but plays a much larger role in modern cybercrime. Let’s take a close look at three key examples.
How are Grandoreiro and BTMOB RAT changing cross-platform banking attacks?
Recent campaigns involving Grandoreiro, a long-running Windows banking trojan active since 2016, illustrate how traditional banking trojans continue to evolve rather than fade away.
It is still being used in 2026 to target financial institutions and users across Europe and Latin America. It is typically delivered through phishing and relies on techniques like DLL side-loading, in which a legitimate, often signed, executable is made to load a malicious DLL dropped alongside it, so the malicious code runs under the cover of a trusted process and slips past controls that trust the executable.
What stands out in recent activity is how it blends into normal traffic and behavior. The malware uses communication channels associated with legitimate services, including WebRTC, so its traffic is harder to distinguish from ordinary application traffic.
At the same time, campaigns are pairing desktop trojans with mobile-focused malware such as BTMOB RAT, an Android remote access trojan used to exfiltrate data and give attackers remote control of infected devices.
This combination reflects a broader shift. Instead of targeting a single endpoint, attackers are building cross-platform campaigns that follow users across devices, increasing the chances of successful account takeover and fraud.
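One place a lean team can catch the side-loading step described above is image-load telemetry. The following is an added example for this article, not Barracuda's code and not tied to any specific campaign: it scores Sysmon Event ID 7 (ImageLoad) records for the classic side-load layout, a DLL with a Windows system name loaded from outside the system directories, sitting next to its loading executable in a user-writable folder, and not validly signed. The event records are constructed to mimic the Sysmon `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields, and the DLL name list is an illustrative assumption, so treat both as starting points to tune against your own telemetry.

```python
"""Flag DLL side-loading candidates in Sysmon ImageLoad (Event ID 7) records.

Added example for this article, not Barracuda's code and not tied to any specific
campaign. The events below are constructed to mimic the Image / ImageLoaded /
Signed / SignatureStatus fields of Sysmon Event ID 7; the DLL name list is an
illustrative set of Windows DLL names commonly used as side-loading targets.
Both are assumptions: tune them to your own telemetry.
"""
import ntpath
import re

# Assumption: illustrative system DLL names that are popular side-loading targets.
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "dwmapi.dll"}

# Legitimate homes for those DLLs. Anything else is worth a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Paths a standard user can write to: an EXE dropped here next to a DLL is the
# classic layout used by phishing-delivered loaders.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I
)

# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {   # normal: system DLL loaded from System32 by a system process
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # side-load layout: dropped EXE loads an unsigned version.dll from the same temp dir
        "Image": r"C:\Users\alice\AppData\Local\Temp\Setup\updater.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Setup\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # normal: vendor app loading its own signed library from Program Files
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # side-load layout in Downloads with dbghelp.dll
        "Image": r"C:\Users\bob\Downloads\tool\tool.exe",
        "ImageLoaded": r"C:\Users\bob\Downloads\tool\dbghelp.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]


def score_image_load(event):
    """Return (score, reasons) for one ImageLoad event. A score of 0 means nothing to flag."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    reasons = []
    outside_system = not loaded.startswith(SYSTEM_DIRS)
    if ntpath.basename(loaded) in SIDELOAD_DLL_NAMES and outside_system:
        reasons.append(("system_dll_name_outside_system_dir", 2))
    if ntpath.dirname(loaded) == ntpath.dirname(image) and USER_WRITABLE.search(image):
        reasons.append(("exe_and_dll_together_in_user_writable_dir", 1))
    signed_ok = event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid"
    if outside_system and not signed_ok:
        reasons.append(("loaded_dll_not_validly_signed", 1))
    return sum(weight for _, weight in reasons), [name for name, _ in reasons]


def find_sideload_candidates(events, threshold=2):
    """Events scoring at or above the threshold, for triage or a SIEM correlation rule."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

The threshold of 2 means a single weak signal (an unsigned vendor DLL in Program Files, for instance) is not enough on its own; the system-DLL-name-outside-system-dir condition is the strong signal, and the other two raise confidence. A version of this check belongs in the SIEM as a correlation rule on Sysmon Event ID 7, with the name list extended from the side-loading pairs your EDR vendor publishes.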
Why are mobile banking trojans like Rokarolla more dangerous now?
If you want a clear picture of how far banking trojans have evolved, mobile malware provides it.
Rokarolla, a recently identified Android banking trojan, demonstrates how these threats have expanded well beyond credential theft. It targets hundreds of banking and cryptocurrency applications and is designed to take near-total control of an infected device.
Once installed, it uses overlay attacks, drawing a fake login page on top of the legitimate banking app so that everything the user types goes to the attacker. It can also intercept SMS messages, including one-time passcodes, which defeats SMS-based multi-factor authentication.
What’s changed is the level of control. Rokarolla can monitor user activity, manipulate device behavior and even block calls or alerts that might warn the victim about suspicious transactions.
This reflects a broader trend in mobile banking malware. The goal is no longer just to steal credentials and use them later, but to perform fraud directly on the device in real time, making detection significantly more difficult.
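The capabilities described above (overlays, SMS interception, call blocking, device control) all have to be declared in an Android app's manifest, which makes a decoded manifest a cheap first triage step for a sideloaded "security update". The following is an added example for this article, not Barracuda's code and not derived from Rokarolla or any other sample: it parses a decoded AndroidManifest.xml and reports whether the app combines UI control (the overlay permission or an accessibility service) with an authentication-bypass channel (SMS or call control). The two manifests are constructed, and the permission-to-capability mapping is an illustrative assumption; a real triage would also look at code and behaviour.

```python
"""Static triage of a decoded AndroidManifest.xml for banker-style capabilities.

Added example for this article; it is not Barracuda's code and is not derived
from Rokarolla or any other sample. The manifests below are constructed, and
the permission -> capability mapping is an illustrative assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumption: illustrative permission -> capability mapping.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},            # fake login pages over real apps
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},  # OTP theft
    "call_control": {"android.permission.ANSWER_PHONE_CALLS"},        # silencing the bank's call-back
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifests (not from any real APK).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <application android:label="Security Update">
    <service android:name=".UpdateService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"/>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the set of banker-relevant capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITIES.items() if requested & perms}
    # Accessibility is not a uses-permission: it is a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE. Bankers use it to read screen content, click
    # through permission prompts and drive the UI on the victim's behalf.
    if any(svc.get(PERM_ATTR) == ACCESSIBILITY_BIND for svc in root.iter("service")):
        caps.add("accessibility")
    return caps


def banker_risk(caps):
    """UI control (overlay or accessibility) plus an authentication-bypass channel is the pattern."""
    ui_control = caps & {"overlay", "accessibility"}
    auth_bypass = caps & {"sms_intercept", "call_control"}
    if ui_control and auth_bypass:
        return "high"
    if ui_control or auth_bypass:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, xml in (("fakeupdate", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        caps = triage_manifest(xml)
        print(name, sorted(caps), banker_risk(caps))
```

The manifest inside an APK is binary XML, so run this on the text manifest produced by a decoder such as apktool rather than on the raw file. A messaging app legitimately needs SMS permissions and a launcher may need the overlay permission, which is why the rule only goes to "high" when UI control and an authentication-bypass channel appear together; the user-facing equivalent is the training point later in this article about unexpected permission requests.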
Why are some banking trojans becoming harder to detect?
Not all modern banking malware follows the same model. Some variants are becoming more focused, stealthy and even partially human-driven.
UnregStealer, human-operated banking malware that targets browser sessions, highlights this shift. Disguised as a legitimate browser update, it tricks users into installing what appears to be a required security component.
Once active, it monitors browser sessions and targets specific banking sites. Instead of automatically executing its attack, it allows a human operator to observe activity and decide when to act, such as capturing session data or credentials during a live banking session.
This approach reduces the visibility of the attack. Because the malicious actions are triggered selectively, during a session the legitimate user has already authenticated, rather than automatically on every infection, there is little of the repetitive, high-volume behavior that automated detection systems are tuned to catch.
It also shows how banking trojans are moving toward more targeted, high-value attacks that focus on maximizing success rather than scale.
How can you reduce the risk from banking trojans?
Taken together, these examples point to a consistent pattern. Banking trojans are no longer standalone threats. They’re part of a larger ecosystem of tools used to gain access, maintain persistence and enable financial or follow-on attacks.
For lean IT teams, that has a few practical implications. First, you can’t treat these as isolated endpoint infections. A compromised device, whether it’s a laptop or a mobile phone, can quickly lead to account takeover or broader access to business systems.
Second, traditional detection approaches may miss them. These threats often rely on legitimate-looking behavior, user permissions and real-time interaction rather than obvious malicious activity.
Finally, the delivery methods continue to evolve. Phishing remains a primary entry point, but it’s increasingly paired with social engineering, messaging platforms and AI-themed lures designed to make attacks more convincing.
To reduce risk, prioritize phishing protection, identity monitoring, mobile device visibility, and user training, because banking trojans now move across email, endpoints, accounts, and mobile apps. A layered approach should include:
- Strong email and phishing protection to block initial access attempts
- Visibility into identity and account activity, especially for unusual behavior
- Coverage for mobile devices and unmanaged endpoints
- Ongoing user awareness around app downloads, permissions and “security updates”
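The "visibility into identity and account activity" bullet is worth making concrete, because it is the control that still works when the malware itself goes unnoticed. Stolen session cookies and operator-driven sessions both show up server-side as one authenticated session being used by a second client. The following is an added example for this article, not Barracuda's code: it reads constructed application log lines (one JSON object per line with `ts`, `user`, `session_id`, `src_ip`, `user_agent` and `action` fields, an assumption about the log schema) and raises an alert when a session established with MFA is used from a new IP and user agent within a short window of the original client's activity, with the severity raised when the second client performs a sensitive action.

```python
"""Detect one authenticated session being driven by two different clients.

Added example for this article, not Barracuda's code. It assumes an application
or identity log with one JSON object per line carrying ts, user, session_id,
src_ip, user_agent and action fields (an assumption about the log schema); the
log lines below are constructed. A session cookie used from a second client
fingerprint shortly after the first client's activity is what stolen-cookie
replay looks like from the server side.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that move money or change where it goes; a second client doing these is high severity.
SENSITIVE_ACTIONS = {"add_payee", "transfer", "change_contact_details"}

# Constructed log lines (not real data). Session s1 is hijacked after an MFA login;
# s2 changes network after a long gap, which is ordinary roaming; s3 is one client throughout.
SAMPLE_LOG = """
{"ts": "2026-02-10T09:00:00+00:00", "user": "alice", "session_id": "s1", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0", "action": "login_mfa_ok"}
{"ts": "2026-02-10T09:02:00+00:00", "user": "alice", "session_id": "s1", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0", "action": "view_balance"}
{"ts": "2026-02-10T09:05:00+00:00", "user": "alice", "session_id": "s1", "src_ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0", "action": "view_balance"}
{"ts": "2026-02-10T09:06:00+00:00", "user": "alice", "session_id": "s1", "src_ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0", "action": "add_payee"}
{"ts": "2026-02-10T09:07:00+00:00", "user": "alice", "session_id": "s1", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0", "action": "view_balance"}
{"ts": "2026-02-10T09:08:00+00:00", "user": "alice", "session_id": "s1", "src_ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0", "action": "transfer"}
{"ts": "2026-02-10T08:00:00+00:00", "user": "bob", "session_id": "s2", "src_ip": "192.0.2.5", "user_agent": "Mozilla/5.0 (iPhone) Safari/17.0", "action": "login_mfa_ok"}
{"ts": "2026-02-10T11:30:00+00:00", "user": "bob", "session_id": "s2", "src_ip": "192.0.2.99", "user_agent": "Mozilla/5.0 (iPhone) Safari/17.0", "action": "view_balance"}
{"ts": "2026-02-10T10:00:00+00:00", "user": "carol", "session_id": "s3", "src_ip": "203.0.113.200", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/122.0", "action": "login_mfa_ok"}
{"ts": "2026-02-10T10:01:00+00:00", "user": "carol", "session_id": "s3", "src_ip": "203.0.113.200", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/122.0", "action": "view_balance"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _fingerprint(ev):
    return (ev["src_ip"], ev["user_agent"])


def find_shared_sessions(events, window=timedelta(minutes=30)):
    """One alert per (session, new client) when a session is used by a client
    fingerprint it was not established with, within `window` of activity by another client."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])          # ISO timestamps with a fixed offset sort correctly
        seen = {_fingerprint(evs[0])}
        prev = evs[0]
        for cur in evs[1:]:
            fp = _fingerprint(cur)
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if fp not in seen and gap <= window:
                actions = {e["action"] for e in evs if _fingerprint(e) == fp}
                alerts.append({
                    "session_id": sid,
                    "user": cur["user"],
                    "original_client": _fingerprint(evs[0]),
                    "new_client": fp,
                    "first_seen": cur["ts"],
                    "severity": "high" if actions & SENSITIVE_ACTIONS else "medium",
                })
            seen.add(fp)                          # a fingerprint only alerts once per session
            prev = cur
    return alerts


if __name__ == "__main__":
    for alert in find_shared_sessions(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats a practitioner should keep in mind. First, the window is what separates cookie replay from ordinary roaming: a new IP three hours after the last request is a phone changing networks, the same change three minutes later is not, so tune it to your session lifetimes. Second, this check only sees a fingerprint change; an operator who drives the victim's own browser, as the UnregStealer description above suggests, produces no new fingerprint, so the sensitive-action logic needs to be paired with behavioral baselines (new payee, first transfer to a new account, unusual amount) rather than relied on alone.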
This is also where a layered approach becomes critical. Platforms like Barracuda Email Protection and Barracuda Managed XDR are designed to identify suspicious messages early, correlate activity across users and endpoints, and surface behavior that looks legitimate on the surface but isn’t. That kind of visibility is important when you’re dealing with threats that increasingly rely on user interaction and account access rather than obvious malware signatures.
Banking trojans may not dominate headlines in the same way as AI-driven attacks, but they continue to play a central role in real-world compromise. Understanding how they’ve evolved helps you recognize where attacks actually start and how to stop them before they escalate.
FAQ: Banking trojans in 2026
Are banking trojans still a threat in 2026? Yes. Banking trojans remain active because they still help attackers steal credentials, hijack sessions, take over accounts, and support financial fraud. What has changed is their role in broader attack chains that can lead to business email compromise, ransomware or other follow-on attacks.
Why are mobile banking trojans more dangerous now? Mobile banking trojans can abuse device permissions, display fake login screens, intercept SMS codes and monitor activity across apps. That gives attackers a way to steal credentials and complete fraudulent transactions directly from a trusted user device.
How do banking trojans bypass MFA? Some banking trojans steal session cookies, intercept one-time passcodes or take over the device used to approve a transaction. Others rely on real-time operator control, which lets an attacker act while the legitimate user is already signed in. Phishing-resistant factors such as FIDO2 security keys or passkeys remove the SMS-interception path, but they do not help once the attacker already holds a valid session cookie or can drive the approval from the compromised device, which is why session and account monitoring still matter.
What should organizations and security teams do to defend against banking trojans? Focus on blocking phishing, monitoring unusual account activity, protecting mobile devices, and training users to avoid fake updates, sideloaded apps and unexpected permission requests. These controls help reduce the chance that one infected device becomes a larger business compromise.