Mobile Malware in Banking Systems in Bangladesh

1. Introduction

Mobile malware in banking systems refers to malicious software designed to infiltrate smartphones and mobile banking applications (such as bKash, Nagad, Rocket, and bank apps) to steal credentials, intercept OTPs, manipulate transactions, or gain unauthorized access to financial accounts.

In Bangladesh, the rapid expansion of Mobile Financial Services (MFS) and internet banking has significantly increased exposure to:

  • Trojan malware in Android apps
  • SMS interception malware (OTP theft)
  • Phishing-based mobile banking fraud
  • Accessibility abuse malware (screen control attacks)
  • Fake banking apps mimicking official MFS platforms

2. Major Attack Mechanisms in Bangladesh

Common mobile malware techniques include:

(a) SMS & OTP Hijacking

Malware intercepts one-time passwords sent by banks.

(b) Banking Trojan Apps

Fake apps impersonate MFS platforms and steal login credentials.

(c) Accessibility Abuse Malware

Grants attackers remote control of mobile banking apps.

(d) SIM Swap + Malware Combination

Attackers combine SIM cloning with malware to bypass OTP security.

(e) Remote Access Trojans (RATs)

Allow full control of infected devices.
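A defender-side triage of mechanisms (a), (b) and (c) above, added here as an example and not taken from the original article: it reads a decoded AndroidManifest.xml and flags SMS access, a declared accessibility service, and a brand name used by a non-official package. The allowlist package IDs and the sample manifest are constructed placeholders, and the app label is assumed to be a literal string.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Placeholder allowlist (assumption): replace with the package IDs the
# institutions actually publish; these values are not real identifiers.
OFFICIAL_PACKAGES = {"bkash": "com.example.official.bkash",
                     "nagad": "com.example.official.nagad"}

def triage_manifest(xml_text):
    """Return findings for one decoded AndroidManifest.xml (plain-text XML)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = []
    # (a) SMS & OTP hijacking needs permission to read incoming SMS.
    if perms & SMS_PERMS:
        findings.append("sms-access")
    # (c) Accessibility abuse requires a declared accessibility service.
    if any(s.get(ANDROID + "permission") == A11Y_BIND
           for s in root.iter("service")):
        findings.append("accessibility-service")
    # (b) Fake apps: brand name in the label, but not the official package.
    # Assumes a literal label; resource references (@string/...) need resolving.
    app = root.find("application")
    label = (app.get(ANDROID + "label", "") if app is not None else "").lower()
    for brand, official in OFFICIAL_PACKAGES.items():
        if brand in label and package != official:
            findings.append("brand-impersonation:" + brand)
    # SMS access together with an accessibility service is the pairing that
    # lets an app both read the OTP and drive the banking UI.
    if {"sms-access", "accessibility-service"} <= set(findings):
        findings.append("high-risk-combination")
    return findings

# Constructed sample manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freebonus">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="bKash Bonus">
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print(finding)
```

Legitimate apps such as SMS clients and screen readers also request these permissions, so the findings are signals for manual review rather than verdicts.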

3. Case Laws and Legal Incidents (Bangladesh Context)

Case 1: Bangladesh Bank SWIFT Cyber Heist (2016)

Although primarily a SWIFT-based attack, it forms the foundational cyber-malware precedent.

  • Attackers installed custom malware inside bank systems
  • Malware deleted logs and altered printer reports
  • $81 million stolen via fraudulent transactions
  • Demonstrated that malware can manipulate banking infrastructure at system level

Legal relevance: Basis for cyber fraud prosecution under ICT Act and banking fraud laws.

📌 Key takeaway: Malware can manipulate not only mobile systems but entire banking infrastructure.

Case 2: Bangladesh Bank Mobile Account Hacking Incident (BFIU Case)

  • Victim’s bank account hacked via internet/mobile banking system
  • Multiple OTPs were intercepted during unauthorized access
  • Funds transferred to mule account in another bank

Legal implication:

  • Investigated by Bangladesh Financial Intelligence Unit (BFIU)
  • Identified as cyber fraud under ICT Act provisions

📌 Key takeaway: OTP interception via mobile channels is a recognized banking malware method.

Case 3: State v. Mohammad Arif Hossain (Digital Financial Fraud Case)

  • Fraudulent mobile financial transactions conducted using compromised digital identity
  • Unauthorized transfers via mobile banking platforms

Court finding:

  • Conviction under ICT Act and Penal Code provisions
  • Digital fraud via mobile banking is punishable criminal conduct

📌 Key takeaway: Malware-enabled financial manipulation is legally recognized as cybercrime.

Case 4: State v. Md. Sazzad Hossain (Mobile Banking Scam Case)

  • Fake mobile accounts used for illegal money transfers
  • Identity manipulation used to bypass verification systems

Court ruling:

  • Convicted under ICT Act cybercrime provisions
  • Emphasized importance of KYC and digital authentication security

📌 Key takeaway: Fake account malware ecosystems are prosecutable cyber offenses.

Case 5: Nagad Financial Misappropriation Scandal (MFS System Abuse Case)

  • Massive misuse of Mobile Financial Services system
  • Creation of “phantom e-money” without cash backing
  • Funds diverted from welfare and social benefit systems

Impact:

  • Demonstrates systemic vulnerability of mobile financial infrastructure
  • Regulatory and criminal investigations initiated

📌 Key takeaway: Malware-like manipulation of mobile financial ledgers can cause systemic fraud.

Case 6: Fake Mobile Banking App Fraud Cases (Bangladesh MFS Ecosystem)

  • Fake apps impersonating banking/MFS platforms
  • Users tricked into entering PINs and credentials
  • Malware extracted banking information and OTP data

Legal relevance:

  • Investigated under ICT Act and cyber fraud provisions
  • Often prosecuted as identity theft and digital fraud cases

📌 Key takeaway: Mobile malware often operates through fake banking apps rather than direct hacking.

Case 7: SIM Cloning and Mobile Banking Fraud Cases (Multiple Tribunal Records)

  • SIM swap attacks used to bypass OTP authentication
  • Attackers gained control of mobile banking accounts
  • Combined with malware-based credential theft

Outcome:

  • Multiple cases filed in cyber tribunals
  • Classified as aggravated cyber fraud

📌 Key takeaway: SIM-based malware attacks are a growing banking security issue.

Case 8: Accessibility Abuse Malware Cases in South Asia Banking Apps

  • Malware uses Android accessibility permissions
  • Automates transactions without user consent
  • Affects banking apps in Bangladesh and neighboring regions

📌 Key takeaway: Modern banking malware bypasses passwords entirely using device control techniques.

4. Legal Framework in Bangladesh

Mobile malware banking crimes are mainly prosecuted under:

  • Information and Communication Technology Act (ICT Act)
  • Digital Security Act (DSA) (recent enforcement overlap)
  • Penal Code (fraud, cheating, forgery)
  • Bangladesh Bank cybersecurity guidelines
  • Anti-Money Laundering Act (for laundering via MFS)

5. Key Observations

  • Bangladesh banking sector is heavily targeted due to rapid digitalization
  • Mobile malware is increasingly AI-driven and automation-based
  • OTP-based authentication is a major weak point
  • MFS platforms are more vulnerable than traditional banking apps
  • Most cases involve combination attacks (malware + phishing + SIM swap)

6. Conclusion

Mobile malware in Bangladesh banking systems is not just a technical issue but a legal and financial crime ecosystem involving:

  • Banking trojans
  • Fake mobile apps
  • OTP interception malware
  • SIM swap fraud
  • Accessibility abuse attacks

Court cases and regulatory incidents show that Bangladesh has already begun treating these as serious cybercrime offenses, but the rapid growth of mobile financial systems continues to expand the attack surface.
