Virtualization-based Penetration Testing Study for Detecting Accessibility Abuse Vulnerabilities in Banking Apps in East and Southeast Asia

📅 2026-01-29
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
This study addresses the growing threat of financial data breaches in East and Southeast Asian banking applications caused by malicious abuse of accessibility services, exemplified by the FjordPhantom trojan. Existing defenses struggle to counter stealthy attacks leveraging virtualization and hooking techniques. To bridge this gap, this work presents the first systematic empirical analysis of FjordPhantom's attack vectors and defensive blind spots in real-world banking apps, introducing a novel vulnerability identification framework that integrates virtualization environment detection with behavioral analysis of accessibility services. Through dynamic hook monitoring, virtualization detection, and penetration testing, the study exposes severe vulnerabilities in multiple mainstream banking applications and demonstrates that the proposed approach effectively identifies such flaws, substantially enhancing defense capabilities against these sophisticated threats.

📝 Abstract
Android banking applications have revolutionized financial management by allowing users to perform various financial activities through mobile devices. However, this convenience has attracted cybercriminals who exploit security vulnerabilities to access sensitive financial data. FjordPhantom, a malware identified by our industry collaborator, uses virtualization and hooking to bypass the detection of malicious accessibility services, allowing it to conduct keylogging, screen scraping, and unauthorized data access. This malware primarily affects banking and finance apps across the East and Southeast Asia region, where our industry partner's clients are primarily based. It requires users to be deceived into installing a secondary malicious component and activating a malicious accessibility service. In this work, we conducted an empirical study on the susceptibility of banking apps in the region to FjordPhantom, analyzed the effectiveness of protective measures currently implemented in those apps, and discussed ways to detect and prevent such attacks by identifying and mitigating the vulnerabilities exploited by this malware.
Problem

Research questions and friction points this paper is trying to address.

accessibility abuse
banking apps
Android security
virtualization-based attacks
malware
Innovation

Methods, ideas, or system contributions that make the work stand out.

virtualization-based penetration testing
accessibility abuse
Android banking apps
malware detection
FjordPhantom
Wei Minn
PhD Candidate @ Singapore Management University
Android Framework, Cyber-Physical Systems, Testing and Verification
Phong Phan
i-Sprint Innovations Pte. Ltd, Singapore
Vikas K. Malviya
MIE-SPPU Institute of Higher Education, Qatar
Benjamin Adolphi
Promon, Germany
Yan Naing Tun
Singapore Management University, Singapore
Henning Benzon Treichl
Promon, Norway
Albert Ching
i-Sprint Innovations Pte. Ltd, Singapore
Lwin Khin Shar
Singapore Management University, Singapore
David Lo
Professor of Computer Science, Singapore Management University
AI4SE, Software Analytics, SE4AI, Software Maintenance, Software Engineering