The rapid adoption of mobile and digital banking has created tremendous opportunities for financial institutions to meet customer demand for convenience. But it has also opened new pathways for cybercriminals and state-sponsored hackers. Recent FBI warnings and international intelligence assessments underscore that mobile banking applications are actively targeted — and in some cases exploited as part of larger nation-state campaigns.
One of the most recent and significant threats is the Chinese state-linked hacking group known as Salt Typhoon, which has launched a sweeping, coordinated campaign against telecommunications providers, government agencies, and, increasingly, financial institutions.
A New Wave of Attacks on Mobile Banking Apps
Financial institutions face a variety of threats targeting mobile banking. According to recent FBI advisories, many of these threats exploit underlying weaknesses such as inadequate encryption, insecure data storage, and insufficient authentication mechanisms — highlighting how even small technical gaps can become entry points for larger attacks.
Salt Typhoon is raising the stakes by expanding its focus from traditional telecom espionage to critical industries worldwide — including financial services.
This is not just a cybersecurity issue — it’s a business continuity risk. By embedding within telecom and internet infrastructure, hackers gain strategic advantages that can extend into banking environments. Consider the potential impacts:
- Authentication at risk: SMS-based multi-factor authentication (MFA) becomes far less reliable if attackers can intercept or reroute messages.
- Persistent footholds: Nation-state actors may remain undetected for long periods, allowing them to monitor traffic and escalate access quietly.
- Third-party exposure: With banks relying heavily on vendors for cloud, SaaS, and mobile platforms, compromise at the infrastructure level magnifies institutional risk.
The message is clear: threats previously viewed as technical challenges now carry systemic implications for regulatory compliance, customer trust, and long-term resilience.
Recommended Actions for Banks and Financial Institutions
To protect both customer trust and institutional stability, financial leaders should treat mobile app security not just as an IT issue, but as a core business risk management priority. Key steps include:
1. Reevaluate Your Authentication Strategy
SMS-based authentication has long been the standard, but it is increasingly vulnerable. Review your institution’s reliance on SMS one-time passcodes and develop a roadmap toward stronger, phishing-resistant options such as push-based authentication or hardware security keys.
2. Strengthen Third-Party and Vendor Oversight
You may outsource mobile app development, cloud hosting, or telecom connectivity. Conduct a vendor risk review to confirm your partners are actively monitoring and mitigating nation-state threats. Ensure cybersecurity expectations are clearly addressed in contracts and compliance reviews.
3. Integrate Cyber Risk Into Business Continuity Planning
State-linked campaigns like Salt Typhoon highlight that cyber threats can directly impact business continuity. Update your continuity and disaster recovery plans to account for mobile banking disruptions and customer access issues. Communicate to leadership and boards how cyber disruptions could affect customer confidence and financial stability.
4. Bolster Incident Response Coordination
Technology teams can’t carry the burden alone. Executive leadership, compliance officers, customer service, and communications teams should all be prepared to respond quickly if customer accounts or apps are compromised. Clear playbooks reduce confusion and reputational damage during high-stress events.
5. Stay Informed and Connected
Nation-state threats evolve rapidly. Stay current on FBI and federal advisories, and participate in peer knowledge-sharing. Proactive awareness helps leadership teams make informed decisions before threats escalate.
A Multi-Level Defense Is the Best Offense
Banking applications sit at the center of both customer engagement and institutional risk. While everyday malware and phishing remain threats, campaigns like Salt Typhoon demonstrate how quickly the environment can escalate when nation-state actors target the infrastructure underlying financial services.
Mobile app security can no longer be addressed in isolation. It must be integrated with network resilience, third-party risk management, and national-level threat intelligence. Institutions that invest now in layered defenses, authentication modernization, and proactive incident response will be better positioned to withstand both criminal attacks and broader geopolitical cyber campaigns.
Protecting your mobile banking platforms requires both business insight and technical expertise.