Latin America is experiencing a robust shift toward mobile-first banking and payments, fueled by high smartphone adoption, regulatory support, and fintech innovation. 62% of Latin Americans use mobile wallets or payment apps for routine transactions. Colombia, for example, is broadly in line with the regional trends, and new services like the Nequi digital wallet captured 21 million users in just a couple of years.
Other regional banks also offer similar services, primarily based on mobile banking. However, as multipurpose devices, mobile phones used for banking services allow the installation of various applications — legitimate or malicious. This creates an opportunity for fraudsters to compromise mobile security, either through malware or by exploiting legitimate app functionalities to gain unauthorized control of the device.
Alarming Fraud Trends in LATAM
According to the BioCatch 2025 update, mobile malware fraud surged dramatically in the first four months of 2025, already surpassing the total number of cases recorded in the entire first half of 2024. The countries most severely impacted were Argentina, Colombia, and Mexico. This rise reflects a broader trend in the digital fraud landscape: mobile devices have become the dominant vector for fraudulent activity, now accounting for 88% of all fraudulent sessions, a 13% increase compared to the previous year.
Another alarming development is the 49% spike in stolen device fraud during Q1 2025. In these cases, attackers physically steal a victim’s phone and exploit it to access digital banking platforms, bypassing traditional security measures. At the same time, remote-access fraud doubled in the same quarter.
Fraudsters combine conventional account takeover tactics, such as malware or compromised devices, with sophisticated social engineering techniques. One common method involves screen-sharing tools, where victims are unknowingly guided to authorize fraudulent transactions. This multifaceted approach demonstrates the growing complexity and danger of mobile-focused cybercrime in 2025.

How Can Banks Close the Security Gaps?
1. Mobile App Shielding
Banks can integrate app shielding into their mobile apps to provide anti-malware detection and runtime application self-protection (RASP) capabilities. Such defenses allow the bank to, for example, detect and block apps running on rooted/jailbroken devices or emulators, enforce bank-defined security policies, and generate device and application logs that can be securely transferred to Fraud Detection Systems (FDS), helping AI engines build a more accurate customer context and improve fraud detection.
Another way to improve application security is to deploy application hardening techniques like code obfuscation, runtime integrity checks, and anti-tampering mechanisms, making it significantly harder for malware to exploit banking apps. A layered security approach dramatically reduces the possibility of an attack.
2. Server-Side Biometric Verification
If fraudsters compromise a device (including its PIN and biometrics), the bank may be unable to differentiate them from the legitimate user. To mitigate this risk, banks can implement an authentication solution with server-side biometrics, where the user's facial biometrics are securely stored on the server. This allows the bank to leverage facial recognition with robust liveness detection during high-risk events.
This solution enables strong, remote authentication, even if the device has been stolen or compromised, or a new authentication device needs to be registered.
3. Integration with Fraud Detection Systems (FDS)
Real-time transmission of mobile device risk data to the FDS is crucial. Security signals — such as signs of malware or unusual device behavior — can trigger transaction blocks, alerts, or secondary verification. This also supports the identification of fraud patterns and emerging attack vectors.
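The following added example (not Wultra's code or any product API) shows how an FDS policy could turn device risk signals into the outcomes described above: a transaction block, an alert, or a step-up to server-side face verification. The signal names, the `high_value` threshold and the policy tiers are assumptions made for illustration, and the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical signal names and policy tiers; a real bank defines its own.
BLOCK_SIGNALS = {"malware_detected", "app_tampered", "emulator"}
STEP_UP_SIGNALS = {"rooted_or_jailbroken", "screen_sharing_active",
                   "remote_access_tool", "new_device"}
ALERT_SIGNALS = BLOCK_SIGNALS | {"screen_sharing_active", "remote_access_tool"}

@dataclass(frozen=True)
class DeviceEvent:
    session_id: str
    signals: frozenset   # risk signals reported by the in-app shielding layer
    amount: float        # transaction amount in the account currency

@dataclass(frozen=True)
class Decision:
    action: str          # "allow", "step_up_face_biometric" or "block"
    alert: bool          # open a case for the fraud team
    reasons: tuple

def decide(event, high_value=1000.0):
    """Map one device event to an action; the strictest matching tier wins."""
    reasons = tuple(sorted(event.signals))
    if event.signals & BLOCK_SIGNALS:
        return Decision("block", True, reasons)
    # Any other signal, including one this policy does not recognise,
    # fails closed to step-up instead of being silently ignored.
    if event.signals or event.amount >= high_value:
        unknown = event.signals - STEP_UP_SIGNALS
        alert = bool(event.signals & ALERT_SIGNALS or unknown)
        return Decision("step_up_face_biometric", alert, reasons)
    return Decision("allow", False, reasons)

def signal_trends(events):
    """Count signals across non-allowed sessions to surface emerging patterns."""
    counts = Counter()
    for ev in events:
        if decide(ev).action != "allow":
            counts.update(ev.signals)
    return counts

# Constructed sample events, not real telemetry.
SAMPLE = [
    DeviceEvent("s1", frozenset(), 40.0),
    DeviceEvent("s2", frozenset({"screen_sharing_active"}), 40.0),
    DeviceEvent("s3", frozenset({"malware_detected", "new_device"}), 40.0),
    DeviceEvent("s4", frozenset(), 5000.0),
    DeviceEvent("s5", frozenset({"vendor_x_flag"}), 40.0),
]
```

The unrecognised `vendor_x_flag` signal in `s5` still forces a step-up and an alert, so a newly introduced signal from the app cannot pass unnoticed before the policy is updated.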
Why Partner with Wultra?
Wultra offers comprehensive security solutions for post-quantum authentication (PQA) and mobile app shielding, explicitly built for banks and financial institutions. Our key strengths include:
- Advanced post-quantum cryptography (PQC) endorsed by NIST.
- User-centric design with features such as passwordless login and seamless MFA for a superior user experience.
- Developer-friendly SDKs and APIs for smooth integration.
- Compliance with global regulations (e.g., PSD2, PSD3/PSR1, SUGEF 10-07).
- Proven track record in helping clients block mobile-originated fraud.
Let's Meet in Colombia and Costa Rica!
Wultra will be present at Cybersecurity Bank & Government Colombia 2025 and Andicom, and will also visit Costa Rica with the CzechTrade agency.
If you're interested in learning how to combat mobile banking fraud effectively, schedule a meeting with our team now. We’d love to connect and share how we can help.