Hacking attacks cross 100m amid mobile banking heist
Hacking attacks rose above 100 million breaches in the nine months to September, as cyber criminals increasingly ride on smartphones to hack into consumer bank accounts.
Cyberthieves are using so-called malware to steal banking credentials from unsuspecting consumers when they log on to their bank accounts via their mobile phones, according to regulators and cybersecurity specialists.
A cyber security report from the Communication Authority of Kenya (CA) shows that malicious software attacks hit 103 million in the nine months to September, up from 99 million in the same period a year earlier.
Malware is gaining popularity as criminals look for new and lucrative ways to attack firms, disrupting operations and compromising sensitive data across diverse sectors, from healthcare and financial services to retail and regulatory bodies.
This highlights the growing financial exposure of local firms to data theft, extortion and operational downtime caused by malicious software.
Central Bank of Kenya (CBK) data show that half of the Sh1.59 billion that was stolen from banks by hackers was through mobile banking. Cyberthieves stole Sh810.68 million last year, up from Sh182.41 million a year earlier, representing a jump of 344 percent.
The communications regulator said the attacks mainly targeted Internet service providers, cloud platforms, government systems and enterprise networks that hold large volumes of consumer or financial data.
The Authority noted that most incidents involved the exploitation of outdated software, default passwords and unsecured system configurations that allowed attackers to gain entry and install backdoors for repeated access.
Malware was identified as one of the top threat vectors facing Kenya’s critical information infrastructure alongside system attacks and web application exploits during the three-month review period.
“Malware attacks mostly targeted systems with known vulnerabilities and those containing sensitive information,” the report states, adding that the objectives included “data encryption or corruption, reputational damage, the deployment of backdoors for persistent access and the exfiltration of confidential data.”
The regulator said the attacks were largely aimed at stealing credentials, encrypting sensitive data or deploying ransomware designed to paralyse operations until payments are made to the perpetrators.
Malware infections often begin when employees click on phishing emails, open infected attachments or visit compromised websites that automatically download malicious code onto company networks.
Once inside, the malware spreads across servers and endpoints, harvesting credentials and disabling key systems that support payments, supply chains, or public services.
The growing mobile-phone malware threat represents a new entry point for criminals who were typically used to stealing bank credentials by other means, such as installing skimmers on automatic teller machines or using scams targeting desktop computer users.
The malware typically gets onto a phone when a user clicks on a text message from an unknown source or taps an advertisement on a website. Once installed, it often lies dormant until the user opens a banking app.
The malware then creates a customized overlay on the authentic banking app. This allows criminals to follow a user’s movements on the phone and eventually grab credentials to the account.
This type of mobile-phone malware is gaining ground as more consumers are using banking apps and financial firms are rolling out a wider array of mobile services.
The share of Kenyans with bank accounts using mobile banking has increased from 25.3 percent in 2019 to 32.6 percent in 2024, CBK data shows.
The rising popularity of mobile-banking malware creates yet another security headache for consumers who are increasingly turning to their mobile phones for everyday tasks from banking to shopping.
“Cyber risks have increased due to the digitalisation of payments and transfer of money from person to person,” CBK notes.
It also represents a setback for banks that are pushing customers toward digital channels as a way to reduce costs and improve efficiency.
Mobile phones are considered particularly vulnerable to hackers because consumers typically don’t install anti-malware protection on their devices.
Bank executives say they are trying to thwart the malware by frequently updating and revising their banking applications.
The CA report said the persistence of malware is being driven by the use of artificial intelligence and cybercrime-as-a-service models, which allow criminals to automate attacks and lease malicious tools at minimal cost.
“The detected cyber threats can be attributed to several factors, including inadequate system patching, limited user awareness of threat vectors such as phishing and other social engineering techniques, as well as the growing adoption of AI-driven attacks,” reads the report.
These developments, the agency said, have lowered the entry barrier for attackers and increased the frequency of attempted intrusions across both public and private networks.
During the quarter, the National KE-CIRT/CC issued 19.9 million cyber threat advisories, warning organisations to review firewall configurations, update antivirus systems, and strengthen password policies.
Financial institutions have been urged to reinforce monitoring of mobile and online banking platforms, which remain popular entry points for credential theft and fraudulent transactions.
CBK data shows that lenders lost Sh1.59 billion to cyber-criminals last year, with more than half of the amount linked to attacks on mobile banking channels.
The losses underscore the monetary impact of malware and related fraud, which are now being treated by the financial sector as material operational risks.
The CBK disclosure shows that the theft of customer deposits has grown four-fold from Sh412 million in 2023 due to fraudulent wire-transfer requests. CBK data showed card fraud cost customers Sh263.29 million, 16.9 times the Sh15.59 million lost in the prior year.
Computer fraud, which includes hacking into systems to steal data, saw bank customers lose Sh203.39 million, a 2.7 times jump from the preceding year, while fraud through identity theft grew six times to Sh199.08 million.
The review period saw online banking fraud rise to Sh111.83 million from Sh106.2 million, while internet scams cost lenders Sh6.07 million, up from Sh797,7000 in the prior year.
The CA says weak cyber hygiene, especially in patching and password management, remains the single biggest driver of successful malware infections.
The regulator further warns that firms relying on legacy systems and unsupported software face the highest probability of financial loss from malware-related incidents.
Elsewhere, insurers have begun adjusting cyber cover terms, linking premium rates and deductibles to the maturity of a company’s internal cybersecurity controls.
Underwriters say policyholders with outdated systems or insufficient response plans face limited compensation in the event of a breach.
The CA report shows that financial institutions, government agencies and cloud service providers remain the primary targets of these attacks because of the sensitive data and real-time transactions they handle.
Tech firm IBM’s Cost of a Data Breach 2025 report estimates that the global average cost of a single data breach is about $5 million (around Sh657.5 million), covering response, downtime, customer compensation, and reputational loss.
Such costs can prove catastrophic for medium-sized enterprises and service providers whose operations rely heavily on digital infrastructure.
A prolonged system outage caused by malware can halt revenue collection, disrupt production schedules, and expose firms to penalties under data protection and business continuity regulations.