The evolution of mobile apps by 2025 has radically changed the financial technology landscape, providing unprecedented convenience for users but simultaneously creating new opportunities for cybercriminals. The rise of contactless payments, the integration of artificial intelligence (AI), cloud technologies, and complex app ecosystems have made card data theft more sophisticated, automated, and scalable. In this answer, we will look in detail at how the evolution of mobile apps has changed card data theft methods, covering key vulnerabilities, new attack techniques, statistics, examples, and countermeasures. For educational purposes, the information is structured with an emphasis on technical details, real-world cases, and protection recommendations.
1. The Evolution of Mobile Apps: Key Changes by 2025
Mobile apps have evolved from simple utilities to sophisticated platforms integrated with financial services, biometrics, NFC (Near Field Communication), cloud storage, and AI. Here are the key aspects of this evolution that have influenced card data theft methods:
- The rise of mobile wallets and contactless payments: Apps like Apple Pay, Google Pay, Samsung Pay, and local equivalents (e.g., WeChat Pay) have become the standard for payments. According to Statista, by 2025, 60% of global transactions will be conducted through mobile devices, and NFC is used in 80% of financial apps.
- Third-party API integration: Apps increasingly use third-party services (e.g., Stripe, PayPal, Firebase) for payment processing, analytics, and personalization. This increases the attack surface due to potential supply chain vulnerabilities.
- Cloud technologies: Storing card data and PII (Personally Identifiable Information) in the cloud makes scaling easier, but creates risks of leaks if encryption or access is not configured correctly.
- AI and personalization: AI analyzes user behavior, but attackers use it to create targeted attacks, including phishing and social engineering.
- Complex ecosystems: 2025 apps are often integrated with wearables, IoT, and banking systems, expanding entry points for attacks.
These changes have made mobile apps central to financial transactions, but have also attracted the attention of cybercriminals who have adapted their methods to suit the new technology.
2. New methods of stealing card data in 2025
The evolution of mobile apps has led to the emergence of new, more stealthy and automated methods for stealing card data. Let's take a closer look at them:
2.1. NFC relay attacks (Ghost Tap and similar)
- How it works: NFC allows payments to be made without physical contact between the card and the terminal. Attackers use malicious apps or devices to intercept NFC signals, simulating transactions. For example, the SuperCard X malware (discovered in 2025) installs itself on Android devices and intercepts card data, even if the phone is locked.
- Technical details: The attack uses MITM (man-in-the-middle), where the attacker acts as an intermediary between the victim's device and the terminal. This is achieved by:
  - Software: Malicious applications disguised as legitimate ones (for example, games or utilities).
  - Hardware: Portable NFC readers capable of reading signals up to 10 meters away via amplifiers.
- Example: In Q1 2025, US banks reported losses of $120 million due to NFC attacks where card data was intercepted in public places (subways, cafes).
- Impact of app evolution: The rise of NFC apps (90% of financial apps in 2025) and weak end-to-end encryption (E2EE) implementation in 31% of Android apps (according to OWASP) have made such attacks widespread.
2.2. Malicious applications and Trojans
- How it works: Attackers publish malicious apps in stores (Google Play, App Store) or distribute them via sideloading. These apps request excessive permissions (access to SMS, contacts, keyboard) and steal card data.
- Technical details:
  - Keyloggers: Record card data input (number, CVV, name).
  - SMS interception: Steals one-time passwords (OTP) for two-factor authentication (2FA).
  - Screenshots and window overlays: Apps use overlay attacks to create fake data entry forms that look like legitimate banking interfaces.
  - Cloud data transfer: Malicious applications use HTTPS to covertly send data to C2 (command-and-control) servers, making detection difficult.
- Example: In August 2025, Google removed 77 malicious apps (19 million downloads), including fake PDF readers and games that stole card data through SMS and keyboard access.
- Impact of app evolution: The growth of apps (5.2 million on Google Play, 2.1 million on the App Store) and lax app store moderation are facilitating the spread of malware. The shift to cloud services has simplified the covert transfer of stolen data.
2.3. Digital Skimming (E-Skimming)
- How it works: Attackers inject malicious JavaScript into mobile apps or their web components (for example, payment forms in e-commerce apps). The code intercepts card data as it is entered.
- Technical details:
  - Supply chain vulnerabilities: Third parties (such as analytics SDKs) contain vulnerable code that allows script injection.
  - Mechanism: Scripts send card data to remote servers via WebSocket or HTTPS.
  - Bypassing protection: Lack of certificate pinning and weak encryption (TLS 1.2 instead of 1.3) increase the risks.
- Example: In 2025, an attack on a popular e-commerce app resulted in the leak of 2.3 million card data records due to a vulnerability in a third-party SDK.
- Impact of app evolution: The integration of apps with multiple APIs and scripts (an average of 15–20 third-party libraries per app) has created new entry points for e-skimming.
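The supply-chain weakness described above (a third-party script that ends up reading the payment form) is what Subresource Integrity (SRI) is meant to catch: the page pins a hash of the script it was built against, and the browser refuses a script whose bytes no longer match. The following Python build-step helper is an added example, not code from the original answer or from any SDK vendor; the SDK text and the CDN URL are constructed placeholders.

```python
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Re-derive the integrity value from the fetched bytes and compare it to the pinned one.

    This mirrors what the browser does before executing a <script integrity=...> resource.
    """
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not expected:
        return False
    return sri_hash(content, algo) == integrity


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a build step writes into the checkout page for a vendored script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the analytics SDK as vendored at build time, and a copy whose bytes
# changed afterwards (this is demo text standing in for a script, not real SDK code).
VENDORED_SDK = b"window.analytics = { track: function (e) { /* send event */ } };\n"
MODIFIED_SDK = VENDORED_SDK + b"// bytes that were not present when the page was built\n"


def build_and_check():
    """Build the tag once, then check both script versions against the pinned integrity."""
    tag = script_tag("https://cdn.example.test/analytics.js", VENDORED_SDK)  # hypothetical URL
    integrity = tag.split('integrity="')[1].split('"')[0]
    return {
        "tag": tag,
        "vendored_ok": verify_sri(VENDORED_SDK, integrity),
        "modified_ok": verify_sri(MODIFIED_SDK, integrity),
    }


if __name__ == "__main__":
    for key, value in build_and_check().items():
        print(f"{key}: {value}")
```

SRI only protects scripts loaded with a fixed `src`; a script that loads further scripts dynamically, or a web view that injects code at runtime, needs a restrictive Content Security Policy (`script-src` limited to known origins) on top of it, and the pinned hash has to be regenerated whenever the vendored file is legitimately updated.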
2.4. Phishing and social engineering through apps
- How it works: Fraudsters create fake apps that imitate banking or payment services. Users enter their card details, believing the interface to be legitimate.
- Technical details:
  - Interface imitation: UI kits are used to create exact copies of banking applications.
  - Targeted phishing: AI analyzes data leaks (such as those from the dark web) and sends personalized notifications to lure victims.
- Example: In 2025, a fake app impersonating PayPal infected 500,000 devices, stealing $10 million through phishing forms.
- Impact of app evolution: AI and access to user data (through permissions or leaks) have made phishing hyper-personalized, increasing the success of attacks.
2.5. Theft through excessive permissions
- How it works: Apps request access to the camera, microphone, contacts, or location that is not necessary for their functionality. This is used to collect personal information or create deepfake content for blackmail.
- Technical details:
  - Android: Permissions like QUERY_ALL_PACKAGES allow apps to see which banking apps are installed, which is used for targeting.
  - iOS: While App Tracking Transparency limits data collection, apps can still bypass protections through third-party SDKs.
- Example: In 2025, a photo editing app used camera access to record videos, which were then used for blackmail and PIN theft.
- Impact of app evolution: Increased app functionality (e.g. AR filters, voice commands) justifies permission requests, which reduces user vigilance.
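Sections 2.2 and 2.5 both come down to the same review question: does the manifest of a supposed utility app ask for capabilities (SMS access, screen overlays, accessibility binding, package enumeration) that its stated purpose cannot justify? The triage script below is an added example, not code from the original answer or from any vendor's tooling. The permission names are real Android permissions and the manifest attributes are real, but the choice of which ones to flag, the risk wording, and the sample "PDF reader" manifest are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# This example's own triage table: real permission names, assumed risk notes.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "can read OTP/2FA codes already on the device",
    "android.permission.RECEIVE_SMS": "can intercept OTP/2FA codes as they arrive",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of banking app screens",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate which banking apps are installed",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (sideloading)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str):
    """Return (severity, item, note) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for up in root.iter("uses-permission"):
        name = _attr(up, "name")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(("HIGH", name, HIGH_RISK_PERMISSIONS[name]))
    app = root.find("application")
    if app is not None:
        # An accessibility service can read every screen and inject input, which is why
        # overlay and credential-stealing malware so often asks the user to enable one.
        for svc in app.iter("service"):
            if _attr(svc, "permission") == ACCESSIBILITY_BIND:
                findings.append(("HIGH", _attr(svc, "name"), "binds as an accessibility service"))
        if _attr(app, "usesCleartextTraffic") == "true":
            findings.append(("MEDIUM", "android:usesCleartextTraffic",
                             "allows plain HTTP, exposing traffic to MITM"))
        if _attr(app, "allowBackup") == "true":
            findings.append(("MEDIUM", "android:allowBackup",
                             "app data can be extracted through a device backup"))
    return findings


# Constructed manifest for a fictitious "PDF reader"; no real app is described here.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for severity, item, note in triage_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {item}: {note}")
```

Run against a binary APK, the manifest first has to be decoded (for example with apktool or aapt); the script itself only reads the XML. The point of the output is the mismatch with purpose: a PDF reader has no reason to receive SMS or draw over other apps, so each HIGH finding is a question for the developer, or a reason not to install.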
3. Statistics and the scale of the problem
The evolution of mobile apps has made card data theft one of the top threats by 2025. Here are the key findings:
- Attack volume: According to the Identity Theft Resource Center, 151,000 identity theft cases will be registered in Q1 2025, 62% of which involve card data. Globally, losses from card-not-present (CNP) fraud have reached $6.2 billion.
- E-skimming on the rise: The number of records stolen through digital skimming has increased by 186% since 2024.
- Application vulnerabilities: According to OWASP Mobile Top 10 2025:
  - 57% of iOS apps and 40% of Android apps have insecure data storage vulnerabilities.
  - 31% of Android apps do not use SSL pinning, which facilitates MITM attacks.
- Malicious apps: 77 apps on Google Play (19 million downloads) were removed in August 2025 for stealing card data.
| Theft method | Traditional (until 2020) | Evolved in 2025 | Vulnerability |
|---|---|---|---|
| Skimming | Physical devices on ATMs | NFC relay via malware (Ghost Tap) | Lack of E2EE |
| Phishing | Email/SMS with fake links | Fake banking apps with AI targeting | UI imitation |
| Data storage | Local databases | Cloud leaks due to weak encryption | Insecure storage |
| Data interception | Wi-Fi MITM | Injection into third-party API | Lack of certificate pinning |
4. Technical vulnerabilities associated with application evolution
The evolution of applications has led to new vulnerabilities that are exploited by attackers:
- Insecure data storage: Card data is often stored unencrypted or with outdated or unsuitable algorithms (e.g. MD5, which is a hash function and not encryption at all, instead of AES-256).
- Weak encryption: 31% of Android apps use TLS 1.2 or lower, which is vulnerable to downgrade attacks.
- Third-party SDK: The average app uses 15-20 third-party libraries, 10% of which have known vulnerabilities (according to Veracode).
- Lack of certificate pinning: This allows MITM attacks to be carried out on public Wi-Fi.
- Weak app store moderation: Google Play and third-party stores (such as Huawei AppGallery) are less strict than the App Store, making it easier for malware to be published.
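Certificate pinning comes up three times on this page (sections 2.3, 3 and 4) without a description of what is actually pinned. The usual choice is the SHA-256 of the server's DER-encoded SubjectPublicKeyInfo (SPKI), not the whole certificate, so that a routine renewal with the same key does not break the app while a MITM certificate, which necessarily carries a different key, is rejected. The following Python is an added example, not code from the original answer or from any library; its DER walker assumes only the standard tbsCertificate field order, and the demo certificate it builds is a constructed stand-in with no real key or valid signature.

```python
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, raw_tlv, value, next_pos)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[start:end], buf[pos:end], end


def _children(value: bytes):
    """Split the value of a SEQUENCE into its (tag, raw_tlv) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, raw, _, pos = _read_tlv(value, pos)
        out.append((tag, raw))
    return out


def extract_spki(der_cert: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, _, cert_body, _ = _read_tlv(der_cert, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_body, _ = _read_tlv(cert_body, 0)          # tbsCertificate ::= SEQUENCE
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(der_cert: bytes) -> str:
    """'sha256/<base64>' over the SPKI: the pin form used by HPKP and OkHttp-style pinners."""
    digest = hashlib.sha256(extract_spki(der_cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(der_cert: bytes, pinned: set) -> bool:
    return spki_pin(der_cert) in pinned


def pinned_connect(host: str, port: int, pinned: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """TLS connect that refuses the session unless the leaf SPKI matches a pin (not run here)."""
    ctx = ssl.create_default_context()                   # normal chain validation still applies
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                           server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pinned):
        sock.close()
        raise ssl.SSLError("leaf public key does not match any pinned key")
    return sock


# --- constructed demo certificate: no real key, no valid signature ---

def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))                  # rsaEncryption
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))      # sha256WithRSA


def demo_spki(key_bytes: bytes) -> bytes:
    """SPKI wrapping arbitrary 'key' bytes (placeholder, not a usable RSA key)."""
    return _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bytes))


def demo_cert(spki: bytes, serial: bytes = b"\x01") -> bytes:
    """Minimal v3-shaped certificate around the given SPKI, with empty name/validity fields."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + _SIG_ALG
           + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _SIG_ALG + _der(0x03, b"\x00" + b"\xAA" * 16))


if __name__ == "__main__":
    pins = {spki_pin(demo_cert(demo_spki(b"\x01" * 64)))}
    print("renewed cert, same key:", pin_matches(demo_cert(demo_spki(b"\x01" * 64), b"\x02"), pins))
    print("cert with other key:   ", pin_matches(demo_cert(demo_spki(b"\x02" * 64)), pins))
```

In a shipping Android app the same check is normally expressed declaratively (a `<pin-set>` in the Network Security Config, or OkHttp's `CertificatePinner`) rather than hand-written; the value of seeing it spelled out is understanding why a pin set should contain the current key plus a backup key, and why pinning is applied on top of, not instead of, ordinary chain validation.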
5. Positive changes and countermeasures
The evolution of apps has also led to security improvements that help combat card data theft:
- Protection technologies:
  - Apple Pay and Google Pay: Apple doesn't share card numbers with developers, using tokenization (a unique token instead of a card number). This prevented $9 billion in fraud by 2025.
  - AI detection: Banks like Bank Mandiri use machine learning to analyze transactions, reducing false positives by 216%.
  - Zero-knowledge proofs: New protocols allow data (such as age) to be verified without transmitting PII.
- OWASP 2025 guidelines:
  - Use MFA (multi-factor authentication) for all transactions.
  - Conduct regular penetration testing of applications.
  - Implement certificate pinning and E2EE.
  - Store data encrypted using AES-256.
- Tips for users:
  - Use iOS instead of Android for financial apps (stricter moderation and App Tracking Transparency).
  - Check app permissions and disable unnecessary ones (for example, camera access for a calculator).
  - Avoid sideloading and public Wi-Fi for financial transactions.
  - Install an antivirus (such as Malwarebytes) and monitor for leaks using services like Have I Been Pwned.
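The tokenization mentioned under "Protection technologies" works because the merchant app only ever handles a surrogate value: the real PAN lives in a vault on the processor's side, and nothing the app stores, logs or leaks can be used to pay elsewhere. The vault below is an added illustration of that idea, not Apple's, Google's or any processor's implementation; the in-memory dictionaries stand in for an HSM-backed store, the lookup key is a hypothetical constant, and 4111 1111 1111 1111 is the standard Luhn-valid test number, not a real card.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, applied before a PAN is accepted into the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault: merchants receive tokens, and only the processor can map them back."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key      # HMAC key: lets us find an existing token without
        self._by_token = {}                # storing the PAN in a searchable, plaintext index
        self._by_pan_mac = {}              # HMAC(PAN) -> token, so re-tokenizing is idempotent

    def _mac(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        mac = self._mac(pan)
        if mac in self._by_pan_mac:
            return self._by_pan_mac[mac]
        # Format-preserving: random digits plus the real last four so receipts can still show
        # "**** 1111". The token is deliberately chosen to FAIL Luhn, so it can never be
        # mistaken for, or replayed as, a card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan_mac[mac] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the processor role may recover the PAN; a merchant role is refused outright."""
        if caller_role != "processor":
            raise PermissionError(f"role '{caller_role}' may not detokenize")
        return self._by_token[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """Everything the merchant app is allowed to keep: a token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "**** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"demo-lookup-key-not-for-production")
    record = merchant_checkout(vault, "4111111111111111")
    print("merchant stores:", record)
    print("processor recovers:", vault.detokenize(record["token"], "processor"))
```

The two properties worth checking in any real tokenization setup are visible in this toy: tokenizing the same PAN twice yields the same token (so recurring payments work without the merchant ever storing the card), and a stolen token is useless outside the processor that issued it.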
6. Real-life cases from 2025
- SuperCard X Malware: A malicious Android app distributed through third-party app stores infected 1.2 million devices. It exploited NFC relays and keyboard logging to steal card data, bypassing biometrics. Damages: $50 million.
- E-Skimming in E-Commerce: An attack on a popular shopping app through a vulnerability in a third-party SDK resulted in the leak of 2.3 million credit card data records. The attackers used JavaScript to intercept payment forms.
- Fake PayPal phishing scam: An app impersonating PayPal infected 500,000 devices, stealing $10 million through fake login forms.
7. Conclusion
The evolution of mobile apps by 2025 has made them the primary tool for financial transactions, but also a prime target for cybercriminals. Attacks have shifted from physical skimming to digital methods: NFC relays, malicious apps, e-skimming, and spear phishing. The growing number of apps, integration with third-party services, and weak implementation of modern security standards (E2EE, certificate pinning) have increased the risks. However, advances in tokenization, AI detection, and zero-knowledge proofs offer hope for mitigating threats.

For users and developers, the key to security lies in a proactive approach: regularly updating apps, using MFA, verifying permissions, and implementing strict encryption standards. The evolution of apps is a balance between convenience and risk, and only a concerted effort (technology, regulations, and awareness) can minimize the threat of card data theft in 2025.