Wema Bank has issued a fresh warning to its customers over a growing wave of cyberattacks in which fraudsters use deceptive online adverts and pop-up prompts to lure unsuspecting users into downloading malicious mobile applications designed to hijack their banking details.
The warning, sent to customers via email on Thursday, highlights a troubling shift in tactics by cybercriminals, who are now embedding malware inside apps disguised as everyday tools ranging from sports betting platforms and live score trackers to streaming services, utility apps, fake banking support tools, and bogus phone update notifications.
According to the lender, these disguises are deliberate and increasingly convincing, designed to lower a user’s guard long enough to grant the app the permissions it needs to do damage.
Once installed, the rogue software can effectively seize control of a victim’s phone. From there, it can extract stored banking credentials and transaction PINs, quietly intercept incoming SMS messages and one-time passwords, and go on to execute unauthorized transactions directly from the customer’s own registered mobile banking profile, notably without needing to switch or clone the victim’s device, a detail the bank says makes this particular scheme harder for customers to detect early.
In its advisory, Wema Bank described the malware’s capabilities in stark terms, noting that once installed, the malware can take control of a device, steal banking credentials and transaction PINs, intercept SMS and OTPs, and initiate unauthorized transactions through the customer’s registered mobile banking profile without requiring a device change.
To help customers stay ahead of the threat, Wema Bank laid out a series of precautionary steps. Chief among them: customers should source banking and other sensitive applications strictly from official platforms such as the Google Play Store or Apple’s App Store, avoiding third-party links altogether.
The bank was equally emphatic about steering clear of app installations triggered through links or pop-up ads encountered on social media, websites, emails, or chat platforms the very entry points cybercriminals are said to be exploiting most aggressively.
Customers were also urged to treat unsolicited prompts demanding system updates or “security verification” with suspicion, to periodically audit their phones for unfamiliar or unused apps and delete them, and to ensure their device operating systems and security software remain current, since outdated systems are often the easiest targets.
For customers who suspect their accounts may already be compromised, the bank’s guidance is immediate and direct: disconnect the affected device from the internet without delay, contact the bank, and formally report the incident so containment measures can begin.
Wema Bank extended this call for vigilance beyond individual customers as well, encouraging both account holders and other financial institutions to escalate suspected phishing attempts and spam messages to the relevant fraud desks or information security teams, stressing that swift reporting plays a critical role in curbing the broader spread of cyber fraud across Nigeria’s financial services sector.
Thursday’s advisory is not an isolated move. It builds on a string of recent actions by the bank aimed at tightening its defences against digital fraud. In June, Wema Bank took the unusual step of temporarily pulling back its communications on X (formerly Twitter) and Telegram, a decision it attributed at the time to concerns over impersonation attempts and the need to shield customers from fraudulent accounts posing as official bank channels.
Taken together, the two episodes point to a bank increasingly on the defensive against a fraud landscape that analysts say is evolving faster than many users’ awareness of it, with mobile malware, in particular, emerging as one of the more insidious threats facing Nigerian bank customers this year.
WHAT YOU SHOULD KNOW
Fraudsters are no longer just phishing for passwords; they’re tricking people into installing malware disguised as everyday apps (betting, streaming, and “update” tools), which then silently steal banking credentials, intercept OTPs, and drain accounts without ever needing the victim’s physical device.
The single most important defense is to simply download apps from official app stores, never through pop-ups or links, and if anything seems off, disconnect from the internet and contact your bank immediately.
























