With some financial institutions implementing two-factor authentication, miscreants were observed utilizing mobile Remote Access Trojans (RATs) to capture these SMS PINs for account takeover. This presentation will explore recent campaigns that have used mobile RATs to defeat two-factor systems, the challenges for mitigating this new breed of user attacks, and the vulnerabilities of these cybercrime kits.