Infoblox Uncovers Cambodia-Linked Mobile Banking Fraud

Malware-driven fraud and remote-access scams have surged alongside large-scale scam operations in Southeast Asia, with governments issuing warnings in recent years. However, linking specific malware to these compounds has been difficult—until now.

New research by Infoblox Threat Intel and Vietnam’s Chong Lua Dao identified an Android banking trojan likely operated from multiple locations, including Cambodia’s K99 Triumph City, a site previously flagged by the UN for large-scale scams and forced labour.

The team uncovered the operation after a spike in anomalous DNS traffic across Infoblox customer networks led to a previously undocumented “malware-as-a-service” platform. The service registers about 35 new domains every month to spoof banks, social-security agencies, tax authorities, utilities and law enforcement in at least 21 countries, with heaviest activity against users in Indonesia, Thailand, Spain and Türkiye.
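As an added illustration of the DNS-side signal described above (example code written for this article, not tooling from Infoblox or Chong Lua Dao), the following Python flags days on which an unusual number of previously unseen domains embedding a monitored brand name first show up in DNS query logs. The log lines, brand keywords and allowlist are constructed placeholders, and the registrable-domain split is a deliberate simplification.

```python
"""Spot a surge of newly seen brand-spoofing domains in DNS query logs."""
from collections import defaultdict

# Constructed sample DNS log: "YYYY-MM-DD client_ip queried_name" (not real traffic)
SAMPLE_LOG = """
2024-05-01 10.0.0.5 www.bankx.com
2024-05-01 10.0.0.7 bankx-secure.xyz
2024-05-02 10.0.0.9 mail.bankx.com
2024-05-03 10.0.0.5 bankx-app.top
2024-05-03 10.0.0.6 taxoffice-refund.top
2024-05-03 10.0.0.7 socialsecurity-id.xyz
2024-05-03 10.0.0.8 bankx-secure.xyz
2024-05-04 10.0.0.5 update-bankx.xyz
"""

# Hypothetical brand keywords an institution would monitor, and its genuine domains.
BRANDS = {"bankx", "taxoffice", "socialsecurity"}
LEGIT = {"bankx.com", "taxoffice.gov", "socialsecurity.gov"}


def parse_log(text):
    """Return (day, client, qname) tuples; qname lower-cased, trailing dot removed."""
    rows = []
    for line in text.strip().splitlines():
        day, client, qname = line.split()
        rows.append((day, client, qname.lower().rstrip(".")))
    return rows


def registrable(qname):
    """Crude eTLD+1 (last two labels); a real deployment uses the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def spoofs_brand(domain):
    """True if the first label embeds a monitored brand and the domain is not allowlisted."""
    label = domain.split(".")[0]
    return domain not in LEGIT and any(b in label for b in BRANDS)


def new_spoof_domains_per_day(rows, already_seen=frozenset()):
    """Map each day to the set of brand-spoofing domains first seen on that day."""
    seen, per_day = set(already_seen), defaultdict(set)
    for day, _client, qname in sorted(rows):
        dom = registrable(qname)
        if spoofs_brand(dom) and dom not in seen:
            seen.add(dom)
            per_day[day].add(dom)
    return per_day


def spike_days(per_day, baseline=2):
    """Days whose count of newly seen spoof domains exceeds the expected baseline."""
    return sorted(d for d, doms in per_day.items() if len(doms) > baseline)
```

Running `spike_days(new_spoof_domains_per_day(parse_log(SAMPLE_LOG)))` on the constructed log returns `['2024-05-03']`, the day three new spoof domains appeared at once.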

Once victims install the fake “government” or “banking” app, operators gain full control of the device. The trojan can capture facial-recognition data during spoofed KYC checks, intercept SMS one-time passcodes and silently log in to mobile banking apps to move funds across borders – turning biometrics and OTPs from safeguards into attack surfaces for account-takeover fraud.

“These aren’t random one-off scams. They’re factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation,” said Dr. Renée Burton, VP of Infoblox Threat Intel. “We now know that beyond the social engineering associated with so-called pig butchering scams, the compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims.”

The research shows that unless banks, fintechs and governments harden their Android and mobile channels beyond SMS and basic biometrics, they should expect more coordinated cross-border raids on customer accounts – and tougher questions from regulators about the resilience of their mobile-fraud defences.

You can find the full research here.
