Android Banking Trojan Linked to Cambodia Scam Compounds Hits 21 Countries
Android banking trojan linked to Cambodia scam compound targets 21 countries using forced labor.
Summary
Infoblox Threat Intel and Chong Lua Dao have identified the first confirmed connection between a Southeast Asian scam compound in Cambodia (K99 Triumph City) built on forced labor and an Android banking trojan operating across 21 countries. The malware distributes through fake domains mimicking banking interfaces, tricks users into installing malicious apps, and can intercept SMS, bypass biometric authentication, and manipulate banking sessions in real-time. Trafficked workers in the compound are forced to manage parts of the operation, from phishing to victim guidance, transforming the campaign into organized crime with active slavery.
Full text
Security Cyber Crime MalwareAndroid Banking Trojan Linked to Cambodia Scam Compounds Hits 21 Countries Android banking trojan linked to Cambodia scam compounds uses forced labour to target users in 21 countries, bypassing security to steal funds. byWaqasApril 10, 20263 minute read A new report from Infoblox Threat Intel connects two issues that are often discussed separately but rarely proven to be linked. The company says it has identified the first confirmed relationship between a Southeast Asian scam compound built on forced labour and an Android banking trojan used in attacks across 21 countries. The research, conducted with Vietnamese non-profit Chong Lua Dao, shows how people trafficked into scam centres are forced to support a malware distribution system that targets mobile banking users. According to researchers, this connection shows how people are being forced to help run scams that steal from others online. Looking at how the malware spreads, the report points to fake domains being created month after month. Investigators tracked roughly 35 new domains being registered regularly, all designed to mimic trusted services or banking interfaces. These sites trick victims into installing malicious Android apps disguised as legitimate tools. The report describes common lures such as fake banking alerts, delivery notifications, or messages that push users to install an app outside official app stores. Once installed, the trojan gives attackers a high level of control over the device. It can intercept SMS messages, bypass biometric checks, and manipulate banking sessions in real time. That combination allows attackers to move funds without any alert that users expect to protect them. According to Infoblox’s report shared with Hackread.com, victims have been identified in multiple parts of the world, including Indonesia and Thailand in Southeast Asia, Spain and Türkiye in Europe, and several countries in Latin America. This points to an infrastructure that can target different banks and adjust to local languages, which helps improve its success rate. Malware-As-A-Service Researchers have described the operation as malware-as-a-service, where the tools and infrastructure are maintained centrally while affiliates handle distribution and victim engagement. That setup makes it easier for more groups to get involved without having to build anything themselves. Another detail highlighted in the research is how the malware keeps control even after installation. It can overlay fake login screens on top of real banking apps, capture credentials as they are entered, and forward that data to attackers. In some cases, it can also take control of the device remotely, allowing attackers to carry out transactions as if they were the user. K99 Triumph City, Cambodia, Slavery and Scams Researchers noted the malware operation is being hosted from several locations, including the K99 Triumph City compound, reportedly, a heavily fortified cybercrime compound located in Sihanoukville, Cambodia. The connection to scam compounds in Cambodia makes the situation more serious. Infoblox Threat Intel and Chong Lua Dao say individuals inside these facilities are forced to manage parts of the operation, from sending phishing messages to guiding victims through the installation process. This turns what might look like a standard cybercrime campaign into a system built on organised crime and active slavery. The first image shows malicious Android apps designed to target users in Brazil. The second shows a message sent by a trafficked worker to Chong Lua Dao, asking for rescue from K99 Triumph City in Sihanoukville, Cambodia. The third image captures a workstation used inside the same compound. (Credit: Infoblox) These findings carry weight. As reported by Hackread.com in April 2024, Indian law enforcement agencies rescued hundreds of their citizens who had been lured to Cambodia with false promises of legitimate jobs, only to be forced to work for cybercrime gangs. If you are offered a job in Cambodia, the risks should not be ignored. If you use an Android device, stick to official app stores and avoid downloading unnecessary apps. For a deeper look at this threat, Infoblox’s report includes detailed technical insights, including IOCs. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts AndroidBankingCambodiaChong Lua DaoCyber CrimeCybersecurityInfobloxK99 Triumph CityMalwareTROJANtrojon Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security EV Charging Stations at Risk of DoS Attacks Although a fix is available to patch vulnerabilities, the EV industry is slow in applying the updates. byDeeba Ahmed Cyber Crime US COVID-19 relief bill to make copyrighted content streaming a felony The $300/week unemployment legislation includes a clause that will make streaming of protected content a punishable crime. byDeeba Ahmed Read More Security Malware Phishing Scam Hackers Use Excel Exploit to Hide XWorm 7.2 in JPEG Files, Hijack PCs A new phishing campaign is spreading XWorm 7.2 via malicious Excel files, hiding the malware in Windows processes, and using AES encryption to steal passwords and Wi-Fi keys. byDeeba Ahmed Read More Security Cyber Attacks Phishing Scam Global Ongoing Phishing Campaign Targets Employees Across 12 Industries SUMMARY Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from… byWaqas