Android banking trojan linked to Cambodia scam compound
Infoblox Threat Intel has linked an Android banking trojan to scam compounds in Cambodia, marking the first confirmed connection between a forced-labour scam site and a mobile malware operation.
Research conducted with Vietnamese non-profit Chong Lua Dao identified the K99 Triumph City compound in Cambodia as a likely operating location. The United Nations and other organisations have previously flagged the site for large-scale scams and forced labour.
Investigators traced the operation after spotting unusual DNS traffic across customer networks. Their inquiry led to what they described as a previously undocumented malware-as-a-service platform.
According to the findings, the service registers about 35 new fraudulent domains each month. Those domains impersonate banks, social security agencies, tax authorities, utilities and law enforcement bodies in at least 21 countries.
The heaviest activity targeted users in Indonesia, Thailand, Spain and Türkiye. The campaign also has implications for bank customers and government agencies across Europe and Asia.
How it works
Victims are persuaded to install fake banking or government applications on Android devices. Once installed, the trojan gives operators broad control over the handset.
The malware can capture facial-recognition data during fraudulent know-your-customer checks, intercept SMS one-time passcodes and access mobile banking applications. This allows attackers to take over accounts and move funds across borders.
The approach targets security measures banks commonly use to verify customers on mobile devices. By compromising both biometric checks and text-message codes, the malware is designed to defeat two of the most widely used layers of retail banking protection.
The findings add to growing concern over the industrial scale of online fraud operations in Southeast Asia. Authorities in the region have repeatedly warned in recent years about scam centres that combine human trafficking, forced labour and online financial crime.
Security researchers and law enforcement agencies have long suspected that some of these compounds were involved in malware distribution as well as social engineering schemes. The new research claims to provide direct evidence linking one of those sites to an organised mobile banking fraud operation.
"These aren't random one-off scams. They're factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation," said Dr. Renée Burton, VP of Infoblox Threat Intel.
Burton also described the wider scope of the activity. "We now know that beyond the social engineering associated with so-called pig butchering scams, the compounds are being used to run sophisticated operations that steal banking credentials and allow threat actors to spy on victims," she said.
Cross-border reach
The operation appears to be structured as a service model rather than a single campaign. That suggests the infrastructure may be reused or shared among multiple actors running fraud schemes in different markets.
The use of dozens of fresh domains each month helps operators replace blocked websites and maintain a steady flow of impersonation attacks. By mimicking public agencies and trusted financial institutions, the campaign exploits victims' trust in official communications and urgent service messages.
For banks and public authorities, the case underlines the challenge of defending mobile users against attacks that begin outside formal app stores and move quickly across jurisdictions. It also highlights the role of DNS analysis in tracking criminal infrastructure that might otherwise be difficult to link to physical locations.
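As an added illustration of the DNS-side detection the article refers to (example code written for this page, not Infoblox's tooling), the script below takes constructed resolver log lines, records when each registrable domain was first seen, and flags domains that appeared inside a trailing window and either look like a known institution's domain or carry the bank/tax/police lure words the campaign relies on. The log lines, the `.test` brand domain and the lure-word list are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed resolver log lines (sample data, not from the Infoblox report):
# "<ISO timestamp> <client IP> <queried name>"
DNS_LOG = """\
2024-05-01T08:00:00 10.0.0.12 www.examplebank.test
2024-05-01T08:05:00 10.0.0.14 online.examplebank.test
2024-05-02T11:00:00 10.0.0.33 cdn.shop-example.test
2024-05-20T09:10:00 10.0.0.12 examplebank-secure-login.test
2024-05-20T09:11:00 10.0.0.12 tax-refund-portal.test
2024-05-21T10:00:00 10.0.0.14 exampelbank.test
2024-05-21T10:02:00 10.0.0.33 cdn.shop-example.test
"""

# Registrable domains of the institutions being defended (constructed)
KNOWN_BRANDS = {"examplebank.test"}
# Words borrowed by lures that pose as banks, tax authorities, police, utilities
LURE_WORDS = ("bank", "tax", "refund", "secure", "login", "police", "utility")


def registrable(qname):
    """Collapse a query name to its last two labels (adequate for .test)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch typosquats of known brands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_new_domains(log_text, window_days=14):
    """Return {domain: reason} for domains first seen inside the trailing window
    whose name imitates a known brand or a public-agency lure."""
    first_seen = {}
    for line in log_text.splitlines():
        ts, _client, qname = line.split()
        dom, when = registrable(qname), datetime.fromisoformat(ts)
        first_seen[dom] = min(first_seen.get(dom, when), when)
    cutoff = max(first_seen.values()) - timedelta(days=window_days)
    hits = {}
    for dom, when in first_seen.items():
        if when < cutoff or dom in KNOWN_BRANDS:
            continue  # long-established, or the genuine institution itself
        label = dom.split(".")[0]
        for brand in KNOWN_BRANDS:
            blabel = brand.split(".")[0]
            if blabel in label or edit_distance(label, blabel) <= 2:
                hits[dom] = f"lookalike of {brand}"
                break
        else:
            if any(w in label for w in LURE_WORDS):
                hits[dom] = "newly seen, uses institutional lure words"
    return hits
```

Against real resolver logs the window should be compared with domain registration dates from passive DNS or WHOIS rather than first-seen time alone, since a domain can be registered weeks before it is used for a lure.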
Organisations that rely on SMS and standard biometric checks for mobile fraud prevention could face further coordinated attacks. Banks, fintech groups and governments may also come under greater scrutiny over the resilience of their mobile security controls as these operations spread.
The identified campaign spans at least 21 countries and uses fake Android applications to imitate trusted institutions while giving criminals direct access to victims' devices.