Android banking malware warns of threats to users in 21 countries.
A large-scale Android banking malware campaign linked to phishing organizations is spreading globally, threatening users in 21 countries.
A new report from Infoblox Threat Intel, a security research division of Infoblox (USA), has revealed a worrying link between two seemingly separate issues: forced labor scam centers in Southeast Asia and a global Android banking malware campaign.

According to research conducted in collaboration with the Anti-Fraud Organization (Vietnam), this is the first time experts have clear evidence showing that victims coerced into "fraud centers" are being exploited to operate malware distribution systems, directly targeting users of digital banking services.
An organized, transnational fraud network.
The report indicates that the malware distribution operation is well-organized and large-scale. The operating groups continuously create fake domain names, averaging around 35 new domains per month, designed to mimic banking interfaces or familiar services.
These websites act as "traps" to trick users into installing malicious applications in APK file format. The scams often revolve around fake bank notifications; account issue alerts; delivery notifications; and urgent verification requests.
When users click on the link, they will be directed to fake app download pages, thereby inadvertently installing malware on their Android devices.
Malware takes control of devices and steals money in real time.
After infiltrating, this banking malware quickly gains deep control over the device. According to Infoblox, the malware is capable of intercepting and reading SMS messages; bypassing biometric authentication; and tracking and manipulating banking transactions.
Notably, the malware can directly interfere with real-time transactions. This allows attackers to transfer money while users are using the application, without the victim realizing it.
Furthermore, it uses overlay techniques to display fake login screens over the real banking app, thereby stealing login information. In some cases, hackers can even remotely control the device, performing actions as if they were the user.
The "malware as a service" model is dangerous.
Researchers describe this campaign as operating on a "malware-as-a-service" model. Accordingly, the technical infrastructure and attack tools are built centrally, while "branches" are responsible for distribution and interacting with victims.
This organizational structure lowers the barrier to entry, allowing multiple criminal groups to exploit the system without developing their own malware. This is also why the campaign was able to rapidly expand to many different countries.
In fact, victims have been reported in many regions, from Southeast Asia (Indonesia, Thailand) to Europe (Spain, Türkiye) and even Latin America. The malware is capable of customizing itself to local languages and banking systems, increasing the success rate of attacks.
Connections to scam centers in Cambodia
One of the most striking aspects of the report is its direct link to fraud operations in Cambodia, particularly the alleged cybercrime hub in Sihanoukville.
Researchers determined that part of the campaign's infrastructure was operated from locations such as K99 Triumph City – described as a heavily guarded complex linked to cybercrime activity.
More seriously, those who are tricked into working there are often forced to participate in malware distribution activities, from sending phishing messages to instructing victims to install applications. This makes the campaign not only a high-tech crime, but also linked to human trafficking and forced labor.
Previously, numerous international reports also documented cases of citizens being lured to Cambodia with promises of attractive jobs, only to be forced to participate in online scams.
Warnings and recommendations for Android users.
Experts warn that the combination of sophisticated technology and organized crime poses a serious threat to global users, particularly in the digital finance sector.
To minimize risks, Android users need to:
- Only install apps from the Google Play store or official sources.
- Do not click on links in suspicious messages or emails.
Avoid downloading APK files from websites of unknown origin.
- Carefully check the app's access permissions, especially SMS and Accessibility permissions.
In addition, users should be wary of job offers abroad, especially those that lack transparency.
In the context of increasingly sophisticated and global attack campaigns, raising awareness and adhering to basic security principles remains crucial to protecting personal assets and data.


