Android trojan linked to Cambodia following anomalous DNS spike

Security researchers have discovered an Android banking Trojan that is believed to operate from the K99 Triumph City compound in Cambodia. The malware-as-a-service platform registers approximately 35 new domains each month and is active in at least 21 countries.

Infoblox Threat Intel and the Vietnamese nonprofit Chong Lua Dao tracked down the Android banking Trojan after a spike in anomalous DNS traffic across Infoblox customer networks; following that traffic led them to a previously undocumented malware-as-a-service platform.

The operations are believed to be run from multiple locations, including the K99 Triumph City compound in Cambodia, a cybercrime hub from which various malware campaigns are run. That location had previously been on the UN’s radar due to large-scale fraud and forced labor.

“These aren’t random one-off scams. They’re factory lines. For years we knew these scam compounds existed, and suspected malware distribution at the sites, but this is a firm confirmation,” says Dr. Renée Burton, VP of Infoblox Threat Intel.

Fake apps from banks to tax agencies

The platform registers approximately 35 new domains each month that impersonate banks, social security agencies, tax authorities, utility companies, and police departments in at least 21 countries. The most intense activity targets users in Indonesia, Thailand, Spain, and Turkey. Once victims install the fake app, operators gain full control over the device. The Trojan captures facial recognition data during fake Know Your Customer (KYC) checks, intercepts SMS one-time passcodes (OTPs), and silently logs into mobile banking apps to funnel money across borders. It thus turns biometrics and OTPs into attack vectors for account takeover fraud.
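The two observations above, a burst of anomalous DNS traffic and a steady supply of newly registered domains that impersonate banks and agencies, are exactly what a resolver-log detector can key on. The following is an added example written for this article, not Infoblox's or Chong Lua Dao's method: it takes a constructed sample of per-day lookup counts, builds a baseline from the first days, and flags domains that were never seen in the baseline, carry a brand-style keyword, and spike well above the baseline's per-domain daily volume. The sample data, the keyword list and the z-score threshold are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import date
import statistics

# Constructed sample of resolver activity (not real traffic): (day, queried
# name, number of lookups that day). The first two days form the baseline.
SAMPLE_QUERIES = [
    ("2024-05-01", "www.example.com", 4),
    ("2024-05-01", "vpn.corp.example.net", 3),
    ("2024-05-02", "www.example.com", 2),
    ("2024-05-02", "vpn.corp.example.net", 3),
    ("2024-05-03", "www.example.com", 3),
    ("2024-05-03", "login-mybank-verify.com", 9),  # new, brand keyword, burst
    ("2024-05-03", "taxrefund-portal.net", 1),     # new, brand keyword, no burst
    ("2024-05-03", "cdn.newvendor.io", 1),         # new, no brand keyword
]

# Assumed defender-maintained list of terms that impersonation domains tend
# to carry; the article names the sectors, the words here are an assumption.
BRAND_KEYWORDS = ("bank", "tax", "social", "police", "utility")


def registrable_domain(qname):
    """Naive eTLD+1: the last two labels. A production detector should use
    the Public Suffix List so that names like example.co.uk group correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def daily_counts(sample):
    """Return domain -> {day: total lookups} aggregated at eTLD+1."""
    counts = defaultdict(Counter)
    for day, qname, n in sample:
        counts[registrable_domain(qname)][date.fromisoformat(day)] += n
    return counts


def detect_new_lookalikes(sample, baseline_end, z_threshold=3.0):
    """Flag domains never seen on or before baseline_end that carry a brand
    keyword and whose peak daily volume sits z_threshold standard deviations
    above the baseline distribution of per-domain daily counts."""
    counts = daily_counts(sample)
    cutoff = date.fromisoformat(baseline_end)
    baseline_values, known = [], set()
    for dom, per_day in counts.items():
        for day, n in per_day.items():
            if day <= cutoff:
                baseline_values.append(n)
                known.add(dom)
    if not baseline_values:
        raise ValueError("no baseline traffic on or before cutoff")
    mean = statistics.mean(baseline_values)
    stdev = statistics.pstdev(baseline_values) or 1.0  # avoid divide by zero
    alerts = []
    for dom, per_day in counts.items():
        if dom in known or not any(k in dom for k in BRAND_KEYWORDS):
            continue
        peak = max(per_day.values())
        z = (peak - mean) / stdev
        if z >= z_threshold:
            alerts.append({"domain": dom, "peak_queries": peak, "z": round(z, 1)})
    return sorted(alerts, key=lambda a: a["domain"])


if __name__ == "__main__":
    for alert in detect_new_lookalikes(SAMPLE_QUERIES, "2024-05-02"):
        print(alert)
```

On the sample, only `login-mybank-verify.com` is reported: `taxrefund-portal.net` is new and carries a keyword but has no burst, and `cdn.newvendor.io` is new but matches no keyword. In practice the keyword list is the weakest part; pairing the volume check with domain-age data from a registration feed catches the monthly churn of fresh domains the article describes without relying on naming patterns.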