Knowledge Center / Mobile runtime attacks · 2025·07
How advanced malware from Asia is targeting Africa's financial sector
What we are seeing
Between June 2024 and June 2025, the malware tooling that previously lived in Vietnamese-targeted Southeast Asian fraud campaigns has migrated. The actor cluster behind the dominant family is the same. The attack surfaces are similar. The estates are African. The detailed report this article condenses is published as The New Frontier — How advanced malware from Asia is targeting Africa’s financial sector (v1, June 2025) [21], with primary-source references retained and reproduced inline below.
The runtime sees the symptoms first — an accessibility service that should not be active, an overlay that does not match the host application, a hooking attempt against a banking call. By the time backend fraud scoring would catch a pattern, our substrate has already signed the deviation.
The actors
GoldFactory tooling reaches African targets
GoldFactory is a well-organised, Chinese-speaking cybercrime group active since at least mid-2023 [4, 5, 6]. The cluster originally targeted Vietnam, Thailand, and other APAC markets [8, 9]; UNODC reporting in 2025 documented the broader Asian syndicate migration into new operational zones [1, 2]. The operators are Chinese-speaking; the initial target geography was Vietnam.
The directly-evidenced African link is via the Gigabud trojan — a sibling of GoldDigger sharing source code, the “libstrategy.so” UI library, and the Virbox commercial packer for evasion [3]. VNCS analysis confirmed Gigabud campaigns deployed against targets in South Africa and Ethiopia [3]. The leap from Gigabud to “GoldFactory operating in Africa” is an attribution inference through the shared-tooling chain [3, 4]; deployment of the wider GoldFactory toolkit (GoldDigger / GoldDiggerPlus / GoldPickaxe) in African markets is not directly documented in the cited reports as of June 2025.
The toolkit includes:
- GoldDigger / GoldDiggerPlus — Android banking trojans built around accessibility-service abuse, fake overlays, and SMS-OTP interception [3, 8, 9]. GoldDiggerPlus embeds a secondary trojan, GoldKefu, with overlay attacks and real-time interactive voice calls to victims [4].
- GoldPickaxe (Android + iOS) — the first iOS banking trojan attributed to the cluster, harvesting facial-biometric video used for downstream AI-generated deepfakes that defeat liveness checks in banking applications [5, 7]. On iOS, distribution uses Apple TestFlight or malicious Mobile Device Management (MDM) profiles rather than App Store delivery [7]. Group-IB’s reporting documents the technique as developed to defeat enhanced facial recognition deployed by Thai banks [4, 5]; deployment of GoldPickaxe in African markets is not directly documented in the cited reports — the inferential bridge is the African banking sector’s parallel investment in biometric authentication, which the same technique is structurally positioned to defeat.
Both rely on the user’s device behaving normally from the backend’s point of view. That assumption is exactly what Execution Evidence Infrastructure (EEI) — the device-identity infrastructure layer for banking and payments — takes away.
Tria Stealer in Nigeria
In June 2025, Nigeria’s Computer Emergency Response Team (ngCERT) issued an alert regarding a highly evasive Android malware campaign in Nigeria dubbed Tria Stealer [10]. The campaign spreads through fake wedding and event invitations shared via WhatsApp and Telegram — distribution channels outside the official app stores. Once installed, Tria Stealer hijacks messaging accounts, intercepts OTPs, steals data from financial applications, and communicates with its C2 over Telegram bots [10].
The Nigerian deployment is sourced from the ngCERT advisory [10]; this article does not extend Kaspersky’s earlier Malaysia/Brunei attribution of Tria Stealer to Nigeria.
Anubis and AhMyth — the persistent baseline
Check Point’s April 2025 most-wanted malware reporting placed Anubis and AhMyth among the most prevalent mobile threats active across eight African countries [11]. Anubis is a mature Android banking trojan that has evolved to include keylogging, ransomware features, and full Remote Access Trojan functionality. AhMyth is an open-source Android RAT, widely adopted because of its accessibility, granting attackers screen capture, camera and microphone surveillance, and SMS interception [11].
Device takeover fraud (DTO)
Increasingly, fraud is executed from the victim’s own device. DTO mimics legitimate user behaviour and is invisible to backend monitoring and fraud-scoring engines. The session looks correct. The transactions look correct. The backend has no way to tell that the user is no longer the one operating the device.
The witness layer sees what the backend cannot. The presence of an active accessibility service, the timing of input events, the stack of the running process — each surfaces as a signal inside the signed evidence record.
Overlay attacks
A wave of overlay-based impersonation continues to target South African banking and welfare services. The attack interfaces mimic official apps; users hand over credentials to a screen that looks correct but is not the one their bank rendered. SABRIC reported a 47% year-on-year rise in financial losses attributable to digital fraud in 2023, with fraud on banking apps accounting for 60% of all digital banking crime [18].
Overlay detection is inside the runtime. The signed evidence declares whether an overlay was active at the moment of input.
Mobile-adjacent IoT — the Android.Vo1d botnet
Android.Vo1d (also known as LinkDoor) compromises Android-based TV boxes and smart TVs. The botnet was first publicly disclosed by Doctor Web in September 2024, with the original report documenting ~1.3 million compromised devices across 197 countries [22]. By early 2025, South Africa was among the most heavily affected countries — over 200,000 compromised devices recorded in YinkoShield’s field instrumentation [21, §VII.B]. These devices are not where transactions execute, but they are where attacker capacity lives: a compromised device on the same Wi-Fi network as a banking session enables Man-in-the-Middle attacks, DNS spoofing to redirect to malicious servers, or direct credential harvesting from unencrypted traffic. The “castle and moat” model that hardens the phone in isolation no longer reflects the actual perimeter [21, §VII.B].
State-aligned activity — the broader influx
Beyond financially motivated crime, China-linked espionage group Sharp Panda (Sharp Dragon) has expanded its targeting to government and strategic sectors in Africa and the Caribbean [14]. The cluster uses compromised email accounts in Southeast Asia to send phishing emails into African targets, deploying Cobalt Strike backdoors. North Korean state-sponsored actor Bluenoroff (Microsoft’s Sapphire Sleet, a Lazarus subgroup also known as APT38) explicitly includes African entities in its financial-sector victimology [16]. Initial-access broker intrusion set CL-CRI-1014, tracked by Palo Alto Networks Unit 42, has been targeting financial organisations across Africa since at least 2023 using PoshC2, Chisel, and Classroom Spy [15]. The Asia-to-Africa attack corridor is not a recent phenomenon — Kaspersky’s 2016 InPage zero-day campaign hit banking targets in Myanmar, Sri Lanka, and Uganda using the same exploit class [13].
Why this is hitting Africa now
Africa’s mobile financial growth has outpaced security investment. Sub-Saharan Africa surpassed two billion registered mobile-money accounts in 2024, with total industry transaction value crossing $1.68 trillion [20]. UNODC reporting names Zambia, Angola, and Namibia as new footholds for Asian crime syndicates seeking less-contested operational zones under enforcement pressure in Cambodia, Laos, and Myanmar [1, 2]. INTERPOL’s 2025 report warns of a sharp rise in cybercrime in Africa linked to inadequate cross-border cooperation capacity [12].
Threat actors arrive with malware honed through years of targeting Asian financial systems, infrastructure built for low detection, and campaigns optimised for stealthy, high-reward fraud.
The result is the falling-rate / rising-loss paradox: TransUnion data shows the rate of suspected digital fraud in South Africa fell from 9.0% in 2020 to 4.6% in 2024, while SABRIC reports financial losses from the same category have surged [18]. Adversaries have moved away from high-volume low-value fraud towards stealthy, low-volume high-value attacks (DTO, deepfake-driven biometric bypass) that evade rate-based risk models. Smile ID reported a sevenfold increase in deepfake videos used in identity-verification impersonation attempts in H2 2024 [19]. In Nigeria, NIBSS reported financial institutions lost an estimated ₦52.26 bn (~$32 m) to fraud in 2024 — a 350% increase since 2020 — even as the number of incidents fell [17].
Detection at the backend is too late.
What the substrate does about it
Each of the threat classes above is observable at the device, at the moment of execution. The runtime measures, the substrate signs, the operator verifies — without YinkoShield in the path. The same evidence record is consumed by the gateway, the issuer, the dispute platform, and the forensic investigator.
Beyond execution evidence, the YinkoShield Threat Report [21, §VIII] recommends:
- Dynamic liveness detection (real-time, unpredictable prompts) to defeat static deepfakes generated by GoldPickaxe-class tooling [5].
- Application-layer hardening: detection and flagging of accessibility-service abuse, anti-overlay detection, and robust code protection against reverse engineering.
- Customer education about social engineering on messaging apps (Tria Stealer-class delivery) [10] and the dangers of installing untrusted MDM profiles (the GoldPickaxe iOS vector) [7].
- Proactive threat-intelligence partnerships with INTERPOL and national CERTs given the documented Asia-to-Africa migration corridor [1, 12].
- Augmenting fraud-detection models with behavioural analytics capable of identifying on-device fraud and DTO scenarios — rate-based models alone misread the falling-rate / rising-loss paradox documented in South Africa and Nigeria [17, 18].
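As an added illustration of the application-layer signals this list and the DTO and overlay sections describe, here is example Kotlin for an Android app (not YinkoShield’s code; `RuntimeSignals`, `RuntimeSignalCollector` and the allowlist are assumptions) that reports enabled accessibility services outside an allowlist and flags touches that arrived through a window drawn over the app.

```kotlin
// Added example, not YinkoShield code. Gathers two on-device signals named in the
// article (active accessibility services, input landing on an obscured window) into a
// plain record that a signing layer could attest. Record and object names are assumptions.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager

// Hypothetical evidence record; signing it is the substrate's job and is out of scope here.
data class RuntimeSignals(
    val unexpectedAccessibilityServices: List<String>,
    val inputObscured: Boolean,
)

object RuntimeSignalCollector {
    // Constructed allowlist: TalkBack is the stock Android screen reader. Any other
    // enabled service is reported as a signal, not blocked, so real assistive users are not locked out.
    private val allowedServicePackages = setOf("com.google.android.marvin.talkback")

    // Flattened "package/class" ids of every accessibility service the user has enabled.
    fun enabledAccessibilityServices(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.id }
    }

    fun unexpectedAccessibilityServices(context: Context): List<String> =
        enabledAccessibilityServices(context)
            .filterNot { id -> allowedServicePackages.any { pkg -> id.startsWith("$pkg/") } }

    // True when the touch passed through another window drawn on top of this one:
    // the overlay-active-at-the-moment-of-input condition. The partial flag exists from API 29.
    fun isInputObscured(event: MotionEvent): Boolean {
        val fully = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partially = (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        return fully || partially
    }

    // Attach to a sensitive control (PIN pad, transfer button). Each press is reported to
    // the caller; obscured touches are swallowed, clean ones reach the control normally.
    fun instrument(view: View, onSignals: (RuntimeSignals) -> Unit) {
        view.setOnTouchListener { v, event ->
            val signals = RuntimeSignals(unexpectedAccessibilityServices(v.context), isInputObscured(event))
            if (event.action == MotionEvent.ACTION_DOWN) onSignals(signals)
            signals.inputObscured
        }
    }
}
```

Call `RuntimeSignalCollector.instrument(confirmButton) { signals -> /* hand to the evidence layer */ }` from the screen that renders the sensitive control; the listener never consumes a clean touch, so normal click handling is unaffected.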
A closing observation
The threat is not new. The geography is. Operators that protect African financial estates are inheriting a war already fought elsewhere. Backend systems will not see it. The device will. Execution Evidence Infrastructure (EEI) — the device-identity infrastructure layer for banking and payments — is how this remains observable, attributable, and defendable.
Cross-references in this theme
For the technical mechanics behind each attack class named above:
- Overlay attacks → overlay-injection
- Accessibility-service abuse → accessibility-service-abuse
- Hooking attempts against the banking call → library-injection-frida-xposed, magisk-zygisk-modules
- Side-loaded payloads / installation trust basis → /architecture/zero-trust-bootstrap
Full report
The complete field report is published as a PDF: The New Frontier — How advanced malware from Asia is targeting Africa’s financial sector (v1, June 2025).
External references
[1] UNODC. Cyberfraud in the Mekong reaches inflection point, UNODC reveals. 2025. unodc.org. Cited 2025-06-30.
[2] Al Jazeera. A cancer: UN warns Asia-based cybercrime syndicates expanding worldwide. April 2025. aljazeera.com. Cited 2025-06-30.
[3] VNCS. GoldDigger and Gigabud Android Banking Trojans — same cybercriminal, new tricks. 2025. vncs.vn. Cited 2025-06-30.
[4] The Hacker News. Chinese hackers using deepfakes in advanced mobile banking malware attacks. 2024. thehackernews.com. Cited 2025-06-30.
[5] Group-IB. Face Off — Group-IB identifies first iOS trojan stealing facial recognition data (GoldPickaxe). 2024. group-ib.com. Cited 2025-06-30.
[6] Group-IB. GoldFactory — masked actors profile. group-ib.com. Cited 2025-06-30.
[7] Infosecurity Magazine. GoldPickaxe trojan uses biometric data and deepfake tech to scam banks. 2024. infosecurity-magazine.com. Cited 2025-06-30.
[8] The Hacker News. GoldDigger Android trojan targets banking apps in Asia-Pacific countries. 2023. thehackernews.com. Cited 2025-06-30.
[9] CybersecurityAsia. Group-IB uncovers GoldDigger trojan targeting 50+ Vietnamese banks. 2023. cybersecurityasia.net. Cited 2025-06-30.
[10] Nairametrics / ngCERT. ngCERT alerts Nigerians to new Android malware targeting WhatsApp and banking apps (Tria Stealer). June 2025. nairametrics.com. Cited 2025-06-30.
[11] Itedge News (Check Point research). April 2025 most-wanted malware — eight African countries among the world’s most-targeted. 2025. itedgenews.africa. Cited 2025-06-30.
[12] INTERPOL. New INTERPOL report warns of sharp rise in cybercrime in Africa. 2025. interpol.int. Cited 2025-06-30.
[13] Kaspersky. Asian and African banks attacked using a zero-day vulnerability (InPage). 2016. usa.kaspersky.com. Cited 2025-06-30.
[14] The Hacker News. New Frontiers, Old Tactics — Chinese espionage group (Sharp Panda) targets Africa & Caribbean governments. 2024. thehackernews.com. Cited 2025-06-30.
[15] Palo Alto Networks Unit 42. Cybercriminals abuse open-source tools to target Africa’s financial sector (CL-CRI-1014). unit42.paloaltonetworks.com. Cited 2025-06-30.
[16] Sekoia. Cyber threats impacting the financial sector in 2024 — focus on the main actors. 2024. blog.sekoia.io. Cited 2025-06-30.
[17] FAnews / TransUnion. Digital fraud trends in Africa — NIBSS Nigeria fraud data 2024. 2025. fanews.co.za. Cited 2025-06-30.
[18] BankservAfrica. SABRIC reports significant increase in financial crime losses for 2023. 2024. bankservafrica.com. Cited 2025-06-30.
[19] Smile ID. 2025 Digital Identity Fraud in Africa Report. 2025. usesmileid.com. Cited 2025-06-30.
[20] GSMA. The State of the Industry Report on Mobile Money 2025. 2025. gsma.com. Cited 2025-06-30.
[21] YinkoShield. The New Frontier — How advanced malware from Asia is targeting Africa’s financial sector (v1, June 2025). yinkoshield.github.io/publications. Cited 2025-07-15. Sections referenced: §VII.B (mobile-adjacent IoT and Android.Vo1d), §VIII (strategic recommendations).
[22] Doctor Web. Android.Vo1d backdoor compromises 1.3M Android-based TV boxes. September 2024. news.drweb.com/show/?i=14900. Cited 2025-07-15.