YinkoShield

Knowledge Center / threat intelligence · 2025·07

How advanced malware from Asia is targeting Africa's financial sector

Africa's mobile-first financial ecosystem is now the target of malware honed for years against Asian banks. We see it in the field — overlays, biometric deepfakes, device takeover, and a quiet expansion of botnets. This is what the substrate observes.

What we are seeing

In 2025, the malware tooling that previously lived in Vietnamese and broader Southeast Asian fraud campaigns has migrated. The operators are the same. The attack surfaces are similar. The estates are African.

The runtime sees the symptoms first — an accessibility service that should not be active, an overlay that does not match the host application, a hooking attempt against a banking call. By the time backend fraud scoring would catch a pattern, our substrate has already signed the deviation.

The actors

GoldFactory expands to Africa

GoldFactory, a Chinese-speaking cybercrime group, is now operational in South Africa and Ethiopia. Their toolkit:

  • GoldDiggerPlus — a mobile banking trojan built around fake overlays and real-time UI manipulation.
  • GoldPickaxe — captures facial video and bypasses biometric authentication via AI-generated deepfakes.

Both rely on the user’s device behaving normally from the backend’s point of view. That assumption is exactly what execution evidence takes away.

Tria Stealer in Nigeria

Tria Stealer is spreading through WhatsApp and Telegram — distribution channels outside the official app stores. Once installed it masquerades as local event apps or utilities, harvests OTPs, and takes over messaging applications to propagate.

It is a side-loaded threat. The runtime declares the trust basis of the host app’s installation; a side-loaded payload cannot forge a legitimate one.

Device takeover fraud (DTO)

Increasingly, fraud is executed from the victim’s own device. DTO mimics legitimate user behaviour and is invisible to backend monitoring or fraud scoring engines. The session looks correct. The transactions look correct. The backend has no way to tell that the user is no longer the one operating the device.

The witness layer sees what the backend cannot. The presence of an active accessibility service, the timing of input events, the stack of the running process — each surfaces as a signal inside the signed evidence record.

Overlay attacks resurface

A wave of overlay-based impersonation is targeting South African banking and welfare services. The attack interfaces mimic official apps; users hand over credentials to a screen that looks correct but is not the one their bank rendered.

Overlay detection is inside the runtime. The signed evidence declares whether an overlay was active at the moment of input.

IoT botnet expansion — Android.VO1D

Malware such as Android.VO1D is compromising Android-powered smart TVs and household IoT devices, integrating them into botnet infrastructure. These devices are not where transactions execute, but they are where attacker capacity lives.

Why this is hitting Africa now

Africa’s mobile financial growth has outpaced security investment. Threat actors arrive with malware honed through years of targeting Asian financial systems, infrastructure built for low detection, and campaigns optimised for stealthy, high-reward fraud.

The result: declining detection rates, rising financial losses, and growing systemic risk across the mobile financial ecosystem. Detection at the backend is too late.

What the substrate does about it

Each of the threat classes above is observable at the device, at the moment of execution. The runtime measures, the substrate signs, the operator verifies — without us in the path. The same evidence record is consumed by the gateway, the issuer, the dispute platform, and the forensic investigator.

What we recommend, beyond execution evidence:

  • Real-time biometric liveness detection.
  • Monitoring and blocking accessibility-service abuse and overlays at the runtime.
  • Anti-repackaging and runtime-integrity checks in every Android application.
  • User education on social-engineering threats over messaging platforms.
  • Tracking Asia-based malware trends to anticipate migration before it lands.
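As an added illustration (not YinkoShield's runtime, whose code is not published), the Kotlin below shows how an Android app can read the device-side signals named under device takeover, overlays and the recommendations above: enabled accessibility services, whether the touched window was obscured by another app's overlay, and who installed the host app. The record layout, field names and the trustedInstallers set are this example's own assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.MotionEvent
import android.view.accessibility.AccessibilityManager

// Device-side signals captured at the moment of one input event.
// Field names below are this example's assumption, not a documented record format.
object DeviceSignals {
    // Accessibility services the OS reports as enabled. TalkBack and similar
    // legitimate services also appear here, so treat this as a signal, not a verdict.
    fun enabledAccessibilityServices(ctx: Context): List<String> {
        val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.id } // "package/.ServiceClass"
    }

    // True when another window covered this one (fully or, from API 29, partially)
    // at the time the touch was delivered: the overlay condition the text describes.
    fun touchWasObscured(event: MotionEvent): Boolean {
        val fully = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partially = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        return fully || partially
    }

    // Package that installed the host app; null means side-loaded or unknown.
    @Suppress("DEPRECATION")
    fun installerPackage(ctx: Context): String? = runCatching {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R)
            ctx.packageManager.getInstallSourceInfo(ctx.packageName).installingPackageName
        else
            ctx.packageManager.getInstallerPackageName(ctx.packageName)
    }.getOrNull()

    // Assemble the signals for one input event. Signing and transport are out of scope here.
    fun evidenceFor(ctx: Context, event: MotionEvent, trustedInstallers: Set<String>): Map<String, Any?> {
        val services = enabledAccessibilityServices(ctx)
        val installer = installerPackage(ctx)
        return mapOf(
            "accessibility_services" to services,
            "accessibility_active" to services.isNotEmpty(),
            "touch_obscured" to touchWasObscured(event),
            "installer" to installer,
            "installer_trusted" to (installer != null && installer in trustedInstallers),
            "event_time_ms" to event.eventTime,   // input timing, as the DTO section notes
            "event_down_time_ms" to event.downTime,
        )
    }
}
```

A view can additionally call setFilterTouchesWhenObscured(true) so obscured touches are dropped outright rather than only recorded; the record above is what a backend or investigator would consume, since it cannot observe these conditions itself.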

A closing observation

The threat is not new. The geography is. Operators that protect African financial estates are inheriting a war already fought elsewhere. Backend systems will not see it. The device will. The substrate that signs what executed on the device is how this remains observable, attributable, and defendable.