Warning: Banking Trojan Attacks Target Android Users in Vietnam
- 24/09/2025
A new wave of cyberattacks with a high level of sophistication is directly targeting Android users in Vietnam and Indonesia. According to researchers from DomainTools, financially motivated cybercriminals are distributing banking trojans disguised as fake government and payment applications.
The dangerous aspect of this campaign lies in the advanced evasion techniques used by the attackers. They created fake Google Play Store websites that closely mimic the official app marketplace. When victims click “download,” instead of receiving a direct download link, the page opens a WebSocket connection. The installation file (.apk) is then delivered over that connection in small fragments, behind a fake progress bar. This method successfully tricks users while bypassing firewalls and automated security systems that expect a single file download.
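The fragmented delivery described above defeats per-request inspection because no single WebSocket frame looks like an APK; a sensor has to reassemble the stream and recognise the file by structure. The following detection example is added here (it is not code from the original article or from DomainTools) and uses a constructed, harmless APK-shaped ZIP as its sample payload:

```python
import io
import zipfile

# Added detection example: reassemble an APK that arrives in small WebSocket
# fragments and recognise it by structure rather than by a download URL.
# The sample payload is constructed for this demo; it is not real malware.
APK_REQUIRED_ENTRIES = {"AndroidManifest.xml", "classes.dex"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def build_sample_apk() -> bytes:
    """Construct a minimal APK-shaped ZIP (constructed sample, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='sample.fake'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def fragment(data: bytes, size: int) -> list[bytes]:
    """Split a payload into fixed-size chunks, mimicking the fragmented delivery."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def first_fragment_hint(frame: bytes) -> bool:
    """Cheap per-frame signal: a ZIP local-file header at the start of the stream."""
    return frame.startswith(ZIP_LOCAL_HEADER)

def looks_like_apk(blob: bytes) -> bool:
    """True when a byte blob parses as a ZIP carrying the entries every APK has."""
    if not blob.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except (zipfile.BadZipFile, EOFError, OSError, ValueError):
        return False  # truncated or not a ZIP: a lone fragment always lands here
    return APK_REQUIRED_ENTRIES.issubset(names)

def inspect_stream(frames: list[bytes]) -> dict:
    """Inspect a captured sequence of binary WebSocket frames from one connection."""
    blob = b"".join(frames)
    return {
        "fragments": len(frames),
        "bytes": len(blob),
        "early_hint": bool(frames) and first_fragment_hint(frames[0]),
        "per_fragment_detected": any(looks_like_apk(f) for f in frames),
        "reassembled_is_apk": looks_like_apk(blob),
    }

if __name__ == "__main__":
    print(inspect_stream(fragment(build_sample_apk(), 64)))
```

The `per_fragment_detected` field stays false while `reassembled_is_apk` is true, which is exactly the gap the attackers rely on: only the first frame gives an early hint, and a verdict needs the whole stream.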

The malware being spread is primarily variants of BankBot – a notorious banking trojan whose source code was leaked in 2016. These variants can display fake login screens to steal account credentials, intercept SMS messages to bypass two-factor authentication, and harvest sensitive payment data directly from the device.
Analysis shows that the threat actors maintain hundreds of domains with consistent infrastructure. These domains are typically registered via Gname[.]com Pte. Ltd., use nameservers like share-dns[.]net or Cloudflare, and are hosted by providers such as Alibaba or Scloud in Singapore and Indonesia. On average, a new domain is registered and activated in just over 10 hours, mostly during business hours in East Asia — suggesting that the operators may be based in the region.
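A defender hunting for related domains can encode the pattern above (registrar, nameserver, hosting location, registration timing and registration-to-activation delay) as a check over WHOIS and passive-DNS records. The example below is added here and is not the researchers' tooling; its records are constructed, and it assumes "East Asia business hours" means 09:00 to 18:00, Monday to Friday, at UTC+8:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
# Added hunting example: test domain records against the infrastructure pattern
# reported above and reproduce its timing statistics. Records are constructed; real
# ones come from WHOIS/passive DNS. Assumed: business hours = 09:00-18:00 Mon-Fri, UTC+8.
EAST_ASIA = timezone(timedelta(hours=8))
UTC = timezone.utc
REGISTRAR = "gname.com pte. ltd."
NS_SUFFIXES = ("share-dns.net", "cloudflare.com")
HOSTING = {("alibaba", "SG"), ("alibaba", "ID"), ("scloud", "SG"), ("scloud", "ID")}
@dataclass
class DomainRecord:
    name: str
    registrar: str
    nameservers: list[str]
    hoster: str               # hosting provider label from the IP lookup
    country: str              # ISO code of the hosting IP's location
    registered_at: datetime   # timezone-aware, UTC
    activated_at: datetime    # first time the site served content

def matches_infrastructure(rec: DomainRecord) -> bool:
    """Registrar, nameserver and hosting all fit the reported pattern."""
    ns_ok = any(ns.lower().rstrip(".").endswith(NS_SUFFIXES) for ns in rec.nameservers)
    return (rec.registrar.lower() == REGISTRAR and ns_ok
            and (rec.hoster.lower(), rec.country.upper()) in HOSTING)

def in_business_hours(ts: datetime) -> bool:
    local = ts.astimezone(EAST_ASIA)
    return local.weekday() < 5 and 9 <= local.hour < 18

def summarize(records: list[DomainRecord]) -> dict:
    """Matching count, mean registration-to-activation delay (h), business-hours share."""
    hits = [r for r in records if matches_infrastructure(r)]
    if not hits:
        return {"matching": 0, "mean_delay_hours": None, "business_hours_share": None}
    delays = [(r.activated_at - r.registered_at).total_seconds() / 3600 for r in hits]
    return {"matching": len(hits),
            "mean_delay_hours": round(mean(delays), 1),
            "business_hours_share": sum(in_business_hours(r.registered_at) for r in hits) / len(hits)}

SAMPLE = [  # constructed records, not real indicators
    DomainRecord("store-lookalike-1.test", "Gname.com Pte. Ltd.", ["ns1.share-dns.net"], "Alibaba", "SG",
                 datetime(2025, 9, 1, 2, 0, tzinfo=UTC), datetime(2025, 9, 1, 12, 30, tzinfo=UTC)),
    DomainRecord("store-lookalike-2.test", "Gname.com Pte. Ltd.", ["ada.ns.cloudflare.com"], "Scloud", "ID",
                 datetime(2025, 9, 2, 20, 0, tzinfo=UTC), datetime(2025, 9, 3, 5, 30, tzinfo=UTC)),
    DomainRecord("unrelated-site.test", "Example Registrar", ["ns.example.net"], "Other", "US",
                 datetime(2025, 9, 2, 3, 0, tzinfo=UTC), datetime(2025, 9, 2, 4, 0, tzinfo=UTC)),
]
```

A match on infrastructure alone is weak evidence, since Cloudflare and Alibaba host plenty of legitimate sites; the timing fields are what make the pattern worth pivoting on.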
However, sophistication does not mean perfection. Some fake websites reveal sloppy mistakes. For example, a counterfeit Indonesian tax app called M-Pajak contained a mix of languages ranging from Thai, Vietnamese, Portuguese, to Indonesian, indicating careless use of pre-made templates.
For Vietnamese users, this threat is particularly alarming. Fake apps often use names that closely resemble popular local services, making it easy for users to mistakenly install them. Once infected, victims risk losing personal financial data, having their bank accounts drained, or being exploited for fraudulent transactions.
To reduce risks, experts strongly recommend downloading apps only from the official Google Play Store or other trusted marketplaces, carefully checking developer information and download counts before installing. Enabling two-factor authentication, monitoring bank account activity regularly, and keeping devices updated are essential defensive measures. For businesses and banks, issuing proactive warnings to customers about fake apps can significantly limit the damage.
This banking trojan campaign is a stark reminder of the increasing sophistication of cybercrime. By combining advanced evasion techniques with psychological manipulation, attackers can easily compromise users with just a single tap. As Vietnam remains a prime target, staying vigilant and cautious with every app installation becomes the very first — and most important — shield to protect digital assets.