
[
Report
]
How Advanced Malware from Asia Is Targeting Africa’s Financial Sector
Deep dive into threats in Africa
Jul 3, 2025
A 2025 Threat Intelligence Report by YinkoShield Threat Lab
Overview
In 2025, Africa’s fast-growing mobile-first financial ecosystem is facing a new generation of threats: highly advanced malware imported from Asia.
Threat actors previously active in Vietnam and elsewhere in Southeast Asia are now deploying AI-powered malware, biometric deepfakes, and targeted overlay attacks, all specifically adapted to exploit African banks, fintech platforms, and government-linked mobile services.
This report examines the actors, techniques, and malware families now active across the continent — and provides strategic recommendations for strengthening mobile app security in this rapidly evolving landscape.
Key Findings
1. GoldFactory Expands to Africa
GoldFactory, a Chinese-speaking cybercrime group, is now operational in South Africa and Ethiopia.
Their malware toolkit includes:
GoldDiggerPlus – A mobile banking trojan that uses fake overlays and real-time manipulation.
GoldPickaxe – Malware that captures facial video and bypasses biometric authentication using AI-generated deepfakes.
2. Localized Social Engineering in Nigeria
Tria Stealer is spreading rapidly as APKs shared through WhatsApp and Telegram, sideloaded outside official app stores and so bypassing their protections.
Once installed, it:
Masquerades as local event apps or utilities
Harvests OTPs and financial credentials
Takes over messaging apps for further propagation
3. Device Takeover Fraud
Threat actors are increasingly executing fraud directly from the victim’s own device rather than from attacker-controlled infrastructure, sidestepping traditional detection systems.
Device Takeover (DTO) fraud mimics legitimate user behavior: transactions originate from the enrolled device, with its expected fingerprint, network, and authenticated session
Often invisible to backend monitoring or fraud-scoring engines that rely on device, location, or behavioral anomalies
4. Overlay Attacks Resurface
A wave of overlay-based impersonation is targeting South African banking and welfare services.
Common targets include pension distribution and subsidy platforms
Interfaces closely mimic official apps, tricking users into sharing credentials
5. Botnet Expansion Through IoT Devices
Malware such as Android.VO1D is actively compromising:
Android-powered smart TVs
Household IoT devices
These devices are being integrated into larger botnet infrastructures, increasing persistence and attack reach.
Strategic Implications
Africa’s mobile financial growth has outpaced security investment — and threat actors are taking full advantage.
They bring:
Malware honed through years of targeting Asian financial systems
Infrastructure built for low detection and rapid adaptation
Campaigns optimized for high-reward, stealthy fraud
The result: declining detection rates, rising financial losses, and growing systemic risk across the mobile financial ecosystem.
Recommended Actions
To respond to these evolving threats, organizations should:
Implement real-time biometric liveness detection
Monitor and block abuse of Accessibility Services and overlays
Integrate anti-repackaging and runtime integrity checks into all Android apps
Educate users about social engineering threats on messaging platforms
Track Asia-based malware trends to anticipate attack migration
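As an added illustration of the second and third recommendations above (not code from the YinkoShield report), the following Android class shows three client-side checks a banking app can run before it shows a login, OTP, or transfer screen: enumerating enabled accessibility services against an allowlist, verifying the APK’s signing certificate against a pinned hash to catch repackaging, and hardening a sensitive window against overlays and screen capture. The pinned hash value and the allowlist contents are placeholders.

```java
// Added example, not from the YinkoShield report. Client-side checks an Android
// banking app can run before it shows a login, OTP or transfer screen.
// Assumptions (hypothetical): EXPECTED_SIGNER_SHA256 is the SHA-256 of the app's
// release signing certificate, pinned at build time, and ACCESSIBILITY_ALLOWLIST
// names the accessibility services the bank chooses to tolerate.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.view.View;
import android.view.Window;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class InAppProtectionChecks {

    // Hypothetical pinned value; replace with the real release certificate hash.
    private static final String EXPECTED_SIGNER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Hypothetical allowlist: accessibility services the bank accepts (e.g. TalkBack).
    private static final List<String> ACCESSIBILITY_ALLOWLIST = Arrays.asList(
            "com.google.android.marvin.talkback");

    private InAppProtectionChecks() {}

    /** Enabled accessibility services not on the allowlist, as "package/service" ids. */
    public static List<String> suspiciousAccessibilityServices(Context ctx) {
        List<String> flagged = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return flagged;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId();                   // "package/serviceClass"
            String pkg = id.substring(0, id.indexOf('/'));
            if (!ACCESSIBILITY_ALLOWLIST.contains(pkg)) flagged.add(id);
        }
        return flagged;
    }

    /** Anti-repackaging: true only if one of the APK's signers matches the pinned certificate. */
    public static boolean signerMatchesPinned(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                signers = pi.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                signers = pi.signatures;
            }
            for (Signature s : signers) {
                if (sha256Hex(s.toByteArray()).equalsIgnoreCase(EXPECTED_SIGNER_SHA256)) return true;
            }
        } catch (Exception e) {
            // Any failure counts as a mismatch; never fail open.
        }
        return false;
    }

    /** Overlay and screen-capture hardening for a window that shows credentials or OTPs. */
    public static void hardenSensitiveWindow(Window window, View sensitiveView) {
        // Discard touches delivered while another window is drawn over this view (tapjacking).
        sensitiveView.setFilterTouchesWhenObscured(true);
        // Android 12+: hide non-system overlay windows while this window is on screen.
        // Needs the normal permission android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true);
        }
        // Block screenshots and screen recording of this window.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    private static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Call hardenSensitiveWindow(getWindow(), otpField) from the activity’s onCreate, and run the other two checks before login, reporting their results to the backend rather than only deciding locally. These on-device checks are signals, not proof: malware that already holds accessibility or root privileges can tamper with them, so pair them with server-side attestation of the app and device and with the biometric liveness checks the report recommends.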
Download the Full Report
This report provides a complete breakdown of the most active malware families, threat actor tactics, and actionable strategies to protect mobile apps across the African financial landscape.
[
benefits
]
Why choose
in-app protection?
Targeted Protection
YinkoShield's innovative approach focuses on delivering precise, tailored security solutions, ensuring your specific needs are met with unparalleled accuracy.
Seamless Integration
Benefit from YinkoShield's seamless integration that enhances your systems without complication, offering an effortless setup and user-friendly experience.
Advanced Security Features
YinkoShield stands out with its advanced features like true device identity and apartment-level geolocation, setting a new standard for in-app protection.
[
Get started
]
Advance your security journey with us

