A recent investigation by The Economist pulls back the curtain on how online fraud operations are getting faster and more dangerous. Scam groups now rely on malware-as-a-service (MaaS) spyware that turns a simple click into full device takeover — often draining bank accounts within seconds.
At vali.now we’ve covered the rise of these threats before – from tricky SMS phishing messages to AI deepfakes that make impersonation even more convincing. This new development fits right into that pattern: skilled developers create advanced tools and rent them out, letting lower-skilled operators run sophisticated attacks at scale.
How These Attacks Actually Work
The process starts with classic social engineering but ends with technical precision. Fraudsters, often linked to large scam compounds in Southeast Asia (such as Cambodia’s K99 Triumph City), impersonate trusted entities – tax offices, police, banks, or government agencies. They send messages via WhatsApp, Facebook, SMS, or local apps like Zalo, sometimes using personal details stolen from earlier breaches to sound legitimate.
The message pushes an “urgent” action: update your tax records, verify your account, or install a new app. The link leads to a convincing fake site that serves up a malicious Android APK. Once installed, the Trojan goes to work quietly. It can:
- Access banking apps and drain funds in real time
- Read contacts, messages, photos, notes, and even capture biometrics
- Scan for new victims among your connections
- Install additional malware
Victims like accountant Ambar Nigrum in Indonesia lost hundreds of millions of rupiah meant for charity work. In Vietnam, a teacher lost $65,000 in moments. The same malware family has hit targets in more than 20 countries across Asia, Europe, Africa, and Latin America.
What makes this possible is the MaaS model. Chinese-speaking developers build and maintain the spyware, then sell or rent it on Telegram channels with updates, customization options, and support. Buyers – often organized crime groups running compounds that use trafficked workers – don’t need to write code themselves. They just deploy the ready-made tool. This setup turns fraud into an industrial process.
The Scale and Growth of the Malware-as-a-Service Economy
Exact numbers for the underground MaaS market are hard to pin down because it operates on dark-web forums, uses crypto payments, and relies on profit-sharing. But the broader online fraud industry, heavily boosted by these tools, now pulls in hundreds of billions annually, comparable in scale to the global illegal drugs trade.
Overall, cybercrime costs have reached staggering levels. Estimates for 2025–2026 put annual global damages in the range of $1.2–1.5 trillion or higher, with some longstanding projections exceeding $10 trillion when including indirect economic impacts. MaaS is a major accelerator: it lowers the technical barrier, enabling more actors to launch high-impact attacks, while developers profit from subscriptions and updates.
Evidence of rapid growth shows up in technical data. Infoblox researchers saw malicious DNS queries from one MaaS cluster jump from around 400,000 in March 2025 to 1.8 million the following month. The operation keeps adding new domains, language support, and features – including better evasion of security tools and potential for extortion using stolen personal data. This matches trends we’ve seen in AI-assisted scams: faster execution, wider reach, and constant evolution.
Practical Steps to Protect Yourself
The good news is that these attacks still rely on that first human mistake – clicking a link or installing an unverified app. Here’s what actually works in practice:
Before anything happens
- Treat any unsolicited message about taxes, police matters, bank issues, or urgent updates as suspicious by default. Never click the links.
- Go directly to the official website or app yourself – type the address manually or use a bookmark.
- Download apps only from Google Play or the Apple App Store. Avoid APKs sent through messaging apps.
- Turn on transaction alerts for your bank accounts and use app-based two-factor authentication wherever possible.
- Keep your phone’s operating system and apps up to date.
If you receive something doubtful, forward it straight to help@vali.now. We’ll review it quickly and tell you clearly whether it’s safe, suspicious, or a confirmed scam. This service is free for individuals for an initial check.
If you think you’ve been infected
- Contact your bank or financial institution immediately – ask them to freeze your accounts and investigate your transactions.
- Disconnect the device from the internet (airplane mode or power it off) to limit further damage.
- Run a scan with trusted security software from a clean device if possible, or do a factory reset.
- Change all important passwords from a different, trusted device.
- Report the incident to local police and your country’s cybercrime reporting center – it helps track these larger operations.
These recommendations build on the same core advice we’ve shared in earlier pieces about spotting fake messages and dealing with deepfake threats: verify independently and act fast.
Wrapping Up
MaaS has turned parts of Scam, Inc. into something closer to a professional service industry, complete with developers, operators, and forced labor in compounds. But the entry point remains preventable with basic caution and quick verification.
If something feels off, don’t hesitate. Send it our way at help@vali.now or check vali.now for more resources. We’re here to help individuals and businesses cut through the noise and stay safer in an ever-changing landscape.
Stay sharp, verify first, and remember: the strongest defense is still not letting the malware onto your device in the first place.
