
Cybercriminals associated with a financially motivated group known as GoldFactory have been observed launching new attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.
The activity, which has been observed since October 2024, involves the distribution of modified banking applications that act as a conduit for Android malware, Group-IB said in a technical report issued on Wednesday.
GoldFactory, which has been assessed to be active as far back as June 2023, first gained attention early last year when the Singapore-based cybersecurity firm detailed threat actors’ use of custom malware families including GoldPickaxe, GoldDigger, and GoldDiggerPlus, which targeted both Android and iOS devices.
Evidence indicates that GoldFactory is an organized Chinese-speaking cybercriminal group with close ties to Gigabud, another Android malware discovered in mid-2023. GoldDigger and Gigabud have been found to have similar spoofed targets and landing pages, despite significant differences in their codebases.
The first cases of the latest attack wave were detected in Thailand, and the threat then appeared in Vietnam by late 2024 to early 2025, and Indonesia from mid-2025 onwards.

Group-IB said it has identified more than 300 unique samples of modified banking applications that have caused approximately 2,200 infections in Indonesia. Further investigation uncovered more than 3,000 artifacts believed to have caused more than 11,000 infections. Approximately 63% of the compromised banking apps are for the Indonesian market.
In simple terms, the infection chain involves impersonating a government agency or trusted local brand, cold-calling a potential target, and instructing them to open a link sent through a messaging app such as Zalo, which installs the malware.
In at least one incident recorded by Group-IB, scammers posed as Vietnam’s state electricity company EVN and urged victims to pay overdue electricity bills or face immediate disconnection. During the call, the attacker reportedly asked the victim to add them on Zalo in order to receive a link to download the app and link their account.

These links redirect victims to fake landing pages disguised as Google Play Store app listings, resulting in the deployment of remote access trojans such as Gigabud, MMRat, or Remo, the last of which surfaced earlier this year using the same tactics as GoldFactory. These droppers pave the way for the main payload, which abuses Android’s accessibility services to facilitate remote control.
“The malware […] is based on the original mobile banking application,” said researchers Andrei Polovinkin, Sharmin Lo, Ha Thi Thu Nguyen and Pavel Naumov. “It works by injecting malicious code only into parts of the application, allowing the original application to retain its normal functionality. The functionality of the injected malicious module varies depending on the target, but it primarily bypasses the security features of the original application.”
Specifically, it works by hooking into the application’s logic to execute the malicious code. Three distinct malware families were identified based on the framework the modified applications use to install runtime hooks: FriHook, SkyHook, and PineHook. Regardless of these differences, the modules have overlapping functionality, allowing them to:
- Hide the list of applications with accessibility services enabled
- Prevent screencast detection
- Spoof the Android application signature
- Hide the installation source
- Implement a custom integrity token provider and retrieve the victim’s account balance
SkyHook leverages the publicly available Dobby framework to run hooks, while FriHook employs the Frida gadget that is inserted into legitimate banking applications. PineHook, as its name suggests, utilizes a Java-based hooking framework called Pine.
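As an added triage check (this is not code from Group-IB's report or from any of the projects named above): an APK is a ZIP archive, so a short Python script can look for the default artifacts these three frameworks leave behind when they are bundled into a repackaged app. The indicators used here are assumptions drawn from each framework's public defaults (the Frida gadget's library name and the "frida" strings it carries, Dobby's exported DobbyHook/DobbyInstrument symbols, and Pine's top.canyie.pine package), and the sample APKs are constructed in memory. A repackager can rename libraries, strip symbols or obfuscate classes, so a negative result is not a clean bill of health; a positive one is a reason to pull the sample for manual analysis.

```python
import io
import zipfile
from typing import Dict, List

# Heuristic indicators for the three hooking frameworks named in the report.
# Assumed from each framework's default artifact and symbol names; an attacker
# can rename libraries and obfuscate classes, so "nothing found" proves nothing.
INDICATORS: Dict[str, Dict[str, List[bytes]]] = {
    "FriHook (Frida gadget)": {
        "paths": [b"frida-gadget"],
        "strings": [b"frida", b"gum-js-loop"],
    },
    "SkyHook (Dobby)": {
        "paths": [b"libdobby.so"],
        "strings": [b"DobbyHook", b"DobbyInstrument"],
    },
    "PineHook (Pine)": {
        "paths": [b"libpine.so"],
        "strings": [b"Ltop/canyie/pine/", b"top.canyie.pine"],
    },
}


def _is_interesting(name: str) -> bool:
    """Only native libraries and DEX bytecode are worth string-scanning."""
    return name.startswith("lib/") or (name.startswith("classes") and name.endswith(".dex"))


def scan_apk(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Return {framework: [evidence, ...]} for every indicator found in the APK.

    The archive listing catches dropped-in libraries by name; the raw bytes of
    lib/*.so and classes*.dex catch symbol names and class descriptors even
    when the library itself has been renamed.
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lowered = name.lower().encode()
            body = zf.read(name) if _is_interesting(name) else b""
            for framework, ind in INDICATORS.items():
                for p in ind["paths"]:
                    if p in lowered:
                        findings.setdefault(framework, []).append(f"path {name}")
                for s in ind["strings"]:
                    if s in body:
                        findings.setdefault(framework, []).append(
                            f"string {s.decode()} in {name}")
    return findings


def build_sample_apk(tampered: bool) -> bytes:
    """Constructed, minimal stand-in for a repackaged banking APK.

    Not a real app: just the ZIP layout with placeholder contents, so the
    scanner can be exercised offline. The tampered variant mimics an injected
    Pine loader class plus a Frida gadget dropped next to the app's own libs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.bank'/>")
        zf.writestr("lib/arm64-v8a/libbank.so", b"\x7fELF legitimate native code")
        dex = b"dex\n035\x00Lcom/example/bank/MainActivity;"
        if tampered:
            dex += b"Ltop/canyie/pine/Pine;Lcom/example/bank/Hook;"
            zf.writestr("lib/arm64-v8a/libfrida-gadget.so",
                        b"\x7fELF ... frida-gadget gum-js-loop ...")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, tampered in (("clean", False), ("tampered", True)):
        print(label, scan_apk(build_sample_apk(tampered)))
```

To run this against real samples, replace `build_sample_apk` with the bytes of the APK under review; keep the indicator table as a starting point and extend it with whatever loader class or library names turn up in your own analysis.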

Group-IB said its analysis of the malicious infrastructure built by GoldFactory also uncovered a pre-release test build of a new Android malware variant called Gigaflower, which is likely a successor to the Gigabud malware.
Gigaflower supports approximately 48 commands that enable real-time streaming of the screen and device activity over WebRTC, weaponizes accessibility services for keylogging, reading user interface content, and performing gestures, and collects personal information by presenting fake screens that mimic system updates, PIN prompts, and account registration, using built-in text recognition to extract data from images of ID cards.
A QR code scanner function for reading the QR codes printed on Vietnamese ID cards is also under development, presumably to simplify the retrieval of the victim’s details.
Interestingly, GoldFactory appears to have ditched the custom-built iOS trojan and taken the unusual approach of instructing victims to borrow an Android device from a family member or relative to continue the process. The trigger for this shift is not clear at this time, but it is believed to be due to increased security measures and app store moderation in iOS.
“While previous campaigns have focused on abusing KYC processes, recent activity indicates that they are directly patching legitimate banking applications to commit fraud,” the researchers said. “Modifying trusted banking applications using legitimate frameworks such as Frida, Dobby, and Pine represents a sophisticated, low-cost approach that allows cybercriminals to bypass traditional detection and quickly scale their operations.”
