Thursday, December 4, 2025

GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections


Cybercriminals linked to a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.

The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical report published Wednesday.

Assessed to be active as far back as June 2023, GoldFactory first gained attention early last year, when the Singapore-headquartered cybersecurity company detailed the threat actor's use of custom malware families like GoldPickaxe, GoldDigger, and GoldDiggerPlus targeting both Android and iOS devices.

Evidence points to GoldFactory being a well-organized Chinese-speaking cybercrime group with close connections to Gigabud, another Android malware that was observed in mid-2023. Despite major disparities in their codebases, both GoldDigger and Gigabud have been found to share similarities in their impersonation targets and landing pages.

The first cases in the latest attack wave were detected in Thailand, with the threat subsequently appearing in Vietnam by late 2024 and early 2025 and in Indonesia from mid-2025 onwards.


Group-IB said it has identified more than 300 unique samples of modified banking applications that have led to almost 2,200 infections in Indonesia. Further investigation has uncovered over 3,000 artifacts that it said led to at least 11,000 infections. About 63% of the altered banking apps cater to the Indonesian market.

The infection chains, in a nutshell, involve impersonating government entities and trusted local brands and approaching potential targets over the phone to trick them into installing malware by instructing them to click on a link sent on messaging apps like Zalo.

In at least one case documented by Group-IB, fraudsters posed as Vietnam's public power company EVN and urged victims to pay overdue electricity bills or risk immediate suspension of the service. During the call, the threat actors are said to have asked the victims to add them on Zalo so as to receive a link to download an app and link their accounts.

The links redirect the victims to fake landing pages that masquerade as Google Play Store app listings, resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory. These droppers then pave the way for the main payload that abuses Android's accessibility services to facilitate remote control.

"The malware [...] is based on the original mobile banking applications," researchers Andrey Polovinkin, Sharmine Low, Ha Thi Thu Nguyen, and Pavel Naumov said. "It operates by injecting malicious code into only a portion of the application, allowing the original application to retain its normal functionality. The functionality of injected malicious modules can differ from one target to another, but primarily it bypasses the original application's security measures."

Specifically, it works by hooking into the application's logic to execute the malware. Three different malware families have been discovered based on the frameworks used in the modified applications to perform runtime hooking: FriHook, SkyHook, and PineHook. Regardless of these differences, the functionality of the modules overlaps, making it possible to –

  • Hide the list of applications that have accessibility services enabled
  • Prevent screencast detection
  • Spoof the signature of an Android application
  • Hide the installation source
  • Implement custom integrity token providers, and
  • Obtain the victims' account balance

While SkyHook uses the publicly available Dobby framework to execute the hooks, FriHook employs a Frida gadget that is injected into the legitimate banking application. PineHook, as the name implies, uses a Java-based hooking framework called Pine.
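As an added, defender-side illustration (not Group-IB's tooling and not code from the report): a small Python triage script that flags APKs embedding the three hooking frameworks named above, keyed to the default artefact names of the Frida gadget, Dobby and Pine. The library-name patterns and byte strings are heuristic assumptions drawn from those frameworks' usual build outputs, not indicators from the report, and the two sample APKs are constructed in-memory zip files rather than real samples.

```python
"""Triage APK files for embedded runtime-hooking frameworks.

Added example, not Group-IB's code. Maps the frameworks the report names
(Frida gadget -> FriHook, Dobby -> SkyHook, Pine -> PineHook) to heuristic
artefact names; all indicator values are assumptions, not report IoCs.
"""
import hashlib
import io
import re
import zipfile

# Heuristic indicator table (assumptions for this example). Library names are
# the frameworks' default outputs; the byte strings are symbol or package
# names that usually survive in a stripped .so or a dex file.
INDICATORS = {
    "FriHook (Frida gadget)": {
        "lib": re.compile(r"(^|/)lib(frida-)?gadget\.so$"),
        "strings": [b"frida-gadget", b"frida-agent", b"gum-js-loop"],
    },
    "SkyHook (Dobby)": {
        "lib": re.compile(r"(^|/)libdobby\.so$"),
        "strings": [b"DobbyHook", b"DobbyInstrument"],
    },
    "PineHook (Pine)": {
        "lib": re.compile(r"(^|/)libpine\.so$"),
        "strings": [b"top/canyie/pine/Pine", b"top.canyie.pine"],
    },
}


def scan_apk(apk_bytes: bytes) -> dict:
    """Return a triage record: sha256, matched families and the evidence."""
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "evidence": [],  # (family, kind, entry) tuples
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Only native libraries and dex code are worth string-scanning.
            scan_body = name.startswith("lib/") or name.endswith(".dex")
            body = zf.read(name) if scan_body else b""
            for family, ind in INDICATORS.items():
                if ind["lib"].search(name):
                    report["evidence"].append((family, "library", name))
                for needle in ind["strings"]:
                    if needle in body:
                        report["evidence"].append(
                            (family, "string", f"{name}:{needle.decode()}"))
    report["families"] = sorted({fam for fam, _, _ in report["evidence"]})
    return report


def verdict(report: dict) -> str:
    """One-line summary for a triage queue."""
    if not report["families"]:
        return f"{report['sha256'][:12]} clean: no hooking-framework artefacts"
    return f"{report['sha256'][:12]} SUSPICIOUS: " + ", ".join(report["families"])


def build_sample_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip with the given name->bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an unmodified app, and one carrying a renamed Frida
# gadget plus Pine classes, as a repackaged banking app might.
CLEAN_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00com/example/bank/MainActivity",
    "lib/arm64-v8a/libnative.so": b"\x7fELF ordinary bank jni code",
})
SUSPECT_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00com/example/bank/MainActivity top/canyie/pine/Pine",
    "lib/arm64-v8a/libnative.so": b"\x7fELF ordinary bank jni code",
    "lib/arm64-v8a/libhelper.so": b"\x7fELF ... gum-js-loop ... frida-agent",
})

if __name__ == "__main__":
    for apk in (CLEAN_APK, SUSPECT_APK):
        print(verdict(scan_apk(apk)))
```

The SHA-256 in each record is there so a triage queue can correlate hits against a published artifact list. The string scan matters because a renamed gadget library (as in the constructed suspect sample, where the library is called libhelper.so) would slip past a filename check alone. For real triage, pair this with a comparison of the APK's signing certificate against the bank's published one, since signature spoofing is among the capabilities listed above.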


Group-IB said its analysis of the malicious infrastructure erected by GoldFactory also uncovered a pre-release testing build of a new Android malware variant dubbed Gigaflower that is likely a successor to the Gigabud malware.

It supports around 48 commands to enable real-time screen and device activity streaming using WebRTC; weaponize accessibility services for keylogging, reading user interface content, and performing gestures; serve fake screens that mimic system updates, PIN prompts, and account registration to harvest personal information; and extract data from images of identity cards using a built-in text recognition algorithm.

Also currently in the works is a QR code scanner feature that attempts to read the QR code on Vietnamese ID cards, likely with the goal of simplifying the process of capturing the details.

Interestingly, GoldFactory appears to have ditched its bespoke iOS trojan in favor of an unusual approach that now instructs victims to borrow an Android device from a family member or relative to continue the process. It is currently not clear what prompted the shift, but it is believed to be due to stricter security measures and app store moderation on iOS.

"While earlier campaigns focused on exploiting KYC processes, recent activity shows direct patching of legitimate banking applications to commit fraud," the researchers said. "The use of legitimate frameworks such as Frida, Dobby, and Pine to modify trusted banking applications demonstrates a sophisticated yet low-cost approach that allows cybercriminals to bypass traditional detection and rapidly scale their operation."
