GoldFactory Malware Campaign Exploits Modified Banking Apps, Infecting Over 11,000 Devices in Southeast Asia

A sophisticated cybercrime operation, attributed to the financially motivated group GoldFactory, has successfully infected over 11,000 mobile devices across Indonesia, Thailand, and Vietnam. The attackers are leveraging modified banking applications, disguised as legitimate government services or trusted local brands, to distribute Android malware. This campaign, active since October 2024, highlights a concerning trend of social engineering and app tampering to compromise user data and financial information.

Key Takeaways

  • Widespread Infections: Over 11,000 devices in Indonesia, Thailand, and Vietnam have been compromised.

  • Malware Delivery: Attackers use modified banking apps, impersonating government entities and local brands.

  • Sophisticated Techniques: The malware abuses Android's accessibility services for remote control and bypasses security features.

  • Evolving Threat: GoldFactory is a well-organized, Chinese-speaking group with connections to other malware families like Gigabud.

The GoldFactory Operation

GoldFactory, a cybercrime group known for its financially driven attacks, has been actively targeting mobile users in Southeast Asia since October 2024. The group's modus operandi involves distributing trojanized banking applications that serve as a gateway for various Android malware. Evidence suggests GoldFactory has been operational since at least June 2023, with previous campaigns targeting both Android and iOS devices using custom malware families such as GoldPickaxe, GoldDigger, and GoldDiggerPlus.

Attack Vectors and Targets

The latest wave of attacks began in Thailand, later spreading to Vietnam by late 2024 and early 2025, and Indonesia from mid-2025 onwards. The infection chains typically start with social engineering tactics. Threat actors impersonate government agencies or well-known local companies, contacting potential victims via phone. They then trick individuals into installing malware by directing them to click on links sent through messaging applications like Zalo. For instance, fraudsters have posed as representatives of Vietnam's public power company, EVN, urging customers to pay overdue bills to avoid service suspension and providing a malicious app link via Zalo.

Technical Details of the Malware

The compromised applications are essentially legitimate mobile banking apps with malicious code injected into specific parts, allowing the original functionality to remain intact while enabling malicious activities. Researchers have identified three distinct malware families based on the hooking frameworks used: FriHook, SkyHook, and PineHook. These frameworks enable the malware to perform several malicious actions, including:

  • Concealing the list of applications with enabled accessibility services.

  • Preventing screencast detection.

  • Spoofing application signatures.

  • Hiding the installation source.

  • Implementing custom integrity token providers.

  • Obtaining victim account balances.
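Because the trojanized apps are re-signed copies of real banking apps with a hooking framework bundled in, a defender can triage a suspect APK offline without relying on the checks the malware hooks at runtime (signature spoofing, hidden installation source). The following Python script is an added example, not code from the article, Group-IB or any banking app: it treats the APK as a ZIP, hashes the v1 signature files under META-INF/ against a known-good signer set, and flags native libraries whose names match hooking frameworks. The known-good digest, the library names in HOOK_LIB_INDICATORS and the sample APKs are all constructed assumptions for illustration, not indicators from the campaign.

```python
# Offline triage of a suspect APK for signs of repackaging with a hooking framework.
# Added example; not code from the original article or from Group-IB.
# An APK is a ZIP archive. v1 signature files live under META-INF/; the v2/v3 APK
# Signing Block sits outside the ZIP entries and is best verified with apksigner.
import hashlib
import io
import posixpath
import zipfile

# ASSUMED native library names commonly shipped by each hooking framework
# (illustrative; real samples may rename them, so treat a hit as a lead, not proof).
HOOK_LIB_INDICATORS = {
    "frida": ("libfrida-gadget.so", "libgadget.so"),
    "dobby": ("libdobby.so",),
    "pine": ("libpine.so",),
}


def list_native_libs(apk_bytes: bytes) -> list[str]:
    """Return the basenames of all native libraries under lib/ in the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(
            posixpath.basename(n) for n in zf.namelist()
            if n.startswith("lib/") and n.endswith(".so")
        )


def find_hook_framework_indicators(lib_names) -> dict:
    """Map framework name -> matched library names for any known hooking libs."""
    hits = {}
    for framework, names in HOOK_LIB_INDICATORS.items():
        matched = sorted(set(lib_names) & set(names))
        if matched:
            hits[framework] = matched
    return hits


def v1_signature_digests(apk_bytes: bytes) -> dict:
    """SHA-256 of each v1 signature block file (META-INF/*.RSA, *.DSA, *.EC)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for n in zf.namelist():
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")):
                digests[n] = hashlib.sha256(zf.read(n)).hexdigest()
    return digests


def triage(apk_bytes: bytes, known_good_digests: set) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious found."""
    findings = []
    sigs = v1_signature_digests(apk_bytes)
    if not sigs:
        findings.append("no v1 signature files found (verify v2/v3 block with apksigner)")
    for name, digest in sigs.items():
        if digest not in known_good_digests:
            # A repackaged app must be re-signed by the attacker: the signer changes.
            findings.append(f"signer {name} digest {digest[:16]}... not in known-good set (re-signed?)")
    for fw, libs in find_hook_framework_indicators(list_native_libs(apk_bytes)).items():
        findings.append(f"hooking framework indicator: {fw} ({', '.join(libs)})")
    return findings


def build_sample_apk(signer_blob: bytes, extra_libs=()) -> bytes:
    """CONSTRUCTED minimal APK-like ZIP for offline demonstration (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\0constructed")
        zf.writestr("META-INF/CERT.RSA", signer_blob)
        zf.writestr("lib/arm64-v8a/libbank.so", b"constructed")
        for lib in extra_libs:
            zf.writestr(f"lib/arm64-v8a/{lib}", b"constructed")
    return buf.getvalue()


# CONSTRUCTED known-good signer: in practice, take this from the bank's published APK.
GENUINE_SIGNER = b"constructed-genuine-bank-signer-pkcs7"
KNOWN_GOOD = {hashlib.sha256(GENUINE_SIGNER).hexdigest()}


def demo():
    """Triage a constructed genuine APK and a constructed repackaged one."""
    genuine = build_sample_apk(GENUINE_SIGNER)
    repackaged = build_sample_apk(
        b"constructed-attacker-signer",
        extra_libs=("libfrida-gadget.so", "libdobby.so"),
    )
    return triage(genuine, KNOWN_GOOD), triage(repackaged, KNOWN_GOOD)


if __name__ == "__main__":
    for label, findings in zip(("genuine", "repackaged"), demo()):
        print(label, "->", findings or ["no findings"])
```

The point of doing this on the file rather than inside the running app is that the capabilities listed above (signature spoofing, hidden installation source, custom integrity token providers) target checks the app performs at runtime, where the hooks are already active; a static comparison of the signer against the bank's genuine release is outside their reach.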

Evolving Threat Landscape

Group-IB's analysis also revealed a pre-release version of a new Android malware variant, Gigaflower, which is likely the successor to Gigabud. Gigaflower boasts extensive capabilities, including real-time device activity streaming, harvesting personal information through fake system update prompts, and extracting data from identification cards. Interestingly, GoldFactory appears to have shifted away from its bespoke iOS trojan, now instructing victims to use an Android device to continue the attack process, possibly due to stricter iOS security measures.

The use of legitimate frameworks like Frida, Dobby, and Pine to modify trusted banking applications represents a sophisticated yet cost-effective approach for cybercriminals. This allows them to bypass traditional security detections and rapidly scale their operations, posing a significant and evolving threat to mobile users in the region.

Sources

  • GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections, The Hacker News.
