Cybercriminals linked to a financially motivated group commonly known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.
The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical report published Wednesday.
Assessed to be active as far back as June 2023, GoldFactory first gained attention early last year, when the Singapore-headquartered cybersecurity company detailed the threat actor's use of custom malware families like GoldPickaxe, GoldDigger, and GoldDiggerPlus targeting both Android and iOS devices.
Evidence points to GoldFactory being a well-organized Chinese-speaking cybercrime group with close connections to Gigabud, another Android malware that was observed in mid-2023. Despite major differences in their codebases, both GoldDigger and Gigabud have been found to share similarities in their impersonation targets and landing pages.
The first cases in the latest attack wave were detected in Thailand, with the threat subsequently appearing in Vietnam by late 2024 and early 2025, and in Indonesia from mid-2025 onwards.
Group-IB said it has identified more than 300 unique samples of modified banking applications that have led to almost 2,200 infections in Indonesia. Further investigation has uncovered over 3,000 artifacts that it said led to at least 11,000 infections. About 63% of the altered banking apps target the Indonesian market.
The infection chains, in a nutshell, involve impersonating government entities and trusted local brands and approaching potential targets over the phone to trick them into installing malware by instructing them to click on a link sent over messaging apps like Zalo.
In at least one case documented by Group-IB, fraudsters posed as Vietnam's public power company EVN and urged victims to pay overdue electricity bills or risk immediate suspension of service. During the call, the threat actors are said to have asked the victims to add them on Zalo in order to receive a link to download an app and link their accounts.
The links redirect the victims to fake landing pages that masquerade as Google Play Store app listings, resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory. These droppers then pave the way for the main payload, which abuses Android's accessibility services to facilitate remote control.
"The malware [...] is based on the original mobile banking applications," researchers Andrey Polovinkin, Sharmine Low, Ha Thi Thu Nguyen, and Pavel Naumov said. "It operates by injecting malicious code into only a portion of the application, allowing the original application to retain its normal functionality. The functionality of injected malicious modules can vary from one target to another, but mainly it bypasses the original application's security features."
Specifically, it works by hooking into the application's logic to execute the malware. Three different malware families have been identified based on the frameworks the modified applications use to perform runtime hooking: FriHook, SkyHook, and PineHook. Regardless of these differences, the functionality of the modules overlaps, making it possible to:
Hide the list of applications that have accessibility services enabled
Prevent screencast detection
Spoof the signature of an Android application
Hide the installation source
Implement custom integrity token providers, and
Obtain the victims' account balance
While SkyHook uses the publicly available Dobby framework to execute the hooks, FriHook employs a Frida gadget that is injected into the legitimate banking application. PineHook, as the name implies, uses a Java-based hooking framework called Pine.
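Because the modified apps keep most of the genuine package intact and bolt on a hooking layer, the cheapest defensive check is an offline comparison of a suspect APK against the bank's own release artifact. The following triage helper is an added example written for this article, not Group-IB's tooling or anything the report describes; the native library file names it looks for (libfrida-gadget.so, libdobby.so, libpine.so) are assumptions about how those frameworks are usually packaged rather than indicators from the report, and the two in-memory "APKs" it builds are constructed placeholder archives, not real DEX, ELF or certificate data.

```python
"""Offline triage of a suspect banking APK against the genuine release (added example).

Two signals that runtime hooks cannot reach, because they are evaluated off the device:
  1. native libraries belonging to a hooking framework that the genuine build never ships;
  2. entries whose hash differs from, or is absent in, the bank's release manifest
     (repackaging has to touch classes.dex and re-sign the archive).
"""
import hashlib
import io
import zipfile

# Assumed packaging names for the three frameworks named in the report; adjust per sample set.
HOOK_FRAMEWORK_LIBS = {
    "libfrida-gadget.so": "Frida gadget (FriHook-style)",
    "libfrida-gadget.config.so": "Frida gadget config (FriHook-style)",
    "libdobby.so": "Dobby (SkyHook-style)",
    "libpine.so": "Pine (PineHook-style)",
}
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_release_manifest(apk_bytes: bytes) -> dict:
    """Hash every file in the genuine release APK (the bank has this artifact in its CI)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: sha256_hex(zf.read(i)) for i in zf.infolist() if not i.is_dir()}


def triage_apk(sample_bytes: bytes, release_manifest: dict) -> list:
    """Return (severity, finding) tuples; an untouched copy of the release yields []."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(sample_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            seen.add(name)
            base = name.rsplit("/", 1)[-1]
            if base in HOOK_FRAMEWORK_LIBS:
                findings.append(("high", f"{name}: {HOOK_FRAMEWORK_LIBS[base]} shipped in APK"))
            expected = release_manifest.get(name)
            if expected is None:
                findings.append(("medium", f"{name}: entry not present in genuine release"))
            elif sha256_hex(zf.read(info)) != expected:
                if name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES):
                    findings.append(("high", f"{name}: signing metadata differs, archive was re-signed"))
                elif name.endswith(".dex"):
                    findings.append(("high", f"{name}: bytecode differs from genuine release"))
                else:
                    findings.append(("medium", f"{name}: content differs from genuine release"))
    for name in sorted(set(release_manifest) - seen):
        findings.append(("medium", f"{name}: in genuine release but missing from sample"))
    return findings


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_demo_apks() -> tuple:
    """Constructed stand-ins: a genuine release and a FriHook-style repackaged copy of it."""
    genuine = {
        "AndroidManifest.xml": b"<manifest package='com.example.bank'/>",
        "classes.dex": b"dex placeholder: original bytecode",
        "lib/arm64-v8a/libbanksdk.so": b"ELF placeholder: genuine native lib",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/CERT.SF": b"Signature-Version: 1.0 (bank key)\n",
        "META-INF/CERT.RSA": b"signature block placeholder (bank key)",
    }
    tampered = dict(genuine)
    tampered["classes.dex"] = b"dex placeholder: original bytecode + injected hook loader"
    tampered["lib/arm64-v8a/libfrida-gadget.so"] = b"ELF placeholder: gadget"
    tampered["lib/arm64-v8a/libfrida-gadget.config.so"] = b"gadget config placeholder"
    tampered["META-INF/CERT.SF"] = b"Signature-Version: 1.0 (attacker key)\n"
    tampered["META-INF/CERT.RSA"] = b"signature block placeholder (attacker key)"
    return _zip(genuine), _zip(tampered)


if __name__ == "__main__":
    genuine_apk, tampered_apk = make_demo_apks()
    manifest = build_release_manifest(genuine_apk)
    for severity, finding in triage_apk(tampered_apk, manifest):
        print(f"[{severity}] {finding}")
```

The comparison deliberately lives outside the app: one of the module capabilities listed above is spoofing the application's own signature, so any integrity check the app performs on itself can be answered by the hook. A hash manifest kept by the bank, or a server-side attestation, is the reference the hooked process cannot rewrite.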
Group-IB said its analysis of the malicious infrastructure set up by GoldFactory also uncovered a pre-release test build of a new Android malware variant dubbed Gigaflower that is likely a successor to the Gigabud malware.
It supports around 48 commands to enable real-time screen and system activity streaming using WebRTC; weaponize accessibility services for keylogging, reading user interface content, and performing gestures; serve fake screens that mimic system updates, PIN prompts, and account registration to harvest personal information; and extract data from images of identity cards using a built-in text recognition algorithm.
Also currently in the works is a QR code scanner feature that attempts to read the QR code on Vietnamese ID cards, likely with the goal of simplifying the process of capturing the details.
Interestingly, GoldFactory appears to have ditched its bespoke iOS trojan in favor of an unusual approach that now instructs victims to borrow an Android device from a family member or relative to continue the process. It's currently not clear what prompted the shift, but it's believed to be due to stricter security measures and app store moderation on iOS.
"While earlier campaigns focused on exploiting KYC processes, recent activity shows direct patching of legitimate banking applications to commit fraud," the researchers said. "The use of legitimate frameworks such as Frida, Dobby, and Pine to modify trusted banking applications demonstrates a sophisticated yet low-cost approach that allows cybercriminals to bypass traditional detection and rapidly scale their operation."
