GoldFactory’s Southeast Asia Campaign: Modified Banking Apps Drive 11,000+ Infections

December 4, 2025 Faeem BLOGS 0

A new Group-IB report details how the financially motivated cybercrime group GoldFactory has escalated its operations in Southeast Asia, targeting mobile users in Indonesia, Thailand, and Vietnam with modified banking apps that deliver Android malware.

Key Findings

  • Scale of infections:
    • Over 300 unique samples of modified banking apps identified.
    • At least 11,000 infections across Southeast Asia, with 63% targeting Indonesia.
    • ~2,200 confirmed infections in Indonesia alone.
  • Attack chain:
    1. Social engineering — attackers impersonate government agencies or utilities (e.g., Vietnam’s EVN power company).
    2. Phone calls + messaging apps (Zalo) — victims are pressured to click malicious links.
    3. Fake landing pages — mimic Google Play Store listings.
    4. Dropper malware — Gigabud, MMRat, or Remo installed.
    5. Main payload — abuses Android accessibility services for remote control, data theft, and fraud.
  • Technical sophistication:
    • Malware injected into legitimate banking apps, preserving normal functionality while bypassing security.
    • Runtime hooking frameworks:
      • FriHook (Frida gadget injection)
      • SkyHook (Dobby framework)
      • PineHook (Java-based Pine framework)
    • Capabilities include hiding accessibility services, spoofing app signatures, preventing screencast detection, and stealing account balances.

Emerging Threat: Gigaflower

  • Likely successor to Gigabud, currently in pre-release testing.
  • Supports 48 commands including:
    • Real-time screen/device streaming via WebRTC.
    • Accessibility-based keylogging and UI content reading.
    • Fake system update/PIN/account registration screens for credential harvesting.
    • OCR-based extraction of ID card data.
    • Upcoming QR code scanner for Vietnamese identity cards.

Strategic Shifts

  • iOS targeting abandoned: GoldFactory now instructs victims to borrow Android devices, likely due to stricter iOS security and App Store moderation.
  • Fraud focus: Earlier campaigns exploited KYC processes; current wave directly patches legitimate banking apps to commit fraud.
  • Low-cost but effective: Leveraging open-source frameworks (Frida, Dobby, Pine) allows rapid scaling while evading traditional detection.

Defensive Recommendations

  • For users:
    • Never install apps from links received via calls or messaging apps.
    • Verify app sources directly in Google Play Store.
    • Enable Play Protect and keep devices updated.
  • For organizations:
    • Monitor for modified banking app variants in app distribution channels.
    • Detect runtime hooking frameworks (Frida, Dobby, Pine) in mobile environments.
    • Educate customers about impersonation scams involving government or utility services.

Final Thought

GoldFactory’s campaign demonstrates how trusted apps can be weaponized with injected malicious modules, blending normal functionality with fraud-enabling features. The group’s pivot to Android-only attacks and development of Gigaflower shows a clear intent to scale operations across Southeast Asia.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.