GoldFactory Targets SE Asian Users with Malware-Linked Fake Bank Apps

GoldFactory cybercrime group targets Southeast Asian mobile users with advanced Android malware in fake government apps to steal data and bypass security.

  • The cybercrime group GoldFactory targets mobile users in Indonesia, Thailand, and Vietnam through fake government service apps.
  • Modified banking apps embed Android malware using hooking frameworks such as Frida, Dobby, and Pine to manipulate legitimate apps and bypass security checks.
  • Over 11,000 infections have been linked to more than 300 malware samples, mostly affecting the Indonesian market.
  • A new malware variant called Gigaflower offers advanced spying and data theft features via accessibility services and real-time streaming.
  • Victims are often approached via phone calls and messaging apps like Zalo, with attackers posing as government or utility representatives.

Since October 2024, the financially motivated cybercrime group GoldFactory has been carrying out attacks on mobile users across Indonesia, Thailand, and Vietnam. Their method involves distributing modified banking applications disguised as legitimate government services to install Android malware, as reported by Group-IB.


Active since mid-2023, GoldFactory operates under a Chinese-speaking network, linked to malware families such as GoldPickaxe, GoldDigger, and GoldDiggerPlus. They share some common targets and tactics with another malware called Gigabud, despite significant differences in code. Initial cases emerged in Thailand, followed by Vietnam and then Indonesia, where more than 11,000 infections were identified from over 3,000 artifacts in nearly 300 unique banking app samples. Approximately 63% of these apps targeted Indonesian users.

The infection process typically starts with the attackers impersonating government entities or trusted local brands. Victims receive phone calls requesting urgent actions, like paying overdue electricity bills, and are directed to messaging apps such as Zalo to receive download links. One example involved fraudsters pretending to represent Vietnam’s public power company EVN, warning users about bill suspensions.

Following the link, victims are sent to fake app store pages that install remote access trojans like Gigabud, MMRat, or Remo. These trojans exploit Android’s accessibility services, allowing attackers to control devices remotely. The malware is embedded within legitimate banking apps by injecting malicious code only in parts of the software to evade detection and maintain normal app functionality.

Three malware variants, named FriHook, SkyHook, and PineHook, use frameworks such as Frida, Dobby, and Pine to modify app behavior. These hooks enable hiding accessibility service activations, blocking screencast detection, faking app signatures, and concealing installation sources while stealing account balances.
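One way a defender can triage a suspicious banking APK for the bundled hooking runtimes named above is to look for their native libraries inside the package. This is an added example, not code from the Group-IB report; the library file names (libfrida-gadget.so and its config for Frida, libdobby.so for Dobby, libpine.so for Pine) are assumptions, and the APKs below are constructed zip files, not real apps.

```python
import io
import re
import zipfile

# Native library names assumed for the hooking frameworks named in the report:
# Frida ships an embeddable "gadget" shared object, Dobby is an inline-hook
# runtime, and Pine is an ART-level Java hook framework. A genuine banking app
# has no reason to bundle any of them.
HOOK_LIB_PATTERNS = {
    "Frida": re.compile(r"^lib/[^/]+/libfrida-gadget[^/]*\.so$"),
    "Dobby": re.compile(r"^lib/[^/]+/libdobby[^/]*\.so$"),
    "Pine": re.compile(r"^lib/[^/]+/libpine[^/]*\.so$"),
}
# Frida Gadget loads a JSON config stored next to it with a ".config.so" suffix.
GADGET_CONFIG = re.compile(r"^lib/[^/]+/[^/]*gadget[^/]*\.config\.so$")


def find_hook_frameworks(apk_bytes):
    """Return the sorted names of hooking frameworks whose runtime is bundled in the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            for framework, pattern in HOOK_LIB_PATTERNS.items():
                if pattern.search(name):
                    found.add(framework)
            if GADGET_CONFIG.search(name):
                found.add("Frida")
    return sorted(found)


def build_sample_apk(entries):
    """Constructed stand-in for an APK: a zip holding the given entry names (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"\x00")
    return buf.getvalue()


# Constructed samples: an untouched app and a repackaged one carrying Frida and Dobby.
CLEAN_APK = build_sample_apk(
    ["AndroidManifest.xml", "classes.dex", "lib/arm64-v8a/libbank.so"])
REPACKAGED_APK = build_sample_apk(
    ["AndroidManifest.xml", "classes.dex", "lib/arm64-v8a/libbank.so",
     "lib/arm64-v8a/libfrida-gadget.so", "lib/arm64-v8a/libfrida-gadget.config.so",
     "lib/arm64-v8a/libdobby.so"])

if __name__ == "__main__":
    print(find_hook_frameworks(CLEAN_APK))       # []
    print(find_hook_frameworks(REPACKAGED_APK))  # ['Dobby', 'Frida']
```

Library names can be renamed by the attacker, so this is a first-pass triage check, not proof of absence.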


Further investigations uncovered a testing version of a new malware called Gigaflower, which supports around 48 commands. It allows live screen streaming via WebRTC, keylogging, user interface reading, gesture emulation, faking system prompts to capture personal data, and uses text recognition to extract information from IDs. It also includes a QR code scanner designed to read Vietnamese identity card codes.

GoldFactory has reportedly stopped deploying custom iOS trojans. Instead, they instruct victims to use an Android device owned by someone close to them, likely due to tougher iOS security and app store restrictions. According to researchers, “The use of legitimate frameworks such as Frida, Dobby, and Pine to modify trusted banking applications demonstrates a sophisticated yet low-cost approach that allows cybercriminals to bypass traditional detection and rapidly scale their operation.”
