Financially motivated cybercriminal group GoldFactory has launched a new wave of attacks targeting mobile users in Indonesia, Thailand and Vietnam. The attackers impersonate government entities to distribute legitimate banking applications that have been modified with malware.

The activity, observed since October 2024, involves the distribution of apps that act as conduits for advanced Android malware, according to a Group-IB white paper.

The GoldFactory Threat Actor

GoldFactory is a Chinese-speaking cybercrime group, active since at least June 2023. The group is known for using custom malware families such as GoldPickaxe, GoldDigger, and GoldDiggerPlus, which previously targeted Android and iOS devices. Research suggests that GoldFactory has close ties to Gigabud, another Android malware detected in mid-2023. Despite differences in code base, GoldDigger and Gigabud share similarities in their spoofing targets and landing pages.

Tactics and Chain of Infection

The latest attack campaign was first detected in Thailand, subsequently expanding to Vietnam in late 2024 and early 2025, and to Indonesia in mid-2025. Group-IB has identified more than 300 unique samples of modified banking applications, resulting in almost 2,200 infections in Indonesia and a total of at least 11,000 documented infections.

The infection method is based on impersonating government entities and trusted local brands. Criminals contact victims by phone to trick them into installing malware by directing them to click on a link sent through messaging apps such as Zalo.

In one documented case, attackers posed as Vietnam’s public electricity company, EVN, and demanded payment for overdue electricity bills. During the call, they asked victims to add them on Zalo to receive an app download link and link their accounts. The links redirect to fake landing pages that imitate Google Play Store app listings and deliver dropper apps; the droppers then install the main payload, a remote access Trojan such as Gigabud, MMRat or Remo, which abuses Android accessibility services to enable remote control.

Malware Technical Analysis

Group-IB researchers detail that the malware is based on the original mobile banking applications, but injects malicious code into a portion of the application. This allows the legitimate application to maintain its normal functionality, while the injected code bypasses the original security features.

Three different malware families have been identified based on the frameworks used for code injection at runtime:

  1. FriHook: Uses a Frida gadget injected into the legitimate banking app.
  2. SkyHook: Employs the publicly available Dobby framework.
  3. PineHook: Uses a Java-based hooking framework called Pine.

Despite the differences in frameworks, the functionality of the malicious modules overlaps, allowing attackers to:

  • Hide the list of apps with accessibility services enabled.
  • Prevent detection of screencasts.
  • Forge the signature of an Android application.
  • Hide the installation source.
  • Implement custom integrity token providers.
  • Obtain victims’ account balance.
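Because an APK is a ZIP archive, a cheap first-pass triage for a repackaged banking app is to look for the native libraries that Frida gadget, Dobby and Pine ship under lib/<abi>/. The following is an added example, not code from the Group-IB report; the library names are the frameworks' usual build outputs and are assumed here, and the APK is a constructed stand-in.

```python
"""Static triage of an APK for embedded hooking frameworks (added example).

The campaign described above repackages legitimate banking apps with a
hooking framework. Each framework normally ships a shared library, so a
scan of lib/<abi>/*.so gives a quick defender-side indicator. Names in
HOOKING_LIBS are assumed defaults, not indicators taken from the report;
a trivially renamed library would evade this check, so treat a hit as a
triage signal rather than a verdict.
"""
import io
import re
import zipfile

# Assumed: default library stems for each framework named on the page.
HOOKING_LIBS = {
    "frida-gadget": "FriHook (Frida gadget)",
    "dobby": "SkyHook (Dobby)",
    "pine": "PineHook (Pine)",
}
NATIVE_LIB = re.compile(r"^lib/[^/]+/lib([A-Za-z0-9_.-]+)\.so$")


def scan_apk(data: bytes) -> list:
    """Return (entry, framework) pairs for every suspicious native library."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            m = NATIVE_LIB.match(name)
            if m and m.group(1).lower() in HOOKING_LIBS:
                hits.append((name, HOOKING_LIBS[m.group(1).lower()]))
    return hits


def build_sample_apk(extra_libs) -> bytes:
    """Constructed stand-in for an APK: minimal layout plus the given libs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n")
        z.writestr("lib/arm64-v8a/libbank_native.so", b"\x7fELF")  # benign lib
        for lib in extra_libs:
            z.writestr(f"lib/arm64-v8a/{lib}", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk([])))                                  # []
    print(scan_apk(build_sample_apk(["libfrida-gadget.so", "libdobby.so"])))
```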

The Next Level: Gigaflower

Analysis of GoldFactory’s malicious infrastructure also revealed a test version of a new Android malware variant called Gigaflower, a likely successor to Gigabud. Gigaflower is a highly advanced malware that supports around 48 commands to:

  • Stream screen and device activity in real time using WebRTC.
  • Instrument accessibility services to perform keylogging, read user interface content and inject gestures.
  • Display fake screens to simulate system updates, PIN requests and account registration, with the aim of collecting personal information.
  • Extract data from images associated with ID cards using a built-in text recognition (OCR) algorithm.

The Abandonment of iOS

GoldFactory appears to have abandoned its custom Trojan for iOS. Instead, they have taken an unusual approach by instructing iOS victims to borrow an Android device from a family member or relative to continue the fraud process. This change is believed to be a result of stricter security measures and more rigorous App Store moderation by Apple.

Conclusions

GoldFactory’s campaign demonstrates an evolution in the sophistication of mobile threats. By modifying legitimate banking applications with hooking frameworks such as Frida, Dobby, and Pine, cybercriminals are able to effectively bypass traditional detection and scale their operations quickly at relatively low cost. The emergence of Gigaflower, with its advanced spying and data collection capabilities, underscores this group’s continued innovation in the mobile financial threat landscape.

References

  • [Group-IB] Technical report on GoldFactory cybercrime group.