A financially driven cybercrime crew known as GoldFactory has kicked off a fresh wave of attacks against mobile users in Indonesia, Thailand, and Vietnam, and their newest trick is impersonating government agencies to push infected banking apps.
The activity has been ongoing since October 2024, according to a new technical report from Group-IB. And while the group has been active for a few years now, this campaign shows just how far they're willing to go to blend real apps with malicious code.
A Familiar Threat Actor With Evolving Tactics
GoldFactory first popped up in mid-2023 with an entire toolbox of custom Android and iOS malware, GoldPickaxe, GoldDigger, and GoldDiggerPlus, all designed to dig into victims’ financial data.
Investigators say the group is Chinese-speaking and likely connected to another Android threat called Gigabud, which surfaced around the same time. Even though their codebases don’t match one-to-one, they clearly target the same regions and rely on nearly identical impersonation tactics.
Wave After Wave Across the Region
The first infections were spotted in Thailand, then spread into Vietnam by late 2024 and early 2025, and eventually hit Indonesia around mid-2025.
Group-IB found:
1. 300+ unique modified banking apps targeting Indonesia
2. ~2,200 confirmed infections from those samples
3. 3,000+ related artifacts linked to 11,000 infections overall
4. 63% of tampered apps aimed at Indonesian users
That’s a big footprint, and it’s still growing.
How the Scam Works
GoldFactory doesn’t just rely on random downloads. They actually call victims directly, posing as government workers or employees from trusted companies.
The script usually goes like this:
1. Impersonate a government or utility agency
2. Claim the victim needs to take urgent action
3. Ask them to add the scammer on Zalo
4. Send a malicious link disguised as a Google Play Store page
5. Get the victim to install an “official” app that’s actually malware
One case involved fraudsters pretending to be EVN, Vietnam’s national power provider, telling people their electricity would be cut unless they paid overdue bills. During the call, victims were instructed to download a fake app to “resolve the issue.”
The Apps Look Real
Here’s the trick: these fake apps are actual banking apps, just patched with embedded malicious modules.
Group-IB researchers explained it simply: the attackers inject small sections of malicious code while keeping the genuine app functioning normally.
That code can:
1. Hide apps using Accessibility Services
2. Block screencast detection
3. Spoof application signatures
4. Conceal the installation source
5. Fake integrity checks
6. And even grab bank account balances
The malware relies on runtime hooking using three frameworks:
1. FriHook – uses a Frida gadget hidden in the app
2. SkyHook – built on the open-source Dobby hooking framework
3. PineHook – uses the Java-based Pine framework
Different tools, same end goal.
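A quick triage check an analyst can run on a suspect banking APK, as an added example that is not from Group-IB's report: repackaged apps that load Frida gadget, Dobby or Pine usually ship those frameworks as native libraries under lib/, so listing the zip entries and matching the frameworks' default library names flags candidates for deeper review. The library names are assumed defaults (a repackager can rename them), and the sample "APKs" are constructed in memory.

```python
import io
import re
import zipfile

# Default native library names of the three hooking frameworks named in the
# report (assumption: a repackager may rename them), so a hit is a triage
# signal for manual review, not proof by itself.
HOOK_LIB_PATTERNS = {
    "Frida gadget (FriHook)": re.compile(r"lib/[^/]+/lib(frida-gadget|gadget)[^/]*\.so$"),
    "Dobby (SkyHook)": re.compile(r"lib/[^/]+/libdobby[^/]*\.so$"),
    "Pine (PineHook)": re.compile(r"lib/[^/]+/libpine[^/]*\.so$"),
}
# Frida's gadget reads a sidecar .config.so file placed next to it; seeing one
# inside a production banking app is a strong tell of tampering.
GADGET_CONFIG = re.compile(r"lib/[^/]+/.*gadget[^/]*\.config\.so$")


def scan_apk(apk_bytes: bytes) -> dict:
    """Return hooking-framework indicators found among an APK's zip entries."""
    findings = {"frameworks": set(), "gadget_config": [], "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            for label, pattern in HOOK_LIB_PATTERNS.items():
                if pattern.search(name):
                    findings["frameworks"].add(label)
            if GADGET_CONFIG.search(name):
                findings["gadget_config"].append(name)
    findings["frameworks"] = sorted(findings["frameworks"])
    return findings


def build_sample_apk(extra_entries) -> bytes:
    """Constructed stand-in for an APK: a zip with the usual top-level entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        z.writestr("lib/arm64-v8a/libbank.so", b"\x7fELF constructed")
        for entry in extra_entries:  # e.g. a smuggled hooking library
            z.writestr(entry, b"\x7fELF constructed")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_apk([])
    repackaged = build_sample_apk(["lib/arm64-v8a/libfrida-gadget.so",
                                   "lib/arm64-v8a/libfrida-gadget.config.so"])
    for tag, blob in (("clean", clean), ("repackaged", repackaged)):
        print(tag, scan_apk(blob))
```

The authoritative check for a repackaged app remains the signing certificate: compare the APK's signer fingerprint (for example with `apksigner verify --print-certs`) against the bank's published one, since the report notes the malware also spoofs signatures and fakes integrity checks at runtime.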
Enter Gigaflower, A New Malware Variant in Testing
During infrastructure analysis, Group-IB discovered a pre-release build of a new Android malware strain dubbed Gigaflower, likely the successor to Gigabud.
Early capabilities include:
1. 48+ remote commands
2. Real-time device/screen streaming via WebRTC
3. Keylogging
4. Reading UI contents
5. Fake screens for PINs and system dialogs
6. OCR-based data extraction from ID card images
7. And an upcoming QR-reader for Vietnamese ID cards
Clearly, this thing is designed to automate the entire identity theft lifecycle.
A Low-Cost, High-Impact Approach
Group-IB’s conclusion is blunt:
GoldFactory has moved on from exploiting KYC systems to directly patching legitimate banking apps, using off-the-shelf hooking frameworks to avoid detection and scale their operations quickly and cheaply.
And with infections continuing across Southeast Asia, there’s no sign of them slowing down.
Source: The Hacker News