Mallory
6 malware families

GoldFactory

Also known as: GoldFactory

GoldFactory is a financially motivated, Chinese-speaking cybercrime group targeting mobile users in Southeast Asia, particularly in Indonesia, Thailand, and Vietnam. The activity described in the cited reporting has been observed since at least October 2024: the group impersonates government services and other trusted entities, including Vietnam's public power company EVN, to distribute modified banking applications and Android malware. Victims are contacted by phone call and over messaging apps such as Zalo, then redirected to fake Google Play landing pages.

Group-IB linked GoldFactory to campaigns using the custom malware families GoldPickaxe, GoldDigger, and GoldDiggerPlus, and connected the group to the Gigabud Android malware. Recent campaigns have delivered Android malware and remote access trojans including Gigabud, MMRat, and Remo, as well as a newer Android malware variant, Gigaflower, identified through the group's infrastructure. Gigaflower reportedly supports 48 commands, including real-time device streaming, keylogging, UI reading, gesture automation, fake screen serving, and extraction of data from ID card images; a QR code scanner for Vietnamese identity cards was under development at the time of reporting.

The group's operations focus on mobile banking fraud. Its malware abuses Android accessibility services for remote control, and its modified banking apps carry injected code that runs inside the legitimate app while preserving the app's normal functionality. The reported runtime-hooking components in those modified apps are FriHook, SkyHook, and PineHook, which use the Frida gadget, Dobby, and Pine hooking frameworks respectively. The hooks are used to bypass the apps' security features, hide malicious activity, prevent screencast detection, spoof app signatures, hide the installation source, implement custom integrity tokens, and read account balances. Because the hook runs in the same process as the banking app, any check the app computes for itself (root, emulator, signature, screen-capture detection) can be intercepted; only results produced and verified off-device survive this class of tampering.
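The repackaged apps above are detectable offline from the APK alone, because an embedded hooking framework has to ship as a native library inside the package. The following is an added triage example written for this page (not code from Group-IB or from the cited reporting): it opens an APK as a zip, looks at every `lib/<abi>/*.so` entry, and flags the default library names and marker strings that the Frida gadget, Dobby, and Pine leave behind. Those names and strings are assumptions drawn from the frameworks' default builds; operators routinely rename the libraries, so the string check exists precisely for the renamed case, and any hit should be treated as a lead for manual analysis rather than a verdict. The sample APKs are constructed in memory so the script runs without a real package.

```python
"""Triage heuristic for repackaged Android apps that embed a runtime-hooking
framework (Frida gadget, Dobby, Pine), the technique attributed above to the
FriHook / SkyHook / PineHook components.

Added example, not code from the cited reporting. Library names and marker
strings are ASSUMED defaults of each framework; treat matches as leads.
"""
import io
import re
import zipfile

# Default native library names of the hooking frameworks (assumed; often renamed).
KNOWN_HOOK_LIBS = {
    "libfrida-gadget.so": "frida-gadget",
    "libgadget.so": "frida-gadget",
    "libdobby.so": "dobby",
    "libpine.so": "pine",
}

# Byte strings the frameworks typically leave in their binaries (assumed markers):
# Frida's thread/agent names, Dobby's exported hook entry point, Pine's JNI class path.
MARKER_STRINGS = {
    b"frida-gadget": "frida-gadget",
    b"frida-agent": "frida-gadget",
    b"gum-js-loop": "frida-gadget",
    b"DobbyHook": "dobby",
    b"top/canyie/pine": "pine",
}

# Native libraries in an APK live under lib/<abi>/<name>.so
NATIVE_LIB_RE = re.compile(r"^lib/[^/]+/([^/]+\.so)$")


def scan_apk_bytes(apk: bytes) -> dict:
    """Scan an APK (as bytes) for hooking-framework artifacts.

    Returns {'libs': [(path, family)], 'markers': [(path, family)], 'suspicious': bool}.
    'libs' are filename matches, 'markers' are content matches (catches renamed libs).
    """
    libs, markers = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            match = NATIVE_LIB_RE.match(info.filename)
            if not match:
                continue
            name = match.group(1)
            if name in KNOWN_HOOK_LIBS:
                libs.add((info.filename, KNOWN_HOOK_LIBS[name]))
            data = zf.read(info)  # whole library; fine for triage-sized .so files
            for marker, family in MARKER_STRINGS.items():
                if marker in data:
                    markers.add((info.filename, family))
    return {
        "libs": sorted(libs),
        "markers": sorted(markers),
        "suspicious": bool(libs or markers),
    }


def scan_apk_file(path: str) -> dict:
    """Convenience wrapper for a real APK on disk."""
    with open(path, "rb") as fh:
        return scan_apk_bytes(fh.read())


def build_sample_apk(native_libs: dict) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        for path, content in native_libs.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: an unmodified build, and a repackaged one carrying a
# renamed Frida gadget (caught by content) plus an un-renamed Dobby (caught by name).
CLEAN_APK = build_sample_apk({
    "lib/arm64-v8a/libbank.so": b"\x7fELF legitimate banking native code",
})
HOOKED_APK = build_sample_apk({
    "lib/arm64-v8a/libbank.so": b"\x7fELF legitimate banking native code",
    "lib/arm64-v8a/libhelper.so": b"\x7fELF ... frida-gadget ... gum-js-loop ...",
    "lib/armeabi-v7a/libdobby.so": b"\x7fELF ... DobbyHook ...",
})

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("hooked", HOOKED_APK)):
        print(label, scan_apk_bytes(apk))
```

Run `scan_apk_file("sample.apk")` against a suspected repackaged app; a clean build of the same bank's app should come back with `suspicious: False`, which also makes the script a cheap regression check for your own release pipeline. The name table is the brittle half of this heuristic and the content markers are the useful half; extend `MARKER_STRINGS` from strings you pull out of confirmed samples rather than from documentation.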
According to the cited reporting, GoldFactory's latest wave was first detected in Thailand and then spread to Vietnam and Indonesia. Group-IB identified more than 300 unique samples of modified banking apps and more than 3,000 related artifacts, accounting for at least 11,000 infections; the majority of the altered apps target the Indonesian market. In earlier campaigns the group also used iOS malware tied to abuse of KYC (know-your-customer) processes, but it has reportedly moved away from iOS and now instructs victims to use Android devices, likely because of the stricter security controls on iOS.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • finance
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic.

2 of 15 tactics, 2 techniques. ×N = number of intelligence reports citing this technique.
TA0001
Initial Access
1 technique
T1566
Phishing
TA0005
Defense Evasion
1 technique
T1036
Masquerading