GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections
Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical
AI Analysis
Technical Summary
GoldFactory is a financially motivated cybercrime group, active since at least mid-2023, that targets mobile users in Southeast Asia by distributing modified versions of legitimate Android banking applications. These apps are altered to inject malicious code modules that hook into the app’s logic at runtime using frameworks such as FriHook (Frida gadget), SkyHook (Dobby framework), and PineHook (Java-based Pine framework). This hooking enables the malware to bypass the original banking app’s security features, hide accessibility service usage, spoof app signatures, and conceal installation sources.

The infection vector involves social engineering tactics where attackers impersonate government entities or trusted brands, contacting victims via phone and messaging apps like Zalo to convince them to install the malicious apps from fake landing pages mimicking Google Play Store listings. Once installed, the malware deploys remote access trojans (RATs) such as Gigabud, MMRat, or Remo, which leverage Android accessibility services to enable remote control, keylogging, UI content reading, gesture execution, and data exfiltration. The latest variant, Gigaflower, enhances capabilities with about 48 commands, including real-time screen streaming via WebRTC, fake UI overlays to harvest credentials, and OCR-based extraction of identity card data, with plans for QR code scanning to automate data capture.

GoldFactory has ceased iOS targeting, likely due to stricter app store controls, instead instructing victims to use Android devices. The group’s approach of patching legitimate apps and using publicly available hooking frameworks allows rapid scaling and evasion of traditional detection methods. The campaign has resulted in over 11,000 infections, predominantly in Indonesia, Thailand, and Vietnam, with a significant focus on Indonesian banking apps.
This threat exemplifies advanced mobile banking malware leveraging social engineering and sophisticated code injection to conduct financial fraud and data theft.
Potential Impact
For European organizations, the direct impact of GoldFactory’s current campaign is limited due to its geographic focus on Southeast Asia and targeting of local banking apps. However, the techniques employed—runtime hooking of legitimate apps, abuse of Android accessibility services, and sophisticated social engineering—represent a growing trend in mobile banking malware that could be adapted to European markets. European financial institutions and mobile users could face similar threats if attackers localize their tactics and apps. The malware’s ability to bypass app security features and maintain normal app functionality complicates detection and mitigation, increasing the risk of financial fraud, identity theft, and unauthorized access to sensitive data. Additionally, the use of remote access trojans with extensive control capabilities could facilitate broader espionage or fraud campaigns. European organizations with mobile banking apps or customers using Android devices should be alert to the evolving threat landscape and consider the potential for similar attacks leveraging social engineering and app modification. The campaign also highlights the importance of securing supply chains and app distribution channels to prevent tampering and malware injection.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to the sophisticated techniques used by GoldFactory:
1) Employ advanced mobile threat detection solutions capable of identifying runtime hooking and malicious code injection in legitimate apps, including behavioral analysis of accessibility service abuse.
2) Strengthen user education programs focusing on social engineering awareness, emphasizing skepticism toward unsolicited calls or messages requesting app installations or personal information, especially when impersonating government or trusted entities.
3) Collaborate with mobile app stores and distribution platforms to verify app integrity and detect modified versions of legitimate banking apps, including the use of code signing and integrity verification mechanisms.
4) Implement robust app hardening techniques, such as runtime integrity checks and anti-hooking measures, to prevent unauthorized code injection.
5) Monitor network traffic for anomalous connections indicative of remote access trojans, including WebRTC streams or unusual command-and-control communications.
6) Encourage multi-factor authentication (MFA) for mobile banking apps to reduce the risk of account compromise even if credentials are stolen.
7) Establish incident response plans specifically addressing mobile malware infections and coordinate with law enforcement and cybersecurity agencies to share threat intelligence.
8) For organizations with customers in Southeast Asia, consider proactive threat hunting and customer notifications about this specific campaign.
9) Regularly update and patch mobile apps and underlying OS components to mitigate exploitation of known vulnerabilities that could facilitate malware installation or persistence.
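A runtime integrity check of the kind recommendation 4 calls for, written as an added example (not code from Group-IB, the report, or any banking app): an Android native-library routine that inspects /proc/self/maps for the Frida gadget, Dobby and Pine libraries that the FriHook, SkyHook and PineHook modules described above load into the patched app. The library file names are assumed framework defaults, and the maps listing is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* File-name indicators for the hooking runtimes the report names: FriHook
 * (Frida gadget), SkyHook (Dobby), PineHook (Pine). The names are assumed
 * framework defaults; a rebuilt or renamed gadget will not match. */
static const char *const HOOK_INDICATORS[] = {
    "frida-gadget", "frida-agent", "libfrida", "libdobby", "libpine" };
#define N_INDICATORS (sizeof HOOK_INDICATORS / sizeof HOOK_INDICATORS[0])
/* Index of the indicator found in ONE maps line, or -1. Only the pathname
 * column (first '/' up to the newline) is compared, lower-cased. */
int match_maps_line(const char *line) {
    const char *end = strchr(line, '\n');
    size_t len = end ? (size_t)(end - line) : strlen(line);
    const char *path = memchr(line, '/', len);
    if (!path) return -1;                 /* anonymous, [stack], [vdso] ... */
    char lower[256]; size_t plen = len - (size_t)(path - line), i;
    for (i = 0; i < plen && i + 1 < sizeof lower; i++)
        lower[i] = (char)tolower((unsigned char)path[i]);
    lower[i] = '\0';
    for (size_t k = 0; k < N_INDICATORS; k++)
        if (strstr(lower, HOOK_INDICATORS[k])) return (int)k;
    return -1;
}

/* Count suspicious mappings in a maps listing held in memory. */
int scan_maps_text(const char *maps) {
    int hits = 0;
    while (maps && *maps) {
        if (match_maps_line(maps) >= 0) hits++;
        maps = strchr(maps, '\n');
        if (maps) maps++;
    }
    return hits;
}

/* Live check of the calling process: hits found, or -1 if maps is unreadable. */
int self_hook_scan(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512]; int hits = 0;
    while (fgets(line, sizeof line, f)) if (match_maps_line(line) >= 0) hits++;
    fclose(f);
    return hits;
}

/* Constructed sample: clean libc, an anonymous page, then a Frida gadget and
 * a Dobby library loaded from the app's own directories. */
static const char SAMPLE_MAPS[] =
    "7f3a1000-7f3b2000 r-xp 00000000 fd:01 1234  /system/lib64/libc.so\n"
    "7f4c0000-7f4c1000 rw-p 00000000 00:00 0\n"
    "7f5d0000-7f7e0000 r-xp 00000000 fd:01 5678  /data/app/com.bank-1/lib/arm64/libfrida-gadget.so\n"
    "7f8f0000-7f900000 r-xp 00000000 fd:01 9012  /data/data/com.bank/files/libdobby.so\n";
```

The same hooking frameworks can hook this check, so treat a clean result as one signal only: keep it in native code, vary when it runs, and corroborate it server-side with attestation or behavioural analytics.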
Affected Countries
Indonesia, Thailand, Vietnam
Technical Details
- Article Source: https://thehackernews.com/2025/12/goldfactory-hits-southeast-asia-with.html (fetched 2025-12-04T09:38:48.760Z, 1441 words)
Threat ID: 693156a8744de630efd7f37e
Added to database: 12/4/2025, 9:38:48 AM
Last enriched: 12/4/2025, 9:39:10 AM
Last updated: 12/4/2025, 1:04:25 PM