A major cyber fraud operation has been discovered targeting mobile banking users across Southeast Asia. A criminal group known as GoldFactory has been distributing modified versions of real banking apps that look completely genuine. These fake apps contain hidden malware designed to steal financial information from victims. More than 11,000 devices in Indonesia, Thailand, and Vietnam have been infected so far.
Researchers first noticed this activity around October 2024, although signs show the group began preparing even earlier. GoldFactory has a long history of creating advanced malware aimed at banking and identity systems. In this operation, they injected malicious code into legitimate banking apps while keeping the original look intact. This trick allowed the apps to appear safe while silently collecting sensitive data.
Victims were often targeted through convincing social-engineering messages posing as government or service officials. People received fake alerts telling them to download a new or updated banking or payment app. Once installed, the malware activated quietly and ran in the background without raising suspicion. It hid itself and provided attackers with access to the user’s financial accounts.
Investigators uncovered more than 300 unique malicious app samples linked to GoldFactory. They also found over 3,000 related malicious files connected to this campaign. Around 63 percent of the Trojanized apps were aimed at Indonesian users, making Indonesia the main target. These apps stole banking credentials, intercepted SMS codes, and bypassed security checks.
GoldFactory used hooking and instrumentation frameworks such as Frida, Dobby, and Pine to modify the real apps. These tools allowed them to inject harmful functions without affecting how the app normally works. The malware could hide permission requests, spoof app signatures, and avoid detection by security systems. It also enabled attackers to control the device remotely and perform fraudulent transactions.
GoldFactory has previously created well-known malware families like GoldDigger, GoldDiggerPlus, and GoldPickaxe. One earlier version could even steal facial-recognition data and identity documents from victims. The malware used advanced techniques to collect biometrics and defeat identity verification systems. Their current focus on Android banking apps shows that their tactics are constantly evolving.
During the investigation, researchers discovered a new test version of another malware variant. This new build appears to include screen streaming, fake overlays, and other advanced features. It may even scan identity cards through QR codes, indicating future plans for deeper fraud. The constant upgrades show that GoldFactory intends to expand and refine its attacks.
This campaign is a clear warning about the rising danger of mobile banking fraud in the region. Users should install apps only from official app stores and trusted banking sources. Any unexpected message or call asking to download an app should be considered suspicious. Staying cautious and verifying information can greatly reduce the risk of falling victim to GoldFactory’s attacks.
Stay alert, and keep your security measures updated!
Source: cybersecurity88 (X and LinkedIn)