Cybercriminals linked to a financially motivated group known as GoldFactory have staged a campaign targeting mobile users in Indonesia, Thailand and Vietnam by impersonating government services and distributing modified banking applications, Group-IB said in a technical report.
Group-IB said the campaign has been observed since October 2024 and that the actor has been active since at least June 2023. Analysis identified more than 300 unique samples of modified banking apps tied to roughly 2,200 infections in Indonesia, and more than 3,000 related artifacts linked to at least 11,000 infections overall; about 63% of the modified apps targeted the Indonesian market, the company said.
The infection chains rely on impersonation of government entities and trusted local brands, phone-based social engineering and links sent via messaging apps such as Zalo, researchers found. Victims are redirected to fake landing pages that mimic Google Play listings and are instructed to install droppers that deploy remote access trojans including Gigabud, MMRat and Remo, then enable Android accessibility services to allow remote control.
Researchers said the malicious packages are repackaged legitimate banking apps with injected code that preserves normal functionality while hooking the app at runtime. Three hooking frameworks were identified in the altered apps: SkyHook, built on the Dobby framework; FriHook, which embeds a Frida gadget; and PineHook, which uses the Java-based Pine hooking library. The injected modules can hide apps that have accessibility services enabled, defeat screencast detection, spoof the app's signature, conceal the installation source and harvest account balances.
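Because all three frameworks are public tooling bundled into the repackaged app, a defender can often flag a tampered build statically before it runs. The script below is an added example, not Group-IB's tooling or code from the report: it opens an APK as the zip archive it is, lists the native libraries and DEX files, and matches them against artifact names the public projects ship by default (the Frida gadget's `libfrida-gadget.so` and its `.config.so` companion, Dobby's `libdobby.so`, and Pine's `top.canyie.pine` package). Those indicator names are assumptions drawn from the projects' defaults, not identifiers taken from the report, and the sample APKs are constructed inline so the check runs offline.

```python
"""Static triage of an APK for bundled hook-framework artifacts.

Added example, not Group-IB's tooling or the actors' code. Indicator names
are assumed defaults of the public Frida, Dobby and Pine projects; a
repackager can rename them, so treat a clean result as weak evidence only.
"""
import io
import re
import zipfile

# Assumed indicators (public-project defaults), keyed by the framework that
# the report ties to each hooking variant: FriHook -> Frida gadget,
# SkyHook -> Dobby, PineHook -> Pine.
NATIVE_INDICATORS = {
    "frida-gadget": re.compile(r"^libfrida-gadget(\.config)?\.so$"),
    "dobby": re.compile(r"^libdobby\.so$", re.IGNORECASE),
}
DEX_INDICATORS = {
    # Pine is pure Java; its classes live under top.canyie.pine in the DEX.
    "pine": re.compile(rb"Ltop/canyie/pine/"),
    # A loader stub typically calls System.loadLibrary("frida-gadget").
    "frida-gadget": re.compile(rb"frida-gadget"),
}


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Return {framework: [evidence, ...]} for every indicator found in the APK."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                # Native libs sit at lib/<abi>/<name>.so; match on the basename.
                base = name.rsplit("/", 1)[-1]
                for fw, pat in NATIVE_INDICATORS.items():
                    if pat.search(base):
                        hits.setdefault(fw, []).append(name)
            elif re.fullmatch(r"classes\d*\.dex", name):
                # Cheap string scan of each DEX; good enough for default names.
                data = zf.read(name)
                for fw, pat in DEX_INDICATORS.items():
                    if pat.search(data):
                        hits.setdefault(fw, []).append(f"{name}: {pat.pattern.decode()}")
    return hits


def frameworks_found(apk_bytes: bytes) -> set[str]:
    """Convenience wrapper: just the set of framework names detected."""
    return set(scan_apk(apk_bytes))


def build_sample_apk(entries: dict[str, bytes]) -> bytes:
    """Build a minimal zip with the given entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed samples; the ELF bodies are placeholders, only names/strings matter.
TAMPERED_FRIHOOK_PINE = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00 ... Ltop/canyie/pine/Pine; ... frida-gadget ...",
    "lib/arm64-v8a/libapp.so": b"\x7fELF",
    "lib/arm64-v8a/libfrida-gadget.so": b"\x7fELF",
    "lib/arm64-v8a/libfrida-gadget.config.so": b'{"interaction":{"type":"script"}}',
})
TAMPERED_SKYHOOK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00 ... Lcom/example/bank/MainActivity; ...",
    "lib/arm64-v8a/libDobby.so": b"\x7fELF",
})
CLEAN = build_sample_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00 ... Lcom/example/bank/MainActivity; ...",
    "lib/arm64-v8a/libapp.so": b"\x7fELF",
})

if __name__ == "__main__":
    for label, apk in [("FriHook/PineHook-style", TAMPERED_FRIHOOK_PINE),
                       ("SkyHook-style", TAMPERED_SKYHOOK), ("clean", CLEAN)]:
        print(label, scan_apk(apk))
```

Pair this with a certificate check: because the injected modules can spoof the signature the app reports about itself, compare the APK's signing certificate against the bank's known one with an external tool rather than trusting anything the running app says.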
Group-IB also uncovered a pre-release testing build of a new Android variant dubbed Gigaflower, which supports around 48 commands covering real-time screen and device streaming via WebRTC, keylogging and UI scraping through accessibility abuse, serving fake screens to harvest credentials, and extracting text from ID card images. The report noted a planned QR code scanner feature intended to read the QR codes on Vietnamese identity cards, and said GoldFactory has shifted away from a bespoke iOS trojan toward instructing victims to use Android devices.
Researchers characterized the use of legitimate tooling and lightweight code injection as a low-cost method for bypassing traditional detection and scaling fraud operations.