GoldFactory Malware Injects FriHook/SkyHook into Banking Apps to Exploit 11K SE Asia Users
The GoldFactory group has launched a new wave of attacks targeting mobile-banking users across Southeast Asia. Disguising themselves as government agencies and well-known corporations, the attackers distribute tampered banking applications. According to Group-IB, more than 11,000 devices in Indonesia, Thailand, and Vietnam have already been compromised.
Although the current surge has been recorded since October 2024, GoldFactory has been active since mid-2023. The group first drew attention through its malware families GoldPickaxe, GoldDigger, and GoldDiggerPlus. Analysts link the operation to a Chinese-speaking ecosystem and note its overlap with the Gigabud malware — sharing targets and phishing-page structures despite differences in code.
The first attacks were observed in Thailand, before spreading to Vietnam and Indonesia. Group-IB identified more than 300 modified banking applications that caused roughly 2,200 infections in Indonesia alone. In total, over 3,000 related artefacts have been uncovered, leading to 11,000 compromised devices, with most malicious apps tailored specifically for the Indonesian market.
The attack chain begins with phone calls impersonating government authorities or large companies. Victims are persuaded to follow a link sent via Zalo to “resolve an issue” related to debts or services. In Vietnam, criminals posed as the electricity provider EVN and urged users to install a “service” application. The link redirected to a counterfeit Google Play page distributing Gigabud, MMRat, or Remo — malware that grants remote access and prepares the installation of a main module that abuses Android’s Accessibility Services for covert device control.
The hallmark of this campaign is the injection of malicious code into legitimate banking applications. According to Group-IB, the original app retains its interface and functions, while the embedded modules hijack its internal logic.
Three such module families have been identified — FriHook, SkyHook, and PineHook. They hide apps with active accessibility services, obscure the installation source, forge signatures, bypass integrity checks, and extract balance information. SkyHook uses the Dobby framework, FriHook relies on Frida, and PineHook employs the Java framework Pine.
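The report says the hooks forge signatures and defeat integrity checks from inside the running app, so a check that runs outside the app (on an analyst's workstation or an MDM pipeline) is the reliable place to spot a repackaged build. The following Python triage scanner is an added example written for this article, not code from Group-IB or from any of the malware families; it inventories an APK for the hooking frameworks the report names and compares `classes.dex` against the vendor's genuine build. The library and package names (`libfrida-gadget.so`, `libdobby.so`, `top/canyie/pine`) are assumed from public builds of Frida, Dobby and Pine, not indicators published with the report, and the sample APK is a constructed stand-in.

```python
import hashlib
import io
import re
import zipfile

# Artefacts of the hooking frameworks named in the report. These names are
# assumptions from public builds of each framework, not published indicators.
HOOK_LIBS = {
    "libfrida-gadget.so": "Frida (FriHook)",
    "libdobby.so": "Dobby (SkyHook)",
}
DEX_MARKERS = {b"top/canyie/pine": "Pine (PineHook)"}


def scan_apk(apk_bytes: bytes, expected_dex_sha256: str) -> dict:
    """Triage an APK offline: list hooking-framework artefacts and report
    whether classes.dex still matches the vendor's genuine build."""
    findings = {"hook_libs": [], "dex_markers": [], "dex_modified": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            # Native hooking libraries ship under lib/<abi>/ in a repackaged APK.
            if name.startswith("lib/") and base in HOOK_LIBS:
                findings["hook_libs"].append((name, HOOK_LIBS[base]))
            # Java-level hooks (Pine) leave their package names in the dex files.
            if re.fullmatch(r"classes\d*\.dex", name):
                data = zf.read(name)
                for marker, label in DEX_MARKERS.items():
                    if marker in data:
                        findings["dex_markers"].append((name, label))
        # Out-of-band integrity check: a hook can lie to the app about its own
        # dex hash, but not to a scanner that never runs inside the app.
        if "classes.dex" in zf.namelist():
            digest = hashlib.sha256(zf.read("classes.dex")).hexdigest()
            findings["dex_modified"] = digest != expected_dex_sha256
    return findings


def build_sample_apk(tampered: bool) -> bytes:
    """Constructed stand-in for an APK (an APK is a zip); not a real bank app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        payload = b"top/canyie/pine/PineConfig" if tampered else b"com/example/bank"
        zf.writestr("classes.dex", b"dex\n035\0" + payload)
        zf.writestr("lib/arm64-v8a/libbank.so", b"\x7fELF")
        if tampered:
            zf.writestr("lib/arm64-v8a/libfrida-gadget.so", b"\x7fELF")
    return buf.getvalue()


# Hash of the constructed "genuine" classes.dex; a bank would pin its own.
GENUINE_DEX_SHA256 = hashlib.sha256(b"dex\n035\0com/example/bank").hexdigest()
```

On a real sample, replace `build_sample_apk` with the APK read from disk and `GENUINE_DEX_SHA256` with the hash taken from the bank's official release.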
Analysis of GoldFactory’s infrastructure revealed preparations for a new Android malware strain, Gigaflower — likely the successor to Gigabud. It can stream a device’s screen via WebRTC, exploit accessibility tools to intercept taps and read the interface, display fake update prompts and PIN-code dialogs, and extract data from images of documents. Future capabilities include scanning QR codes on Vietnamese identity cards.
A clear shift in tactics is also evident on iOS. Instead of deploying a proprietary Trojan, attackers now urge victims to borrow an Android phone from relatives — a change analysts attribute to Apple’s heightened security and strict ecosystem moderation.
Experts note that GoldFactory is moving away from KYC-spoofing schemes and increasingly relying on modified legitimate banking applications. The use of Frida, Dobby, and Pine dramatically reduces operational costs and allows rapid scaling, rendering the campaign exceptionally dangerous for financial institutions across the region.