GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections


These articles are AI-generated summaries. Please check the original sources for full details.

Cybercriminals linked to GoldFactory distributed modified banking apps in Indonesia, Thailand, and Vietnam, infecting over 11,000 users through scams that impersonate government agencies. The malware uses runtime hooking frameworks such as Frida and Dobby to bypass the apps' security measures.

Why This Matters

GoldFactory’s attacks exploit the trust users place in legitimate banking apps by injecting malicious code that mimics official functionality. Unlike traditional malware, which relies on zero-day exploits, this method leverages widely available hooking tools to modify trusted apps and evade detection. Group-IB reports that this approach has scaled to 11,000+ infections, resulting in the loss of victims' financial data and exposing weaknesses in app store moderation and user verification processes.

Key Insights

  • “11,000+ infections across Southeast Asia, 2025”: Group-IB analysis
  • “Runtime hooking via FriHook, SkyHook, PineHook”: Malware bypasses security by altering app logic
  • “Group-IB tracks GoldFactory’s evolution from 2023 to 2025”: Includes pre-release Gigaflower malware

Practical Applications

  • Use Case: Fraudsters impersonate EVN (Vietnam’s power company) to trick users into installing malware via Zalo links
  • Pitfall: Relying on app store reputation without runtime integrity checks allows modified apps to evade detection
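The "runtime integrity checks" named in the pitfall above are typically implemented inside the app itself. The following Python snippet is an added example, not code from the article or from Group-IB, that shows the shape of one such check: it parses /proc/<pid>/maps-style memory-map lines (the Linux/Android format) and flags loaded modules whose names match known hooking frameworks, plus anonymous executable regions as a weaker signal. The marker strings and the sample map content are assumptions constructed for the demonstration; a real app would run the equivalent logic natively and combine it with signature and attestation checks.

```python
"""Added example: a runtime-integrity heuristic over /proc/self/maps-style
input. Not the article's or Group-IB's code; marker names and the sample
map are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed module-name markers for common runtime hooking frameworks.
# Matching is on the lowercase basename of a file-backed mapping.
HOOKING_MARKERS = ("frida", "dobby", "xposed", "substrate")

# One line of the maps format: range perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous mappings


def parse_maps(text: str) -> list[Mapping]:
    """Parse maps-format text; malformed lines are skipped, not raised on."""
    result = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        result.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return result


def suspicious_modules(mappings: list[Mapping]) -> list[str]:
    """Distinct file-backed mappings whose basename matches a hooking marker."""
    hits: list[str] = []
    for mp in mappings:
        if not mp.path.startswith("/"):
            continue  # anonymous, [stack], [heap], [vdso] ...
        name = mp.path.rsplit("/", 1)[-1].lower()
        if any(marker in name for marker in HOOKING_MARKERS) and mp.path not in hits:
            hits.append(mp.path)
    return hits


def anonymous_exec_regions(mappings: list[Mapping]) -> int:
    """Count anonymous executable regions. Runtimes with a JIT also create
    these, so treat the count as a weak signal, not proof of tampering."""
    return sum(1 for mp in mappings if "x" in mp.perms and mp.path == "")


def assess(maps_text: str) -> dict:
    """Combine the two heuristics into a single verdict for the caller."""
    mappings = parse_maps(maps_text)
    modules = suspicious_modules(mappings)
    anon_exec = anonymous_exec_regions(mappings)
    return {
        "hooking_modules": modules,
        "anon_exec_regions": anon_exec,
        # Strong signal (named framework) or the weak one on its own.
        "tampered": bool(modules) or anon_exec > 0,
    }


# Constructed sample: a normal libc, an injected Frida agent, a bundled
# Dobby library and one anonymous rwx region. Paths are illustrative.
SAMPLE_MAPS = """\
7f1a2b000000-7f1a2b021000 r--p 00000000 fd:01 1234 /system/lib64/libc.so
7f1a2b021000-7f1a2b1c3000 r-xp 00021000 fd:01 1234 /system/lib64/libc.so
7f1a2c000000-7f1a2c300000 r-xp 00000000 fd:01 5678 /data/local/tmp/frida-agent-64.so
7f1a2d000000-7f1a2d040000 r-xp 00000000 fd:01 9012 /data/app/com.example.bank/lib/arm64/libdobby.so
7f1a2e000000-7f1a2e010000 rwxp 00000000 00:00 0
7ffc12345000-7ffc12366000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(assess(SAMPLE_MAPS))
```

A check like this is only useful as one layer: an attacker who controls the process can hide or rename modules, so the result should be reported to the server alongside signature verification and platform attestation rather than trusted on its own.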
