GoldFactory Strikes SE Asia with Fake Banking Apps

GoldFactory’s Expanding Threat in Southeast Asia

GoldFactory has launched new attacks across Indonesia, Thailand, and Vietnam. The group targets mobile users by posing as government services and distributes modified banking apps that carry malware. These attacks have grown steadily since late 2024.

Researchers have linked GoldFactory to earlier threats. They first noticed the group in mid-2023 through its custom malware families. Additionally, experts assess that the operators are Chinese-speaking and have ties to another threat group that uses similar tactics. These links suggest organized and ongoing criminal activity.

How the Attack Wave Spread

The latest infections first appeared in Thailand. They then moved to Vietnam in late 2024 and early 2025. Finally, they reached Indonesia by mid-2025. This steady expansion shows deliberate planning.

Researchers uncovered over 300 modified app samples in Indonesia alone. These apps caused more than 2,200 infections in that market. Furthermore, investigators found over 3,000 related artifacts tied to at least 11,000 infections region-wide. About two-thirds of the altered apps targeted Indonesian users.

Tactics Used to Trick Victims

GoldFactory relies on impersonation to gain trust. Fraudsters often pretend to represent government offices or reputable services. Then, they call victims and pressure them to click links sent through messaging apps. These steps make the attacks feel legitimate.

In one case, criminals impersonated a local power provider in Vietnam. They threatened service suspension unless overdue bills were paid. Afterwards, they directed victims to add them on a messaging app to receive a fake payment app. Victims were then redirected to counterfeit app-listing pages that resembled trusted marketplaces.

Malware Delivered Through Fake Apps

The fake apps install remote access malware on Android devices. Consequently, criminals gain full control of infected phones. They use this access to monitor activity, capture sensitive data, and perform fraudulent actions. The tools also abuse Android accessibility services, which let an app read screen content and inject input on the user's behalf, for deeper control.

Researchers found that the operators repackage real banking apps. They inject malicious code while the original functionality stays intact, so the app looks and behaves normally. However, the injected modules bypass the app's security checks, hide the accessibility settings the malware depends on, and spoof the app's signature so the repackaged build still passes integrity checks. They also harvest the victim's account balances.

Different hooking frameworks enable this behavior. For example, some apps use a public code-injection tool, while others rely on alternative runtime frameworks. Despite these variations, the result is the same: hidden and persistent control over a victim’s device.

New Malware Variants Under Development

Investigators also found a pre-release version of a new malware strain. This variant supports nearly 50 commands for real-time control. It can record the screen, capture gestures, and mimic system prompts. Additionally, it extracts data from photographs of identity documents using text recognition (OCR).

The group is also testing a QR code tool for reading local identity cards, which would let it automate personal-data theft further. Interestingly, recent campaigns instruct iPhone users to borrow an Android device. This shift suggests that improved iOS security, in particular its resistance to sideloading, disrupts GoldFactory's methods.

How to Prevent These Attacks

Users should install apps only from official stores, never from links sent in messages, and should treat unsolicited calls that demand payment or an app installation as fraud. They should also enable strong device protections, such as threat monitoring and secure network filtering, and periodically review which apps have been granted accessibility access. Services that provide mobile threat detection and application scanning can further reduce risk by blocking modified apps and flagging suspicious activity before harm occurs.
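The combination the repackaged apps depend on, a sideloaded package that has been granted accessibility access, is something a responder can check from a trusted host over adb rather than from the device UI, which the injected modules may be hiding settings from. The following script is an added example, not code from the original article or from any vendor mentioned in it. It assumes the line formats printed by `pm list packages -i` (`package:<name>  installer=<installer>`, with `null` when unknown), `pm list packages -s`, and the colon-separated `enabled_accessibility_services` setting; all sample output is constructed for the example.

```python
"""Triage sideloaded Android apps that hold accessibility access.

Added example, not code from the original article or from any named vendor.
It parses the text output of three commands an incident responder would run
from a trusted host over adb, so the check does not rely on code running
inside a possibly hooked app:

    adb shell pm list packages -i      # installer of every package
    adb shell pm list packages -s      # packages on the system image
    adb shell settings get secure enabled_accessibility_services

All sample output below is constructed for this example.
"""

import re

PLAY_STORE = "com.android.vending"

# Constructed `pm list packages -i` output. Assumption: each line reads
# "package:<name>  installer=<installer>", with "null" when unknown.
PM_INSTALLERS_SAMPLE = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=null
package:id.co.examplebank.mobile  installer=null
package:com.example.messenger  installer=com.android.vending
package:vn.example.epayment  installer=com.android.packageinstaller
"""

# Constructed `pm list packages -s` output (packages on the system image).
PM_SYSTEM_SAMPLE = """\
package:com.android.vending
package:com.google.android.marvin.talkback
"""

# Constructed enabled_accessibility_services value: colon-separated
# "package/serviceclass" entries. The repackaged bank app registered one.
ACCESSIBILITY_SAMPLE = (
    "id.co.examplebank.mobile/id.co.examplebank.mobile.AccessHelper:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

LINE_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?\s*$")


def parse_pm_list(text):
    """Map package name -> installer (None when 'null' or absent)."""
    packages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, installer = m.group(1), m.group(2)
        packages[name] = None if installer in (None, "null") else installer
    return packages


def parse_accessibility(text):
    """Set of packages with at least one enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(installers_text, system_text, accessibility_text,
           trusted_installers=(PLAY_STORE,)):
    """Classify installed packages.

    sideloaded: not on the system image and not installed by a trusted store
    accessibility_sideloaded: sideloaded AND holding accessibility access,
      the combination the fake apps described in the article rely on
    """
    installers = parse_pm_list(installers_text)
    system = set(parse_pm_list(system_text))
    a11y = parse_accessibility(accessibility_text)

    sideloaded = sorted(
        pkg for pkg, inst in installers.items()
        if pkg not in system and inst not in trusted_installers
    )
    flagged = [pkg for pkg in sideloaded if pkg in a11y]
    return {"sideloaded": sideloaded, "accessibility_sideloaded": flagged}


if __name__ == "__main__":
    report = triage(PM_INSTALLERS_SAMPLE, PM_SYSTEM_SAMPLE, ACCESSIBILITY_SAMPLE)
    for key, pkgs in report.items():
        print(f"{key}: {pkgs}")
```

On the constructed input the sideloaded bank app is the only package that is both off the system image and holding accessibility access, so it is the one to pull and inspect. Because the injected modules spoof the signature inside the app process, do not trust the app's own integrity check; instead pull the APK and run `apksigner verify --print-certs` on the host, comparing the certificate fingerprint with the one the bank publishes.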
