Saved February 14, 2026
GoldFactory, a Chinese-speaking cybercrime group, is attacking mobile users in Indonesia, Thailand, and Vietnam by impersonating government services and distributing modified banking apps. Their tactics involve tricking victims into installing malware through phone calls and fake app links, leading to thousands of infections. The group has developed sophisticated methods to bypass security features of legitimate banking applications.
GoldFactory, a financially motivated cybercrime group, is targeting mobile users in Southeast Asia, particularly in Indonesia, Thailand, and Vietnam. They've been active since October 2024, distributing modified banking apps that deploy Android malware. Group-IB, a cybersecurity firm, reports over 2,200 infections in Indonesia alone, with 63% of the altered apps aimed at that market. The group has been linked to earlier malware like Gigabud and is known for its sophisticated tactics, including impersonating government services to trick users into installing malware via phone calls and messaging apps.
The malware operates by injecting malicious code into legitimate banking applications, so the trojanized apps keep their normal functionality while their security checks are bypassed. GoldFactory has developed three different malware families—FriHook, SkyHook, and PineHook—each built on a different framework for runtime hooking. These modules can hide installed apps, evade detection, spoof app signatures, and access victims’ financial information. The group’s infrastructure also includes a new malware variant, Gigaflower, which adds capabilities such as real-time screen streaming and keylogging.
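Because the hooking frameworks described above run inside the banking app and can spoof the signature the app reports about itself, a signer check performed by the app is not trustworthy on an infected device. The audit below, an added illustration that is not code from the article, Group-IB, or any affected bank, shows the shape of that check done from outside the app, as an MDM/EMM agent or a backend inventory job would do it: each installed package is compared against a pinned, known-good signing-certificate fingerprint, and installs that did not come from the official store are flagged. The package names, fingerprints, and inventory records are constructed sample data, not real values.

```python
"""Audit an installed-app inventory for repackaged or sideloaded banking apps.

Added example, not code from the article or from any vendor. All package
names and SHA-256 fingerprints below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pinned SHA-256 fingerprints of the legitimate signing certificates, as a
# bank or device-management team would record them. Constructed values.
PINNED_SIGNERS = {
    "com.examplebank.mobile": "a1" * 32,
    "com.examplebank.wallet": "b2" * 32,
}

# Installer packages considered official. Google Play's installer package
# name is com.android.vending; anything else (or None) means sideloaded.
OFFICIAL_INSTALLERS = {"com.android.vending"}


@dataclass(frozen=True)
class InstalledApp:
    package: str
    signer_sha256: str          # fingerprint as reported by the inventory source
    installer: Optional[str]    # None when installed from an APK file or browser


def normalize_fingerprint(fp: str) -> str:
    """Canonicalize 'AA:BB:...' or 'aabb...' forms so comparisons are stable."""
    return fp.replace(":", "").replace(" ", "").lower()


def check_app(app: InstalledApp) -> List[Tuple[str, str]]:
    """Return (package, finding) pairs for one app; empty when clean or unpinned."""
    expected = PINNED_SIGNERS.get(app.package)
    if expected is None:
        return []  # not a package we pin, nothing to compare against
    findings = []
    if normalize_fingerprint(app.signer_sha256) != expected:
        # Different signer with the same package name: the hallmark of a
        # repackaged, code-injected build of a legitimate app.
        findings.append((app.package, "signer_mismatch"))
    if app.installer not in OFFICIAL_INSTALLERS:
        # Installed via a link or file rather than the store, matching the
        # phone-call-plus-fake-link delivery the campaign relies on.
        findings.append((app.package, "unofficial_installer"))
    return findings


def audit_inventory(apps: List[InstalledApp]) -> List[Tuple[str, str]]:
    """Run check_app over a whole inventory and collect every finding."""
    results: List[Tuple[str, str]] = []
    for app in apps:
        results.extend(check_app(app))
    return results


# Constructed inventory: one clean store install, one repackaged sideload,
# and one unrelated app that is not pinned.
SAMPLE_INVENTORY = [
    InstalledApp("com.examplebank.mobile",
                 ":".join(["A1"] * 32), "com.android.vending"),
    InstalledApp("com.examplebank.wallet", "deadbeef" * 8, None),
    InstalledApp("com.example.game", "c3" * 32, "com.android.vending"),
]

if __name__ == "__main__":
    for package, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{package}: {finding}")
```

The signer fingerprint must come from a source the hooked app cannot influence (the platform package manager as read by a management agent, or an attestation service), otherwise the comparison inherits the same spoofing problem the article describes.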
Interestingly, GoldFactory has shifted from targeting iOS devices to focusing solely on Android. They now instruct victims to borrow Android devices from family members, likely due to tighter security measures on iOS. This change reflects their adaptability and underscores the ongoing threat they pose. Their latest campaigns illustrate not just a reliance on traditional malware methods but also a direct approach that modifies legitimate banking applications to commit fraud, demonstrating a low-cost yet effective strategy.