- Group-IB links poisoned mobile banking apps to GoldFactory
- Attackers decompile legitimate apps, add trojans/backdoors and spread them via phishing lures and fake websites
- Advanced malware families enable full device takeover and expose tens of millions to bank fraud
Hackers trick people into downloading poisoned mobile banking apps, steal their login credentials, monitor their activity, and, in many cases, enable financial fraud.
This is according to cybersecurity researchers at Group-IB, who said in a recent report that the group behind the campaign is most likely GoldFactory, known for stealing facial recognition data and targeting businesses and consumers in the Asia-Pacific region.
The first stage of the process is to decompile a legitimate banking app. This allows the attackers to add their own code, usually a remote access trojan or some form of backdoor. Then they recompile the app and create a landing page that is in most respects identical to the authentic one.
Sophisticated bank fraud
From there, they engage in “targeted social engineering campaigns” impersonating local governments or various service providers, the researchers said. In other words, the attackers create convincing phishing lures, trick people into visiting fake government and service provider websites, and sideload these poisoned applications.
The worst part is that on the surface the app behaves as it should, convincing the victims and making them unaware of what is happening in the background.
“GoldFactory uses a suite of advanced hooking malware families—including SkyHook, FriHook, PineHook, and Gigabud variants—to bypass app integrity checks, hide malicious activity, and take full control of infected devices. These tools allow attackers to capture sensitive data, automate on-screen actions, and even remotely control the phone,” Group-IB said.
While the focus so far is on the Asia-Pacific region, the approach allowed for rapid deployment across countries, it said. Tens of thousands of users and dozens of financial institutions are therefore exposed to “high-impact banking fraud”.
Craig Jones, former director of cybercrime at Interpol, recently spoke about GoldFactory on an episode of Masked Actors, saying its modus operandi “is sophisticated bank fraud.”
TechRadar Pro first reported on GoldFactory in mid-February 2024, when Group-IB discovered GoldPickaxe, a Trojan that steals biometric data and uses it to generate convincing deepfakes that can later be used to break into mobile banking applications.