Executive Summary
Between October and December 2024, a financially motivated threat group known as GoldFactory orchestrated an extensive campaign targeting mobile users across Indonesia, Thailand, and Vietnam. By impersonating trusted government services, the attackers distributed modified Android banking apps laced with malware, resulting in over 11,000 infections. Once installed, these malicious applications harvested sensitive financial data and enabled unauthorized transactions, posing significant financial risks to individual users and undermining trust in mobile banking channels. The campaign used phishing techniques and social engineering, making detection challenging for average users.
This incident illustrates the growing trend of cybercriminals leveraging mobile channels and government impersonation to amplify reach and lower the barrier for monetization in emerging markets. It also highlights the urgent need for stronger mobile security controls, user education, and regulatory vigilance to mitigate evolving threats targeting digital financial services.
Why This Matters Now
Mobile banking malware campaigns are accelerating in both sophistication and frequency, particularly in Southeast Asia where digital adoption is rapid but security hygiene may lag. As attackers innovate their social engineering and malware delivery methods, financial institutions and regulators must act swiftly to shore up controls and protect millions of vulnerable users.
Attack Path Analysis
GoldFactory's path began with distribution: modified banking apps, presented as government services, were pushed to Android users in Southeast Asia through phishing links. Once a victim installed the trojanized APK, the malware obtained elevated privileges on the handset, giving it deeper access to app data and user input. The infected device then established command and control (C2) with attacker infrastructure to receive instructions and updated payloads, and harvested banking and personal data were exfiltrated to the actor's servers over covert channels. The stolen data was finally monetized through fraudulent transactions, causing loss of funds for victims and disruption for the affected institutions. Lateral movement from the handset into the institution's cloud or backend environment (for example, by replaying stolen credentials and session material against backend APIs) is a modeled extension of this path rather than a reported step; the activity described for this campaign is device-centric.
Kill Chain Progression
Initial Compromise
Description
Attackers distributed phishing SMS and web links leading to fake government sites hosting trojanized banking apps, tricking users into installing malicious APKs.
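The lure described above (an SMS carrying a link to a lookalike "government" site that serves an APK) is the cheapest place to detect this campaign. The following Python is an added example, not code from the original report or from any vendor: it triages SMS bodies by extracting URLs and flagging hosts that are edit-distance lookalikes of an allowlisted service, that embed a legitimate brand label under an unrelated domain, that are raw IP addresses, or that point directly at an .apk file. The allowlisted hosts and the sample messages are constructed placeholders, not real government or bank domains.

```python
"""Triage SMS messages for links that impersonate a trusted service.

Added example; not part of the original report. LEGIT_HOSTS and SAMPLE_SMS
are constructed placeholders (no real government or bank domains).
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed allowlist of legitimate service hosts (constructed for the example).
# A tuple keeps iteration order deterministic.
LEGIT_HOSTS = ("eservice.example", "taxportal.example")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (iterative, O(len(a) * len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels). Sufficient for the
    constructed sample; a real deployment should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str) -> list[str]:
    """Return reasons a URL looks like an impersonation lure (empty = benign)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable-host"]
    # Exact host or subdomain of an allowlisted host: treated as legitimate.
    if any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS):
        return []
    reasons: list[str] = []
    labels = host.split(".")
    if IPV4_RE.fullmatch(host):
        reasons.append("raw-ip-host")
    for legit in LEGIT_HOSTS:
        # Typosquat: registrable domain within a couple of edits of a real one.
        distance = levenshtein(registrable(host), registrable(legit))
        if 0 < distance <= LOOKALIKE_MAX_DISTANCE:
            reasons.append(f"lookalike-of:{legit}")
        # Brand label reused under an unrelated domain (e.g. brand.example.evil.net).
        brand = legit.split(".")[0]
        if any(brand in label for label in labels):
            reasons.append(f"brand-in-label:{brand}")
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct-apk-download")
    return reasons


def triage_sms(message: str) -> dict:
    """Return a verdict plus per-URL reasons for one SMS body."""
    findings = {}
    for url in URL_RE.findall(message):
        reasons = analyze_url(url)
        if reasons:
            findings[url] = reasons
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages (not real lures).
SAMPLE_SMS = [
    "Your tax refund is ready. Confirm at https://eservice.example/refund/status",
    "Govt notice: install the new e-service app https://eservlce.example/EService.apk",
    "Account verification required: http://203.0.113.5/bank-update.apk",
    "Download the official portal at https://eservice.example.verify-app.net/app",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage_sms(sms))
```

Only the first sample passes: the second is a one-character typosquat that also serves an APK directly, the third uses a bare IP address, and the fourth hides the real brand name inside a subdomain of an unrelated registrable domain, which is the pattern a casual reader of the SMS is least likely to notice.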
Related CVEs
The two Android Framework elevation-of-privilege flaws below are relevant to the post-install privilege-escalation step in the modeled path. Note that the initial compromise described here did not depend on them: victims were socially engineered into installing sideloaded APKs themselves.
- CVE-2023-20963 (CVSS 7.8): an elevation of privilege vulnerability in the Android Framework allows a local attacker to gain access to sensitive data.
  Affected products: Google Android 11, 12, 13
  Exploit status: exploited in the wild
- CVE-2023-20954 (CVSS 7.8): an elevation of privilege vulnerability in the Android Framework allows a local attacker to gain access to sensitive data.
  Affected products: Google Android 11, 12, 13
  Exploit status: exploited in the wild
MITRE ATT&CK® Techniques
- Input Capture
- Masquerading
- Deliver Malicious App via Authorized App Store or Third-party App Store
- Multi-Stage Channels: Downloading or Dropping Apps
- Credential Access (tactic)
- Access Sensitive Data in Device Storage
- Modify System Partition
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Information Security Program
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Identity Verification & Device Trust
Control ID: Identity - Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Mobile banking trojans directly target financial institutions through modified banking apps, enabling credential theft, transaction manipulation, and regulatory compliance violations across Southeast Asia.
Financial Services
GoldFactory's modified banking applications compromise financial service platforms, exposing customer data and payment systems to fraud while violating encryption and data protection standards.
Government Administration
Cybercriminals impersonate government services to distribute Android malware, undermining public trust and compromising citizen data through fraudulent official application channels in targeted regions.
Telecommunications
Smishing lures and links to APK-hosting sites traverse mobile operator networks, so carriers are positioned to filter malicious SMS and block known distribution domains; operators' own platforms should apply east-west traffic security and zero trust segmentation so that a compromised application cannot be used to pivot further.
Sources
- GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections, The Hacker News: https://thehackernews.com/2025/12/goldfactory-hits-southeast-asia-with.html
- GoldFactory Resurfaces With Fake Banking Apps Across Southeast Asia, Red Secure Tech: https://www.redsecuretech.co.uk/blog/post/goldfactory-resurfaces-with-fake-banking-apps-across-southeast-asia/572
- GoldFactory Malware Infects 11,000 Devices in Southeast Asia, Better World Technology: https://www.betterworldtechnology.com/post/goldfactory-malware-banking-apps-asia
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust principles and CNSF controls (egress policy enforcement, microsegmentation, network encryption, and threat detection) limits what an attacker can do with stolen credentials and sessions against the institution's backend, and constrains C2 and exfiltration from any compromised server-side component. These controls continuously inspect, segment, and police both north-south and east-west traffic, disrupting the later stages of the attack. They do not prevent harvesting on the victim's handset itself, so they complement rather than replace mobile-side controls and user awareness.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of malicious links and anomalous device/app behavior.
Control: Zero Trust Segmentation
Mitigation: Limits lateral effects and prevents over-privileged service interactions.
Control: East-West Traffic Security
Mitigation: Inter-service lateral movement is blocked or closely inspected.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents malicious outbound C2 communications even over encrypted channels.
Control: Encrypted Traffic (HPE)
Mitigation: Sensitive data exfiltration is detected or blocked in encrypted network flows.
Rapid incident response and isolation reduce operational and financial harm.
Impact at a Glance
Affected Business Functions
- Mobile Banking Services
- Customer Account Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer information, including personal identification data and financial credentials, due to malware's ability to intercept and exfiltrate data from infected devices.
Recommended Actions
Key Takeaways & Next Steps
- Implement egress policy enforcement and FQDN-based controls to block unauthorized outbound and C2 communications from cloud and edge workloads.
- Enforce granular zero trust segmentation and least-privilege access between workloads and services, limiting lateral movement opportunities.
- Deploy continuous encrypted traffic monitoring and anomaly detection to identify and alert on suspicious exfiltration behaviors.
- Leverage centralized, multicloud visibility for rapid incident response and compliance reporting across distributed environments.
- Regularly validate and update segmentation and egress policies to adapt to evolving mobile malware and banking threats.
- Reinforce the mobile side of the problem: tell customers that official apps are never delivered through SMS links or sideloaded APKs, and treat logins from freshly installed or unrecognised app builds as higher risk.
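The first and third recommendations above (FQDN-based egress enforcement and detection of exfiltration and C2 behaviour, including over encrypted channels) can be expressed as a small policy engine over egress logs. The following Python is an added example, not code from the original report or from any product: it parses constructed proxy-style log lines, evaluates each connection against a per-workload FQDN allowlist with default deny, and then looks at the denied connections for two C2-like patterns, near-constant inter-arrival timing (beaconing) and bulk upload volume to a single unapproved host. The log format, workload roles, IPs, hostnames and thresholds are all assumptions made for the illustration.

```python
"""Evaluate egress logs against an FQDN allowlist and flag beaconing and
bulk uploads to unapproved destinations.

Added example; not part of the original report or any product. Log format,
workloads, hostnames and thresholds are assumptions for the illustration.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Assumed egress policy: FQDNs each workload role may reach. A leading "*."
# permits any subdomain of that name. Unknown workloads are denied everything.
EGRESS_POLICY = {
    "mobile-api": ["api.payments.example", "*.cdn.example"],
    "batch-worker": ["sftp.partner.example"],
}
WORKLOAD_ROLE = {"10.20.1.15": "mobile-api", "10.20.2.8": "batch-worker"}

BEACON_MIN_HITS = 4      # connections needed before judging regularity
BEACON_MAX_CV = 0.10     # stdev/mean of inter-arrival gaps at or below this = machine-like
EXFIL_BYTES = 5_000_000  # bulk-upload threshold to one non-allowlisted host

# FQDN comes from DNS/SNI, so the policy still applies when the payload is TLS.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst_fqdn=(?P<fqdn>\S+) dst_port=(?P<port>\d+) "
    r"bytes_out=(?P<bytes>\d+)"
)


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "fqdn": m["fqdn"].lower(),
            "port": int(m["port"]), "bytes": int(m["bytes"])}


def is_allowed(src: str, fqdn: str) -> bool:
    """Default-deny FQDN policy check for a source workload."""
    role = WORKLOAD_ROLE.get(src)
    if role is None:
        return False
    return any(fnmatchcase(fqdn, pattern) for pattern in EGRESS_POLICY[role])


def evaluate(lines: list[str]) -> tuple[list[dict], list[dict], list[dict]]:
    """Return (denied connections, beacon candidates, bulk-upload candidates)."""
    denied: list[dict] = []
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_allowed(rec["src"], rec["fqdn"]):
            denied.append(rec)
            by_pair[(rec["src"], rec["fqdn"])].append(rec)

    beacons, bulk = [], []
    for (src, fqdn), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        # Beaconing: enough hits and very low variation in the gap between them.
        if len(gaps) >= BEACON_MIN_HITS - 1 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            if cv <= BEACON_MAX_CV:
                beacons.append({"src": src, "fqdn": fqdn, "hits": len(recs),
                                "period_s": round(statistics.mean(gaps), 1)})
        # Bulk upload: total bytes out to one unapproved host over the window.
        total = sum(r["bytes"] for r in recs)
        if total >= EXFIL_BYTES:
            bulk.append({"src": src, "fqdn": fqdn, "bytes_out": total})
    return denied, beacons, bulk


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "2025-12-03T10:00:00Z src=10.20.1.15 dst_fqdn=api.payments.example dst_port=443 bytes_out=1200",
    "2025-12-03T10:00:00Z src=10.20.1.15 dst_fqdn=update-svc.example dst_port=443 bytes_out=512",
    "2025-12-03T10:01:10Z src=10.20.1.15 dst_fqdn=img.cdn.example dst_port=443 bytes_out=300",
    "2025-12-03T10:05:01Z src=10.20.1.15 dst_fqdn=update-svc.example dst_port=443 bytes_out=512",
    "2025-12-03T10:07:30Z src=10.20.2.8 dst_fqdn=sftp.partner.example dst_port=22 bytes_out=40000",
    "2025-12-03T10:09:59Z src=10.20.1.15 dst_fqdn=update-svc.example dst_port=443 bytes_out=512",
    "2025-12-03T10:12:00Z src=10.20.2.8 dst_fqdn=storage.drop.example dst_port=443 bytes_out=6000000",
    "2025-12-03T10:15:00Z src=10.20.1.15 dst_fqdn=update-svc.example dst_port=443 bytes_out=512",
    "2025-12-03T10:18:00Z src=10.20.9.9 dst_fqdn=api.payments.example dst_port=443 bytes_out=100",
    "2025-12-03T10:20:00Z src=10.20.1.15 dst_fqdn=update-svc.example dst_port=443 bytes_out=512",
]

if __name__ == "__main__":
    d, b, u = evaluate(SAMPLE_LOG)
    print(f"denied={len(d)} beacons={b} bulk_uploads={u}")
```

Against the sample, the policy denies seven connections: five five-minute check-ins from the API workload to an unapproved host (reported as a beacon with a 300-second period), one 6 MB upload from the batch worker to an unlisted storage host (reported as a bulk upload), and one connection from a source with no assigned role. The beacon test uses the coefficient of variation of the gaps rather than a fixed interval, so it also catches check-ins with a small amount of jitter.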