- Group-IB Links Poisoned Mobile Banking Apps to GoldFactory
- Attackers decompile legitimate applications, add Trojans/backdoors and spread them via phishing lures and fake sites.
- Advanced malware families can take complete control of devices, exposing tens of thousands of people to bank fraud.
Hackers trick people into downloading poisoned mobile banking apps, stealing their login credentials, monitoring their activity, and in many cases enabling financial fraud.
This is according to cybersecurity researchers Group-IB who, in a recent report, said the group was most likely GoldFactory, known for stealing facial recognition data and targeting businesses and consumers in the Asia-Pacific region.
The first step in the process is to decompile a legitimate banking application. This allows attackers to add their own code, usually a remotely accessible Trojan or form of backdoor. Then they recompile the app and create a landing page that in many ways is identical to the authentic page.
Sophisticated bank fraud
From there, they engage in “targeted social engineering campaigns,” posing as local governments or different service providers, according to the researchers. In other words, attackers create convincing phishing lures, tricking people into visiting fake government and service provider websites, and loading these poisoned apps.
The worst part is that the app, on the surface, behaves as it is supposed to, convincing victims and making them oblivious to what is happening in the background.
“GoldFactory uses a suite of advanced malware families – including SkyHook, FriHook, PineHook and Gigabud variants – to bypass application integrity checks, hide malicious activities and take full control of infected devices. These tools allow attackers to capture sensitive data, automate on-screen actions and even remotely view and use the victim’s phone,” Group-IB explained.
Although the focus so far has been on the Asia-Pacific, the approach has enabled rapid deployment to all countries, it was said. Tens of thousands of users, and dozens of financial institutions, are thus exposed to “high-impact banking fraud”.
Craig Jones, former director of cybercrime at Interpol, recently spoke about GoldFactory on an episode of Masked Actors, and said its modus operandi “is sophisticated bank fraud.”
TechRadar Pro was first reported on GoldFactory in mid-February 2024, when Gold-IB discovered GoldPickaxe, a Trojan that steals biometric data and uses it to generate convincing deepfakes that can then be used to break into mobile banking applications.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
