New Malware Hijacks Trusted Banking Apps — Stay Safe Now

Emerging Threat: Malicious Banking Apps and Phishing Schemes

Hackers are increasingly targeting legitimate banking applications by decompiling them and injecting malicious code. These modified apps are then distributed through familiar delivery methods such as phishing lures and fake websites that closely resemble real ones. Researchers at Group-IB have identified this activity as part of a broader campaign potentially linked to the GoldFactory group, which is known for stealing facial recognition data.

The malware campaign has exposed thousands of users to banking fraud and allowed attackers to gain full control over infected devices. In addition to adding trojans or backdoors, the group has tampered with 27 original banking applications. After injecting malicious code, the attackers impersonate government agencies or services using tactics like smishing, phishing, or social engineering to trick victims into visiting counterfeit websites.

For instance, an initial lure might come in the form of a text message from an electricity provider or the Department of Health, directing the target to a fake website that mimics an official one. Victims are then prompted to download an infected app to make a payment. Some scams start with messages on text or messaging apps and later escalate to phone calls for further instructions.

Victims may be asked to borrow an Android device to complete the process or given a link to a site that resembles the actual Google Play Store but is used to deliver an APK file. Because the fake app functions similarly to the genuine one, users often don’t realize they are interacting with a malicious app.
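A repackaged APK cannot carry the original publisher's signature: once the attacker modifies and rebuilds the app, it has to be re-signed with a key the attacker controls, so the signing-certificate fingerprint differs from the bank's. The following added example (not code from the article or from Group-IB) shows how an analyst can pull the signer certificate out of an APK's v1 signature block and compare its SHA-256 with a pinned value; it assumes the bank publishes that fingerprint, uses a deliberately minimal DER walker rather than a full ASN.1 parser, and builds its own constructed sample APK with dummy certificates.

```python
import hashlib
import io
import zipfile

def der_read(buf, pos):
    # One DER tag/length at pos -> (tag, value_start, value_end); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    # Each element inside a constructed value -> (tag, tlv_start, value_start, value_end).
    pos = start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        yield tag, pos, vs, ve
        pos = ve

def signer_cert_sha256(pkcs7):
    """SHA-256 fingerprint of the first certificate in a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, ci_s, ci_e = der_read(pkcs7, 0)                          # ContentInfo SEQUENCE
    _, _, sd_s, _ = list(der_children(pkcs7, ci_s, ci_e))[1]    # content [0] EXPLICIT
    _, sd_s, sd_e = der_read(pkcs7, sd_s)                       # SignedData SEQUENCE
    for tag, _, vs, ve in der_children(pkcs7, sd_s, sd_e):
        if tag == 0xA0:                                         # certificates [0] IMPLICIT
            _, c_s, _, c_e = next(der_children(pkcs7, vs, ve))  # first Certificate TLV
            return hashlib.sha256(pkcs7[c_s:c_e]).hexdigest()
    raise ValueError("no certificate in signature block")

def verify_apk_signer(apk_bytes, pinned_sha256):
    """Return (matches, fingerprint); matches is True only for the publisher's pinned signer."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sigs = [n for n in z.namelist() if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sigs:
            return False, "no v1 signature block (v2/v3-only APK: check with apksigner)"
        fp = signer_cert_sha256(z.read(sigs[0]))
    return fp == pinned_sha256.lower(), fp
# Constructed sample: dummy certificates wrapped in a minimal SignedData, not a real app or key.
def tlv(tag, body): return bytes([tag, len(body)]) + body  # DER, short-form length only (<128)
ID_DATA, ID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010701"), bytes.fromhex("06092a864886f70d010702")
def build_sample_apk(cert_der):
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, ID_DATA) + tlv(0xA0, cert_der) + tlv(0x31, b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", tlv(0x30, ID_SIGNED_DATA + tlv(0xA0, signed)))  # ContentInfo
    return buf.getvalue()
PUBLISHER_CERT = tlv(0x30, tlv(0x04, b"constructed publisher certificate"))
PINNED = hashlib.sha256(PUBLISHER_CERT).hexdigest()
```

Real APKs signed only with scheme v2/v3 have no META-INF signature file, so for those (and for anything production-grade) use `apksigner verify --print-certs` and compare its certificate digest with the pinned value.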

Once downloaded, the app requests unnecessary permissions, enabling threat actors to steal login credentials, monitor activities, commit financial fraud, and even take over the device. The group can also erase traces of its actions after completing these malicious tasks.

Group-IB notes that GoldFactory uses advanced hooking malware families such as SkyHook, FriHook, PineHook, and Gigabug. These tools can bypass many built-in app integrity checks, allowing attackers to hide their activities. They can also capture sensitive data, automate on-screen actions, and remotely view or operate the victim’s phone.

Although the current victims are mainly located in regions where GoldFactory typically operates—Vietnam, Thailand, and Indonesia—the approach could easily expand to other countries like the U.S. or the U.K.

How to Stay Safe from Malware

Fortunately, this campaign isn’t widespread yet. However, as with most phishing, vishing, and smishing campaigns, the best way to protect yourself is to stay calm and think critically about any messages you receive. Be extremely suspicious of any messages from government agencies or services that arrive through non-official channels. Does your power company usually send you text messages? Is it normal for the Department of Health to contact you via mobile?

When encountering unexpected messages, the rules remain the same: Never click on any links or codes in a message if you don’t know who sent it. Avoid downloading anything unless you’ve verified its source. If someone asks you to download something, hang up or ignore the message and contact the organization directly to confirm the request is legitimate.

Always check the URLs of websites you visit or manually enter them to ensure you're accessing the correct site. Make sure you have reliable antivirus software installed on your devices. Most antivirus programs include features that alert you when visiting a suspicious website or attempting to download an illegitimate program. Additional features like a VPN, ransomware rollback, and more can help keep you safe online.

While this campaign is currently limited to several Southeast Asian countries, its success so far suggests it could spread. For this reason, it's crucial to maintain good cyber hygiene and remain cautious of unsolicited messages claiming to be from government agencies or businesses. This proactive approach can help you avoid becoming a victim of this evolving malware campaign if it spreads to other regions.
