SOCRadar® Cyber Intelligence Inc. | GoldDigger (GoldFactory Android Trojan)
Jun 25, 2026

What is GoldDigger? Inside GoldFactory’s Mobile Banking Fraud Operation

GoldDigger is an Android banking trojan developed by a Chinese-speaking threat actor known as GoldFactory. First identified by Group-IB in August 2023, with activity dating back to at least June 2023, the trojan initially targeted more than 50 Vietnamese banking applications, e-wallets, and cryptocurrency wallets before rapidly expanding its targeting to other APAC regions and beyond.

GoldDigger is not a standalone threat. It is the first member of a malware family that has grown into a full fraud suite, with GoldFactory subsequently releasing GoldDiggerPlus, GoldKefu, and GoldPickaxe, the latter being the first iOS trojan ever documented to steal facial recognition biometric data.

GoldDigger Definition and Background

GoldDigger is classified as an Android banking trojan because it targets mobile banking applications and uses the Android Accessibility Service to intercept credentials and session data without the victim’s awareness. Group-IB’s August 2023 discovery placed GoldDigger within a broader GoldFactory ecosystem that researchers believe maintains active development and regular capability updates.

The trojan’s initial focus on Vietnamese banking applications established a high-value target set: over 50 financial apps with significant mobile user bases. Researchers subsequently identified targeting expansion indicators pointing toward European banking apps and Spanish-language markets.

The GoldFactory Malware Suite

GoldFactory operates as an organized mobile fraud development group, maintaining a suite of related malware rather than a single tool.

GoldDigger

The original Android trojan. Targets banking apps through Accessibility Service abuse to intercept credentials, monitor SMS messages for OTP codes, and exfiltrate captured data to attacker-controlled servers.

GoldDiggerPlus

An enhanced version of GoldDigger with an embedded trojan component called GoldKefu, adding real-time communication capabilities for more interactive fraud.

GoldKefu

An embedded trojan within GoldDiggerPlus that enables interactive fraudulent calls, where attackers contact victims directly while the malware operates in the background.

GoldPickaxe

The most technically significant member of the family. Designed for both Android and iOS, GoldPickaxe is the first iOS trojan documented to steal biometric facial recognition data. It collects face scans, identity documents, and SMS messages to enable deepfake-assisted bank fraud. Thai police confirmed that this technique was used in connection with a series of fraudulent banking transactions.

Researchers have also identified connections between GoldFactory and the Gigabud Android RAT family, suggesting broader infrastructure sharing within a Chinese-speaking cybercriminal network.

How GoldDigger Works: Attack Flow and Mechanics


Delivery through social engineering

GoldDigger is not distributed through the official Google Play store. Attackers spread it through fake application storefronts, malicious links shared in phishing messages, and apps that impersonate legitimate government or utility services.

Accessibility Service abuse

Once installed, the malware requests Accessibility Service permissions. When granted, these permissions give GoldDigger broad visibility into screen content, text entry fields, and actions taken in other apps. This is the core capability that enables credential theft from banking apps.
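The two precursors described above, an app installed outside the official store and an enabled Accessibility Service, are both visible to a defender through standard Android tooling. The triage helper below is an added example written for this article; it is not SOCRadar's or Group-IB's code. It parses the text printed by two real commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags packages that hold an accessibility service, are not on an allowlist, and were not installed by the Play Store. The sample outputs, the allowlist, and the package name `com.example.govservice` are constructed placeholders, not known GoldDigger indicators.

```python
"""Fleet triage helper: flag apps that hold an enabled Accessibility Service
and were sideloaded rather than installed by the Play Store.

Added example for this article, not SOCRadar's or Group-IB's tooling.
Input is the text printed by:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
The sample outputs below are constructed; 'com.example.govservice' is a
placeholder name, not a real GoldDigger indicator.
"""
import re
from typing import Dict, List, Set

# Constructed output of `settings get secure enabled_accessibility_services`.
# Entries are package/ServiceClass pairs separated by ':'.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.govservice/com.example.govservice.AccessService"
)

# Constructed output of `pm list packages -i`: package plus installing package.
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.govservice  installer=null
package:com.bank.mobile  installer=com.android.vending
"""

# Installers a defender normally trusts; com.android.vending is the Play Store.
# 'null' means the APK was sideloaded (adb, browser download, third-party store).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Accessibility-service packages expected on managed devices (assumption).
ALLOWLISTED_A11Y: Set[str] = {"com.google.android.marvin.talkback"}

PM_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S*)")


def parse_accessibility_services(raw: str) -> List[str]:
    """Return the package names that currently hold an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    result: Dict[str, str] = {}
    for line in raw.splitlines():
        m = PM_LINE_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = installer or "null"
    return result


def find_suspicious(a11y_raw: str, pm_raw: str) -> List[dict]:
    """Flag packages combining the two precursors the article describes:
    an enabled accessibility service and a non-store installation."""
    installers = parse_installers(pm_raw)
    findings = []
    for pkg in parse_accessibility_services(a11y_raw):
        if pkg in ALLOWLISTED_A11Y:
            continue
        installer = installers.get(pkg, "unknown")
        reasons = ["accessibility service enabled, package not allowlisted"]
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed outside trusted stores (installer={installer})")
        findings.append({"package": pkg, "installer": installer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_A11Y, SAMPLE_PM):
        print(finding["package"], "->", "; ".join(finding["reasons"]))
```

On a real device the two strings come from the adb commands named in the docstring; a package that appears in both checks is worth pulling for analysis, while an allowlisted screen reader installed from the Play Store is expected and produces no finding.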

Evasion and obfuscation

The malware uses the Virbox Protector commercial obfuscation tool to frustrate static analysis and slow detection by researchers and antivirus products. It also runs anti-emulator and anti-sandbox checks, detecting analysis environments and suppressing its malicious behavior when one is found.

Exfiltration to C2

Captured data, including banking credentials, OTP codes intercepted from SMS messages, and device information, is transmitted to C2 servers operated by GoldFactory.

GoldPickaxe: The First iOS Trojan Stealing Biometric Data

GoldPickaxe represents a significant technical escalation in mobile banking fraud. While Android banking trojans are well established, iOS trojans are rare because of Apple’s stricter application controls.

GoldPickaxe distributes on iOS through two channels: TestFlight, Apple’s beta testing platform, and MDM profile exploitation. By convincing victims to install a malicious MDM profile, attackers gain device management permissions that allow application installation outside the App Store.

The malware’s primary capability is the collection of facial recognition data. GoldPickaxe prompts victims to scan their faces, using lures such as a request to verify identity for a government service. The collected face scans are then used to generate deepfake videos that pass biometric verification checks at banking institutions, allowing attackers to initiate fraudulent transactions.

The combination of identity document collection, SMS interception, and facial biometric theft makes GoldPickaxe significantly more capable than conventional banking trojans.

Target Regions, Industries, and Victims

GoldDigger’s initial targeting focused on Vietnam, where the trojan specifically listed over 50 banking apps, e-wallets, and cryptocurrency services. Subsequent research by Group-IB and other threat intelligence firms identified expansion to Thailand, with the Thai banking sector reporting GoldPickaxe-linked fraud incidents that prompted a police warning.

Expansion indicators suggest GoldFactory is actively developing targeting for European banking applications and Spanish-language markets. The malware’s architecture is modular, and adding new target app lists requires relatively little development effort.

Target profiles favor retail banking customers with mobile banking apps, cryptocurrency exchange users, and individuals who have linked digital payment services to their accounts.

How GoldFactory Evades Detection

Anti-emulator checks: detect whether the device has the characteristics of an analysis environment, including the number of installed applications, device identifier patterns, and hardware properties. When analysis conditions are detected, the malware suppresses its behavior.

Legitimate app impersonation: uses the icons, names, and interface designs of real government services and banking apps to reduce suspicion during installation.

MDM profile abuse: GoldPickaxe uses MDM profiles, which are legitimate enterprise management tools, as a delivery mechanism, so the installation looks like standard enterprise device management to the device’s security controls.

How to Protect Against GoldDigger and GoldFactory Trojans

For individuals

Install apps only from the official Google Play Store or Apple App Store. Reject any request to install an MDM profile from an unknown source. Be skeptical of requests to scan your face through an application that was not downloaded from an official store. Enable bank notification alerts so unusual transactions are detected quickly.

For security teams

Monitor threat intelligence for GoldFactory IOCs and update mobile threat defense tools with the latest signature and behavioral rules. Educate employees and customers about sideloading risks. Consider biometric fraud detection controls at the authentication layer.

For banks and fintech

Review biometric authentication flows for vulnerability to deepfake bypass. Implement liveness detection controls that go beyond a static face scan. Monitor for unusual patterns in facial verification failures that might indicate an ongoing deepfake fraud operation.
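The monitoring control mentioned above, watching for unusual patterns in facial verification failures, can be expressed as two simple sliding-window rules over authentication telemetry: one device producing repeated verification failures, and one device attempting verification for many different accounts, each inside a short window. The code below is an added example written for this article, not SOCRadar's product code or any bank's real pipeline; the log format, the field names, the ten-minute window and the thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag facial-verification failure patterns consistent with a deepfake
fraud operation: repeated failures from one device, or one device cycling
through many accounts, inside a sliding window.

Added example for this article, not SOCRadar's or any bank's code.
Log format, field names and thresholds are assumptions; the sample
lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample telemetry: one verification attempt per line.
SAMPLE_LOG = """\
2024-05-01T09:58:10 device=dev-A account=acc-101 outcome=PASS
2024-05-01T10:00:00 device=dev-B account=acc-201 outcome=FAIL_LIVENESS
2024-05-01T10:01:30 device=dev-B account=acc-202 outcome=FAIL_LIVENESS
2024-05-01T10:03:05 device=dev-B account=acc-203 outcome=FAIL_MATCH
2024-05-01T10:04:40 device=dev-B account=acc-203 outcome=PASS
2024-05-01T10:30:00 device=dev-C account=acc-301 outcome=FAIL_MATCH
2024-05-01T11:00:00 device=dev-C account=acc-301 outcome=PASS
"""

LINE_RE = re.compile(r"^(\S+) device=(\S+) account=(\S+) outcome=(\S+)$")
WINDOW = timedelta(minutes=10)   # sliding window per device (assumption)
MAX_FAILURES = 3                 # failed verifications inside WINDOW
MAX_ACCOUNTS = 3                 # distinct accounts inside WINDOW


def parse_log(raw: str) -> List[dict]:
    """Parse lines into events sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, device, account, outcome = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "device": device,
            "account": account,
            "failed": outcome.startswith("FAIL"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: List[dict]) -> List[dict]:
    """Slide a per-device window over the events; raise each rule once per device."""
    recent: Dict[str, Deque[dict]] = defaultdict(deque)
    raised = set()
    alerts = []
    for ev in events:
        window = recent[ev["device"]]
        window.append(ev)
        # Drop events that fell out of the window relative to this event.
        while window and ev["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()
        failures = sum(1 for e in window if e["failed"])
        accounts = sorted({e["account"] for e in window})
        checks = [
            ("failure_burst", failures >= MAX_FAILURES),
            ("account_spray", len(accounts) >= MAX_ACCOUNTS),
        ]
        for rule, hit in checks:
            key = (ev["device"], rule)
            if hit and key not in raised:
                raised.add(key)
                alerts.append({
                    "rule": rule,
                    "device": ev["device"],
                    "at": ev["ts"].isoformat(),
                    "accounts": accounts,
                    "failures": failures,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["rule"], alert["device"], alert["at"], alert["accounts"])
```

In the constructed sample, device `dev-B` trips both rules at its third attempt and then passes verification for one of the accounts shortly afterwards; that pass is the event a bank would want to route to step-up authentication or manual review rather than treat as a clean login. Device `dev-C` fails once and succeeds half an hour later, which stays below both thresholds and produces no alert.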

How Does SOCRadar Threat Intelligence Track GoldFactory?

SOCRadar monitors threat actor activity including GoldFactory through its threat intelligence feeds and Advanced Dark Web Monitoring capabilities. IOCs associated with GoldDigger and GoldPickaxe campaigns, including C2 infrastructure, malicious app hashes, and attacker infrastructure, are tracked and made available to security teams through the SOCRadar platform.

Frequently Asked Questions

What is GoldDigger malware?

GoldDigger is an Android banking trojan developed by GoldFactory that uses the Android Accessibility Service to steal banking credentials, intercept OTP codes, and exfiltrate data from over 50 targeted financial applications.

What is GoldPickaxe?

GoldPickaxe is the iOS member of the GoldFactory malware suite. It is the first documented iOS trojan that collects facial recognition biometric data to enable deepfake-assisted bank fraud.

Is GoldDigger targeting my country?

GoldDigger initially targeted Vietnam and Thailand. Expansion indicators suggest active development of European and Spanish-language targeting. Monitor GoldFactory threat intelligence reporting for current geographic scope.