# GoldDigger / GoldFactory
A suite of Android (and iOS) banking trojans operated by a Chinese-speaking threat actor group dubbed "GoldFactory" by Group-IB. The cluster includes GoldDigger, GoldDiggerPlus, GoldKefu, and GoldPickaxe. GoldPickaxe is the first mobile trojan observed stealing facial biometric data to create deepfakes for bypassing bank face-verification systems.
## Overview
| Property | Value |
|---|---|
| First Seen | June 2023 (GoldDigger) |
| Type | Banking trojan suite |
| Attribution | "GoldFactory" (Chinese-speaking threat actor, evidence: Chinese debug strings, Chinese-language C2 panels) |
| Aliases | Trojan-Banker.AndroidOS.GoldDigger (Kaspersky) |
## Malware Suite
| Malware | Platform | First Seen | Primary Target |
|---|---|---|---|
| GoldDigger | Android | June 2023 | Vietnam (50+ banks) |
| GoldDiggerPlus | Android | September 2023 | Vietnam |
| GoldKefu | Android (embedded in GoldDiggerPlus) | September 2023 | Vietnam |
| GoldPickaxe | Android + iOS | Late 2023 | Thailand, Vietnam |
## Distribution
Lures impersonated Vietnamese government portals, energy companies, and Thai government service apps (e.g., the Digital Pension app). The GoldPickaxe iOS variant was distributed first via Apple TestFlight and later via MDM profiles.
## Capabilities
### GoldDigger (Android)
| Capability | Implementation |
|---|---|
| Accessibility abuse | Extract personal info, steal banking credentials, intercept SMS |
| Target scope | 50+ Vietnamese banking apps, e-wallets, crypto wallets |
| Packing | All samples packed with Virbox Protector |
### GoldPickaxe (Android + iOS)
| Capability | Implementation |
|---|---|
| Facial biometric theft | Collected facial profiles for deepfake generation |
| Identity document theft | Captured photos of identity documents |
| SMS interception | OTP and verification code theft |
| Traffic proxying | Proxied traffic through victim devices |
| AI deepfakes | Threat actors used AI face-swapping to bypass bank face-verification |
## Impact
A documented case in February 2024 resulted in a Vietnamese victim losing over $40,000 after performing a facial recognition scan at the malware's request. By December 2025, GoldFactory campaigns drove 11,000+ infections across Southeast Asia.
## Shared Infrastructure
GoldFactory shares infrastructure with SpyNote and Gigabud. All GoldDigger samples use Virbox Protector for obfuscation.