
GoldDigger Banking Malware Targets Vietnamese Android Users

Android Banking Malware Used Legitimate Obfuscation Tool to Evade Detection

Cybersecurity company Group-IB said threat actors are using a new and advanced banking Trojan, dubbed GoldDigger, to steal credentials from 51 Vietnamese financial apps, e-wallets and cryptocurrency applications.


Group-IB said in a report Thursday that it has tracked the GoldDigger Trojan since June.

The threat actors created several fake Vietnamese corporate websites and distributed links to the sites to Vietnamese mobile users through text messages and phishing emails, advertising the Android Trojan as a legitimate application for either a Vietnamese government portal or a local energy company.

Once Android users visited a fake webpage, they were prompted to turn on the "Install from Unknown Sources" function of their devices before downloading the application. Once installed, GoldDigger prompted the users to enable Accessibility Service to gain a range of intrusive capabilities.

"Granting Accessibility Service permissions to GoldDigger enables it to gain full visibility into user actions and interact with user interface elements," Group-IB said. "This means it can see the victim's balance, harvest the second credential issued for two-factor authentication and implement keylogging functions, allowing it to capture credentials."
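A defender-side triage check for the permission pattern described above, added here as an example and not part of Group-IB's report or this article: it parses a decoded AndroidManifest.xml and flags an app that binds an accessibility service while also requesting sideloading or SMS capabilities. The manifest below is constructed for illustration (package name and service name are hypothetical), not taken from a real GoldDigger sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's form of the android: attribute prefix

# The chain described in the article: an accessibility service (UI visibility,
# keylogging, simulated taps) combined with capabilities that ease sideloading
# or OTP interception. Accessibility alone is legitimate for assistive apps.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OTHER_RISKY = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_SMS",
}

# Constructed sample manifest in decoded form (as apktool would show it).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeportal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".SvcA11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return findings for the accessibility-abuse pattern in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    a11y_services = []
    for svc in root.iter("service"):
        bound = svc.get(A + "permission") == ACCESSIBILITY_PERM
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if bound and ACCESSIBILITY_ACTION in actions:
            a11y_services.append(svc.get(A + "name"))
    risky = sorted(perms & OTHER_RISKY)
    # Only the combination warrants analyst review, not accessibility by itself.
    suspicious = bool(a11y_services) and bool(risky)
    return {"package": root.get("package"), "accessibility_services": a11y_services,
            "risky_permissions": risky, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```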

GoldDigger can scan the host device for as many as 51 financial apps, e-wallets and crypto apps in Vietnam, capture stored credentials and exfiltrate the captured data to command-and-control servers.

GoldDigger is capable of simulating user interactions to enable remote access to a device and conduct authentication bypass to authorize a payment from a legitimate device.

Group-IB said GoldDigger was configured to perform a number of data exfiltration activities, but it did not know for sure if the cybercriminals had activated all of the malware's functions.

According to Group-IB, cybercriminals use hundreds of Android banking Trojans to target financial organizations, but with GoldDigger they took special care to build in features that evade detection and analysis, including when researchers scan it in sandboxes or emulators to detect malicious activity.

Researchers found that GoldDigger's operators used a legitimate advanced protection mechanism called Virbox Protector. The tool lets software developers protect applications, app libraries and code against decompilation and reverse engineering, ensuring that the code cannot be copied and preventing threat actors from injecting malicious code into memory. Applied to a Trojan, the same protection makes the malicious app harder to detect and analyze.

About the Author

Jayant Chakravarti


Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
