Gigabud RAT Android Banking Malware Takes Aim at International Financial Institutions
Gigabud RAT Android Banking Malware Takes Aim at International Financial Institutions

Image: Mika Baumeister (unsplash)

Customers of several financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are under the threat of an Android banking malware known as Gigabud RAT.

According to Group-IB researchers, a distinctive feature of Gigabud RAT is its ability to lay dormant until the user has been authorized in the malicious app by a fraudster. This stealthy approach makes it especially challenging to detect. Instead of relying on HTML overlay attacks, this malware primarily captures sensitive information using screen recording techniques.

Gigabud RAT first came to light when Cyble reported it in January 2023. They noticed it masquerading as bank and government apps to extract valuable data. Records indicate its malicious activities started as early as July 2022.

The Singapore-based firm also revealed another variant of the malware without the RAT functions, termed Gigabud.Loan. Disguised as a loan application, this version specializes in gathering user input data. This variant targets individuals by tempting them with low-interest loans. During the process, victims are persuaded to share personal details.

Both malware iterations spread through phishing websites. Victims are often led to these sites through links sent via SMS or social media messages. Gigabud.Loan, in some cases, is shared directly as APK files via WhatsApp.

Often, potential victims on social media are persuaded to visit these sites with the promise of completing tax formalities and availing refunds.

Although Android has a security feature that disables “Install from Unknown Sources” by default, the operating system does let certain apps, like browsers and messaging tools, to request “REQUEST_INSTALL_PACKAGES” permission. If a user provides such permissions, it creates an opportunity for malicious actors to install rogue APK files, sidestepping the standard security settings.

Gigabud operates similarly to other Android banking trojans. It seeks permissions for accessibility services, allowing it to capture screens and log keystrokes. It can also substitute bank card numbers and initiate unauthorized transactions.

Conversely, Gigabud.Loan is tailored to collect detailed personal information under the pretense of bank loan applications.

Separately, there’s been a discovery of 43 deceptive apps on the Google Play Store, which run ads when the device is inactive. These apps, downloaded 2.5 million times collectively, have been either removed or updated to eradicate the fraudulent component.

Security firm McAfee has identified adware in these apps which, when installed, requests permissions that could pave the way for more malicious actions, like running ads covertly and presenting phishing sites. This ad fraud software also utilizes delay mechanisms to avoid detection and can be remotely altered for increased versatility.

Furthermore, the U.S. Federal Bureau of Investigation (FBI) has been alerting the public about a rise in deceitful recovery and tracing companies promising to help recover assets lost in cryptocurrency scams. These con artists often ask for advance payment and then either vanish or provide inadequate services, demanding more fees.

Moreover, the FBI has warned of cybercriminals employing tricky tactics, including deploying malevolent codes within beta-testing apps posing as legitimate crypto investment tools. These apps deceive by mirroring popular ones. After establishing initial communication through tactics like romance scams, these criminals direct victims to download such mobile beta-testing apps, often with promises of substantial financial rewards. Unfortunately, when victims provide legitimate account details, the funds are diverted to these criminals.

Interestingly, the misuse of Apple’s TestFlight beta testing framework for similar scams was spotlighted by cybersecurity firm Sophos the previous year. Some campaigns have even exploited Apple’s app distribution schemes to distribute fake crypto apps. In some cases, approved apps are altered post-publication, with remote codes modified to introduce malicious activities.