GoldDigger Android Trojan Compromises Bank Accounts

Security experts identified a novel Android Trojan crafted to discreetly collect user data, notably banking app credentials. This information allows unauthorized access, leading to potential financial losses for victims.

Group-IB, which named the Trojan “GoldDigger”, reports that it has been active since June 2023. Its primary focus appears to be users of more than 50 Vietnamese banking applications, in addition to e-wallets and crypto-wallets. Notably, the malware carries multilingual features, suggesting plans to widen its reach across Asia, Europe, and South America.

It seems that the initial point of contact for potential victims is deceptive emails containing links. These direct users to counterfeit Google Play pages or other deceitful brand sites, as revealed by Group-IB.

The Trojan skillfully camouflages itself within an Android application, bearing a resemblance to either a Vietnamese governmental platform or an energy firm, Group-IB noted.

Once installed, GoldDigger asks the user to grant it access to the Android Accessibility Service. That permission lets the malware observe and act on what happens on the device: it can read confidential data such as banking app passcodes as they are entered, and it can intercept SMS messages and forward them to a remote command-and-control server.

Additionally, the malware’s authors protect it with a legitimate commercial obfuscation tool, Virbox Protector. This adds a layer of complexity that makes it harder for analysts to decipher the Trojan’s inner workings, according to Group-IB.

Currently, Vietnam stands out as the central target for GoldDigger. Yet, findings from Group-IB’s Threat Intelligence unit reveal language adaptations in the malware not just for Vietnamese, but also for Spanish and traditional Chinese. Anh Le, a prominent figure at Group-IB in Vietnam, indicated the possibility of an expanded operational scope, potentially targeting Spanish and Chinese-speaking regions. Group-IB’s efforts to unravel the depths of GoldDigger’s operations remain ongoing, with updates anticipated.

To safeguard against such threats, Group-IB emphasized the importance of keeping mobile devices current with updates, practicing caution with application sources, and being meticulous about application permission requests post-download.
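The Accessibility Service grant described earlier is the one thing GoldDigger cannot do without, so a quick audit of which packages hold it is a practical complement to the permission advice above. The script below is an added example, not code from the article or from Group-IB; it parses the value that `adb shell settings get secure enabled_accessibility_services` returns on a real device, and the allowlist and the sample package names are assumptions and constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from Group-IB.
# Audits which apps hold the Android Accessibility Service, the permission the
# article says GoldDigger asks for on install. On a real device the value comes
# from:
#   adb shell settings get secure enabled_accessibility_services
# which prints "null" when nothing is enabled, otherwise a colon-separated list
# of "package/ServiceClass" entries. A constructed sample stands in for that
# output here so the script runs offline; the package names are placeholders.

# Assumption: packages whose accessibility services you expect on your devices.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.switchaccess"

# Constructed stand-in for the device setting (one legitimate, one unexpected).
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakegov/com.example.fakegov.Svc"

# flag_unexpected_services <setting value>
# Prints every enabled service whose package is not in ALLOWED_PACKAGES.
flag_unexpected_services() {
    if [ -z "$1" ] || [ "$1" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -n "$entry" ]; then
            pkg=${entry%%/*}
            allowed=0
            for a in $ALLOWED_PACKAGES; do
                if [ "$a" = "$pkg" ]; then allowed=1; fi
            done
            if [ "$allowed" -eq 0 ]; then printf '%s\n' "$entry"; fi
        fi
    done
    return 0
}

# count_unexpected_services <setting value>
# Prints the number of flagged services (0 means nothing unexpected).
count_unexpected_services() {
    flag_unexpected_services "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; swap in the adb output on a real device.
echo "Unexpected accessibility services:"
flag_unexpected_services "$SAMPLE_SETTING"
echo "Count: $(count_unexpected_services "$SAMPLE_SETTING")"
```

A non-zero count on a device that should only run a screen reader is the signal to investigate the flagged package before it can read banking app input.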