Gigabud, an Android banking trojan impersonating government entities, initially targeted Thailand, the Philippines, and Peru. Its source code significantly overlaps with Golddigger, another Android banking trojan targeting Vietnam.
This overlap points to a shared threat actor who has expanded Gigabud’s scope to include Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia, demonstrating increased sophistication and wider geographic targeting.
Researchers have discovered phishing sites mimicking Google Play that disseminate Gigabud malware; the sites pose as South African Airways and Ethiopian Airlines to trick users into downloading the malicious apps.
The alignment of malware samples from South Africa and the use of African airline themes suggest threat actors have broadened their targeting to include both South Africa and Ethiopia.
Gigabud malware has expanded its targeting to include Mexico and Indonesia, impersonating HeyBanco and M-Pajak, respectively, through fraudulent login pages.
The malware’s distribution has surged since June 2024, indicating a heightened campaign.
It shares code similarities with Golddigger, suggesting a common threat actor behind both, and the use of diverse icons to mimic legitimate entities underscores its social engineering tactics aimed at deceiving victims.
New Gigabud malware samples have been identified that use the Virbox packer to obfuscate their malicious code. Like Golddigger, they also abuse the zip file format as an evasion tactic, and this abuse significantly hinders detection and analysis by security solutions.
Analysis of recent Gigabud samples reveals a strong resemblance to Golddigger malware. Both utilize a native library, “libstrategy.so,” to target specific UI elements within banking apps.
Gigabud builds upon Golddigger’s functionality by incorporating support for additional banking applications, including Yape (Peru) and Dutch-Bangla Bank Rocket (Bangladesh), which highlights the evolving capabilities of Gigabud and the need for heightened vigilance against such mobile banking threats.
Recent samples previously attributed to Golddigger malware have been reclassified as Gigabud after unpacking analysis revealed shared libraries and classes with known Gigabud variants.
A new unpacked Gigabud sample, distributed via a phishing site, lacks Virbox packing but maintains code similarities to older versions, particularly in fraudulent bank dialog box displays.
Recent Gigabud malware samples leverage Retrofit for C&C communication and include endpoints for uploading various user data like contacts, SMS, and screen recordings.
(Figure: parsed UI element IDs of targeted bank applications in the Strategy native file)
The malware also uses the libstrategy.so library, which is also found in Golddigger, to target specific UI elements of banking apps and steal financial information; this reuse suggests the same threat actor is behind both malware strains.
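As an added defender-side example (not code from the article or from Cyble), the Python triage check below flags an APK that carries the libstrategy.so indicator described above and treats a zip that will not parse as worth manual review, since the article notes that zip-format abuse hinders analysis; the sample APK, the library contents and the UI-ID marker strings are constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Indicator named in the article; everything else in this block is assumed.
SUSPICIOUS_NATIVE_LIBS = {"libstrategy.so"}
# Constructed markers standing in for the per-bank UI element IDs that the
# article says are embedded in the Strategy native file.
UI_ID_MARKERS = (b"com.", b":id/")


@dataclass
class TriageResult:
    parse_ok: bool
    native_libs: list = field(default_factory=list)
    suspicious_libs: list = field(default_factory=list)
    ui_id_hits: int = 0

    @property
    def needs_review(self) -> bool:
        # A malformed zip or a known library name both warrant a closer look.
        return (not self.parse_ok) or bool(self.suspicious_libs)


def triage_apk(data: bytes) -> TriageResult:
    """Static triage of an APK (a zip): list native libs, flag known names."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except zipfile.BadZipFile:
        # Analysis tooling may choke on an abused zip; that is itself a signal.
        return TriageResult(parse_ok=False)
    result = TriageResult(parse_ok=True)
    for name in names:
        if name.startswith("lib/") and name.endswith(".so"):
            result.native_libs.append(name)
            if name.rsplit("/", 1)[-1] in SUSPICIOUS_NATIVE_LIBS:
                result.suspicious_libs.append(name)
                blob = zf.read(name)
                result.ui_id_hits += sum(blob.count(m) for m in UI_ID_MARKERS)
    return result


def build_sample_apk() -> bytes:
    """Constructed test input: a minimal APK-shaped zip carrying the indicator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        # Fake native library whose bytes mimic embedded UI element IDs.
        zf.writestr("lib/arm64-v8a/libstrategy.so",
                    b"\x7fELF" + b"com.example.bank:id/password\0"
                    + b"com.example.bank:id/login_button\0")
    return buf.getvalue()
```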
Analysis by Cyble Intelligence and Research Labs shows strong links between Golddigger and Gigabud malware, suggesting a single attacker, while the recent increase in Gigabud samples and shared techniques indicates more sophisticated tactics and a wider target range.
New features and attacks in Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia highlight the evolving threat, while the shared code, similar phishing, and impersonation tactics confirm the connection and necessitate heightened vigilance and advanced defenses.