A new Android banking trojan named GoldDigger has been found targeting several financial applications with an aim to siphon victims’ funds and backdoor infected devices.
“The malware targets more than 50 Vietnamese banking, e-wallet and crypto wallet applications,” Group-IB said. “There are indications that this threat might be poised to extend its reach across the wider APAC region and to Spanish-speaking countries.”
The malware was first detected by the Singapore-headquartered company in August 2023, although there is evidence to suggest that it has been active since June 2023.
While the exact scale of the infections is currently not known, the malicious apps have been found to impersonate a Vietnamese government portal and an energy company to request intrusive permissions to meet its data-gathering goals.
This primarily includes abusing Android’s accessibility services, which is intended to assist users with disabilities to use the apps, in order to interact with the targeted apps and extract personal information, steal banking app credentials, intercept SMS messages, and perform various user actions.
Granting permissions to the malware also enables it to gain full visibility into user actions and view bank account balances, capture two-factor authentication (2FA) codes, and log keystrokes, as well as facilitate device remote access.
Attack chains distributing GoldDigger leverage fake websites impersonating Google Play Store pages and counterfeit corporate websites in Vietnam, raising the possibility that these links are propagated to victims via smishing or traditional phishing tactics.
However, the success of the campaign hinges on enabling the “Install from Unknown Sources” option to allow the installation of arbitrary apps available outside of the official storefront.
GoldDigger is one of several Android banking trojans that have surfaced just over the past few months and have added to an already large number of similar tools currently circulating in the wild.
“One of the main features of GoldDigger is its use of an advanced protection mechanism,” the company noted in a report shared with The Hacker News.
“Virbox Protector, a legitimate software identified in all discovered samples of GoldDigger, allows the Trojan to significantly complicate both static and dynamic malware analysis and evade detection. This presents a challenge in triggering malicious activity in sandboxes or emulators.”