A new Android banking trojan named Golddigger has been found targeting multiple financial applications with the aim of siphoning off victims’ funds and backdooring infected devices.
“The malware targets more than 50 Vietnamese banking, e-wallet and crypto wallet applications,” Group-IB said. “There are signs that this threat is set to expand its reach to the broader APAC region and Spanish-speaking countries.”
The malware was first detected by the Singapore-headquartered company in August 2023, although there is evidence that it has been active since June 2023.
Although the exact scale of the infection is not currently known, malicious apps have been found impersonating Vietnamese government portals and an energy company in order to request the permissions that serve the malware's data-gathering goals.
This mainly involves misuse of Android’s accessibility services, which are intended to help users with disabilities operate apps, to interact with targeted apps, extract personal information, steal banking app credentials, intercept SMS messages, and perform various user actions on the victim's behalf.
Granting permissions to the malware allows it to gain full visibility into a user’s actions and view bank account balances, capture two-factor authentication (2FA) codes, and log keystrokes, as well as facilitate device remote access.
The attack chains that distribute Golddigger rely on fake websites impersonating Google Play Store pages and fake corporate websites in Vietnam, which makes it likely that the links are spread to victims through smishing or traditional phishing tactics.
However, the success of the campaign depends on the victim enabling the “Install from unknown sources” option, which allows installation of arbitrary apps obtained outside the official storefront.
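The two preconditions described above, an accessibility service granted to an untrusted app and sideloading switched on, are both readable from a device's secure settings, so a fleet administrator can audit for them. The following is an added example written for this article, not code from Group-IB or from the article's author. It parses the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of component names, where `pkg/.Cls` is shorthand for `pkg/pkg.Cls`) and of `install_non_market_apps`, and flags any enabled accessibility service that is not on a vetted allowlist. The device output below is constructed for the example, the package `com.example.fakeportal` is a placeholder, and the allowlist is a hypothetical one you would populate for your own fleet.

```python
# Audit a device's accessibility-service and sideloading state for the conditions
# an accessibility-abusing banking trojan needs. Input is the raw value returned by
# `adb shell settings get secure <key>`; values here are constructed samples.

# Hypothetical allowlist of vetted accessibility services (flattened component names).
ALLOWED_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample: what `settings get secure <key>` might return on an infected device.
# `com.example.fakeportal` is a placeholder package, not a real indicator.
SAMPLE_DEVICE = {
    "accessibility_enabled": "1",
    "enabled_accessibility_services": (
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.example.fakeportal/.AccessService"
    ),
    "install_non_market_apps": "1",
}

# Constructed sample: a clean device with only the vetted screen reader enabled.
SAMPLE_CLEAN_DEVICE = {
    "accessibility_enabled": "1",
    "enabled_accessibility_services":
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
    "install_non_market_apps": "0",
}


def expand_component(flat: str) -> str:
    """Expand the shorthand 'pkg/.Cls' form to 'pkg/pkg.Cls' so names compare consistently."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"


def parse_enabled_services(value: str) -> list[str]:
    """Parse the colon-separated component list stored in enabled_accessibility_services.

    `settings get` prints the literal string 'null' when the key is unset.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    return [expand_component(c.strip()) for c in value.split(":") if c.strip()]


def audit(settings: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # An accessibility service only acts when the master switch is on, but an
    # unvetted service in the list is worth flagging regardless.
    for svc in parse_enabled_services(settings.get("enabled_accessibility_services", "")):
        if svc not in ALLOWED_ACCESSIBILITY_SERVICES:
            findings.append(f"unvetted accessibility service enabled: {svc}")
    # Legacy global sideloading toggle (Android 8+ also gates this per app via the
    # REQUEST_INSTALL_PACKAGES app op; that check is not shown here).
    if settings.get("install_non_market_apps", "0").strip() == "1":
        findings.append("sideloading is enabled (install_non_market_apps=1)")
    return findings


if __name__ == "__main__":
    for name, device in (("infected sample", SAMPLE_DEVICE), ("clean sample", SAMPLE_CLEAN_DEVICE)):
        result = audit(device)
        print(f"{name}: {result if result else 'no findings'}")
```

To run this against a real device, replace the sample dictionaries with the output of `adb shell settings get secure <key>` for each key; on Android 8 and later the per-app sideloading grant should also be checked, since the global toggle no longer tells the whole story.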
Golddigger is one of several Android banking trojans that have surfaced over the past few months and joins the large number of similar tools currently roaming the wild.
“One of the main features of Golddigger is the use of advanced security mechanisms,” the company said in a report.
“Virbox Protector, a legitimate software identified in all discovered samples of GoldDigger, allows the Trojan to significantly complicate both static and dynamic malware analysis and evade detection. This presents a challenge in triggering malicious activity in sandboxes or emulators.”