A new Android malware strain that steals money from banking apps has been observed making the rounds.
Group-IB recently discovered an Android Trojan that targets more than 50 Vietnamese banking apps, e-wallet services and cryptocurrency wallets, with the primary objective of stealing funds.
The Trojan, which Group-IB's threat intelligence unit named "GoldDigger", has been active since at least June 2023, and its digital footprints have been tracked since then. Two separate apps were used to deliver the malware: one impersonating a Vietnamese government portal and another impersonating a company in the energy sector.
Researchers do not yet know the exact initial attack vector, but the attackers most likely reached out to victims through social media, email and other common communication channels.
Those channels were used to redirect victims to at least a dozen fake Google Play websites, which invited them to install the apps on their smartphones.
Once installed, the app behaves like most Android banking Trojans: it asks the victim to grant it Accessibility permissions and then proceeds.
An app that asks for excessive permissions is the most obvious sign that it may be malicious. GoldDigger needs the victim to grant it these permissions in order to harvest sensitive information such as passwords. It then searches the device on its own for any of the 51 targeted apps belonging to Vietnamese financial institutions, e-wallet providers or cryptocurrency wallets.
When it finds one, GoldDigger extracts the login credentials for that account, effectively giving the attackers unrestricted access to the victim's financial accounts.
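The abuse of Accessibility permissions described above is the practical thing to check for on a device. The following triage helper is an added example, not code from the Group-IB report: it parses the text printed by two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and reports every enabled accessibility service whose owning package was not installed by Google Play. The two sample outputs embedded in it are constructed for the demo, and the package names in them are placeholders.

```python
"""Triage helper: enabled accessibility services held by sideloaded apps.

Added example, not code from the Group-IB report. It parses the output of
two real adb commands:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3 -i

and reports each enabled accessibility service whose package was not
installed by Google Play (installer com.android.vending). The sample
outputs below are constructed; the package names are placeholders.
"""
import re
from typing import Dict, List, Tuple

PLAY_STORE = "com.android.vending"

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/service" entries, or "null" when none is enabled.
SAMPLE_ENABLED = (
    "com.example.screenreader/.TalkBackService:"
    "com.example.sideloaded/com.example.sideloaded.AccService"
)

# Constructed sample of `pm list packages -3 -i`: third-party packages with
# the package that installed them. "null" means no recorded installer,
# which is what a manual or adb sideload typically shows.
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bankapp  installer=com.android.vending
"""

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(text: str) -> List[Tuple[str, str]]:
    """Return (package, service_class) pairs from the settings output."""
    text = text.strip()
    if not text or text == "null":
        return []
    pairs = []
    for entry in text.split(":"):
        if "/" not in entry:
            continue  # tolerate a trailing colon or malformed entry
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc  # leading "." means class relative to package
        pairs.append((pkg, svc))
    return pairs


def parse_installers(text: str) -> Dict[str, str]:
    """Return {package: installer} from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def flag_sideloaded_accessibility(
    enabled_text: str, packages_text: str
) -> List[Tuple[str, str, str]]:
    """Accessibility services whose owning package did not come from Play.

    Returns (package, service_class, installer) triples. Packages absent
    from the third-party list (preinstalled/system apps) are not flagged.
    """
    installers = parse_installers(packages_text)
    flagged = []
    for pkg, svc in parse_enabled_services(enabled_text):
        if pkg not in installers:
            continue  # not a third-party package
        installer = installers[pkg]
        if installer != PLAY_STORE:
            flagged.append((pkg, svc, installer))
    return flagged


if __name__ == "__main__":
    for pkg, svc, inst in flag_sideloaded_accessibility(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} runs accessibility service {svc} (installer={inst})")
```

Treat the result as a review list rather than a verdict: devices with a legitimate OEM or carrier store will show installers other than com.android.vending, and running the commands requires USB debugging to be enabled on the handset.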
The researchers explained that what makes GoldDigger unique, in their view, is its use of Virbox Protector, a commercial software protection tool integrated into the program to obfuscate and encrypt it.
Virbox Protector is a legitimate application, but here it has been used for nefarious purposes, making the work of security researchers considerably harder.
It is not known how many people have fallen for this scam and lost money as a result.
Still, to be on the safe side it is always best to download applications only from legitimate sources and to be suspicious of any link or attachment received by email.
Malware Targeting Android Devices in The Future
GoldDigger is characterized by its use of Virbox Protector, a program that specializes in advanced obfuscation and encryption. This is what sets GoldDigger apart from its competitors.
By making the malicious code hard for security analysts to decipher, the malware developers have taken an inventive step toward evading standard fraud detection mechanisms. Group-IB states that its Fraud Protection suite can detect GoldDigger's presence.