In August, Group-IB discovered an Android Trojan, which it has dubbed GoldDigger, targeting more than 50 financial organizations in Vietnam.
The Trojan has been active since June, when Group-IB’s intelligence unit identified more than 10 fake websites impersonating Google Play Store pages.
GoldDigger’s primary goal is to steal banking credentials. Once installed and launched, it abuses the Android Accessibility Service to harvest personal information and intercept SMS messages. To get onto devices, the malware poses as a legitimate Android application: across at least two variants it impersonates a Vietnamese government portal and an energy company.
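The capability mix described above (an accessibility service combined with SMS access) is visible statically in an APK's decoded manifest, which makes it a cheap first triage check before dynamic analysis. The following script is an added example and is not Group-IB's code or tooling; the manifest it parses is constructed for illustration, and the package name and class names in it are hypothetical. It flags the combination rather than any single permission, since accessibility services and SMS access each have legitimate uses, and a declared accessibility service only becomes dangerous once the user enables it in settings, so a hit here is a reason to look closer, not a verdict.

```python
"""Static triage of a decoded AndroidManifest.xml (as produced by apktool or
similar) for the capability mix GoldDigger is reported to abuse: an
Accessibility Service plus SMS access.

Added example, not Group-IB's code. SAMPLE_MANIFEST is constructed; the
package name and component class names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Benign on their own, suspicious next to an accessibility service.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SIDELOAD_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a fake "government portal" app (hypothetical names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="gov.example.portal.fake">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Cong thong tin">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return a dict of findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}

    # An accessibility service is declared either by the BIND_* permission on
    # the <service> or by the AccessibilityService action in its intent filter.
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if _attr(svc, "permission") == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(_attr(svc, "name"))

    # A receiver on SMS_RECEIVED is how an app gets incoming SMS (e.g. OTPs).
    sms_receivers = []
    for rcv in root.iter("receiver"):
        actions = {_attr(a, "name") for a in rcv.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            sms_receivers.append(_attr(rcv, "name"))

    findings = {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": sms_receivers,
        "sideload_permissions": sorted(perms & SIDELOAD_PERMS),
    }
    # The combination, not any single item, is the signal worth escalating.
    findings["suspicious"] = bool(accessibility_services) and (
        bool(findings["sms_permissions"]) or bool(sms_receivers)
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against `AndroidManifest.xml` from an apktool output directory by reading the file into `triage_manifest`; a packed sample will still declare these components in its manifest because the Android framework has to see them, which is why manifest triage survives a protector such as the one discussed below even when the code itself does not.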
Group-IB’s published analysis noted that GoldDigger is packed with Virbox Protector, which helps the malware evade detection and makes it harder to analyze. The use of Virbox by banking Trojans is a rising trend: Group-IB found two other active Android Trojans in the Asia-Pacific region using the same methods.
These Trojans seek to “infect as many devices as possible and gain access to user accounts,” Group-IB stated. “The most effective way to combat them is with client-side fraud protection solutions that offer multiple benefits. These include real-time protection, adaptability to evolving threats and, most importantly, the ability to rely on behavioral indicators to protect customers,” the researchers noted.
Group-IB contacted the Vietnam Computer Emergency Response Team to share its findings, including technical details and indicators of compromise. Group-IB has also notified its customers of this threat.
“At the moment, GoldDigger is primarily focusing on targets in Vietnam,” stated Anh Le, Group-IB’s business development manager in Vietnam. “However, Group-IB’s Threat Intelligence team found that, in addition to Vietnamese, the malware included language translations to Spanish and traditional Chinese. The cybercriminals may have plans to further extend GoldDigger’s reach to Spanish- and Chinese-speaking countries in the near future.”