GoldDigger: New Android Trojan Targets Banking Apps and Crypto Wallets
Threat intelligence researchers recently discovered a new Android trojan targeting financial applications in Vietnam. Dubbed GoldDigger, the malware’s primary goal is to commit financial fraud by secretly harvesting a user’s banking and other financial credentials.
According to researchers at Group-IB, the trojan is believed to have been active since June 2023 and has been monitoring users of more than 50 financial apps, e-wallets, and crypto apps in Vietnam.
In addition to Vietnamese, the app also had translation support for Spanish and traditional Chinese. “[..] these attacks may potentially extend their reach beyond Vietnam, encompassing Spanish-speaking nations and other countries in the APAC region,” Group-IB said.
The malware has also been found to be distributed via phishing sites impersonating either a Google Play page or a corporate website. The trojan itself is disguised as a fake Android application of a local energy company or a Vietnamese government portal.
Although the trojan disguises itself as a seemingly legitimate app, it can successfully install and harvest user information only when the Android “Install from Unknown Sources” setting is enabled. When on, this setting allows the installation of third-party APKs onto the device.
Once installed, the malicious app requests many intrusive permissions and abuses Android’s Accessibility Service to harvest sensitive user information, steal credentials, intercept SMS messages, and execute remote access commands. The stolen data is then transferred to a threat actor-controlled command and control (C2) server.
“Granting Accessibility Service permissions to GoldDigger enables it to gain full visibility into user actions and interact with user interface elements. This means it can see the victim’s balance, harvest the second credential issued for two-factor authentication, and implement keylogging functions, allowing it to capture credentials,” the investigation revealed.
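The permission pattern described above (an Accessibility Service binding combined with SMS access) is something a defender can flag during static triage of a suspicious APK. The following is an added example, not code from Group-IB or from the GoldDigger sample: it parses a decoded AndroidManifest.xml and reports that combination. The manifest, package name and service name are constructed for the example.

```python
"""Static triage heuristic for a decoded AndroidManifest.xml, flagging the
permission pattern the article attributes to GoldDigger. The sample manifest
at the bottom is constructed for this example, not taken from a real sample."""
import xml.etree.ElementTree as ET

# ElementTree exposes android:name as "{namespace-uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def accessibility_services(root):
    """Names of <service> elements guarded by BIND_ACCESSIBILITY_SERVICE,
    i.e. components that Android will hand full UI visibility to once enabled."""
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM]

def triage(manifest_xml):
    """Return a list of findings; an empty list means no flagged pattern."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = []
    svcs = accessibility_services(root)
    if svcs:
        findings.append("accessibility_service:" + ",".join(svcs))
    if perms & SMS_PERMS:          # can read one-time codes sent by SMS
        findings.append("sms_access")
    if SIDELOAD_PERM in perms:     # can stage further APK installs
        findings.append("sideloading")
    return findings

# Constructed manifest resembling a sideloaded "utility" app that binds an
# accessibility service and asks to receive SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeutility">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Decoding the binary manifest out of an APK (for example with apktool) is a separate step; this script works on the already-decoded XML.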
During the investigation, the researchers also discovered the use of an advanced obfuscation technique: Virbox Protector, which prevents detection. “Virbox Protector, a legitimate software [..], presents a challenge in triggering malicious activity in sandboxes or emulators.”
With malicious applications like this in circulation, it is essential that mobile users keep their devices updated, download and install applications only from verified sources, and be careful when granting the permissions that apps request.