A newly discovered Android banking trojan, named GoldDigger, has emerged as a significant threat to users of financial applications in the Asia-Pacific (APAC) region.
Furthermore, this malicious software has been found targeting more than 50 financial apps, including Vietnamese banking, e-wallet, and cryptocurrency wallet applications, with the intention of siphoning off victims’ funds and establishing backdoors on infected devices. Security firm Group-IB first identified this trojan in August 2023, though evidence suggests it may have been active since June of the same year.
GoldDigger employs deceptive tactics, such as impersonating legitimate websites like a Vietnamese government portal and an energy company, to request intrusive permissions from users.
It primarily abuses Android’s accessibility services, designed to assist users with disabilities, to interact with targeted apps and gather personal information. This includes stealing banking app credentials, intercepting SMS messages, logging keystrokes, and facilitating remote device access. The trojan also gains full visibility into user actions, allowing it to capture two-factor authentication (2FA) codes and view bank account balances.
The success of GoldDigger’s campaign relies on victims enabling the “Install from Unknown Sources” option, which allows the installation of apps from unofficial sources. Notably, the trojan employs an advanced protection mechanism called “Virbox Protector,” complicating both static and dynamic malware analysis and making it challenging to detect.
GoldDigger is often distributed through fake websites that impersonate Google Play Store pages and counterfeit corporate websites in Vietnam. This raises concerns that these links may be propagated to victims via smishing or traditional phishing tactics, emphasizing the need for heightened cybersecurity awareness and measures in the APAC region and beyond.
