The Android malware that can empty your bank account is becoming more prevalent.
A newly identified variant of Android malware is presently spreading, posing a significant threat to users. This emerging threat is capable of illicitly siphoning funds from multiple banking applications. Cybersecurity experts at Group-IB reported the detection of this Android trojan in August through a blog post. The malware is presently homing in on financial institutions in Vietnam, meaning Indian users can breathe a sigh of relief, as this particular malware, codenamed GoldDigger, is not an immediate concern for them. Group-IB has diligently notified its clients both within Vietnam and abroad of its discoveries. Furthermore, the cybersecurity firm has shared its findings with VNCERT (Vietnam Computer Emergency Response Team).
How this trojan can affect users
According to Group-IB, the GoldDigger Android trojan has been in operation since June 2023. This insidious malware adopts a deceptive guise, posing as a counterfeit Android application that masquerades as both a Vietnamese government portal and a local energy company. The primary objective of this Android trojan is to pilfer banking credentials. Like numerous other Android trojans, the malware abuses the Accessibility Service to illicitly harvest personal data, intercept SMS messages, and perform a variety of user interactions on the victim's behalf. Additionally, GoldDigger possesses remote access capability, making it even more menacing.
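The combination described above, an Accessibility Service plus SMS access, is something a defender can look for statically before an app is ever run. The following is an added triage example, not code from Group-IB or from the article; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool or aapt) and flags any app that both declares an accessibility service and requests SMS permissions. The two manifests embedded below are constructed for illustration; the package names and service names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Android's manifest namespace; attributes like android:name resolve to {ns}name in ElementTree.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Permissions and markers used by the heuristic. These are real Android identifiers;
# the choice to combine them is the triage rule, not a vendor signature.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(xml_text):
    """Return a summary of manifest features relevant to banking-trojan triage.

    flagged is True only when an accessibility service is declared AND SMS access is
    requested; either alone is common in legitimate apps (screen readers, SMS clients).
    """
    root = ET.fromstring(xml_text)
    package = root.get("package", "")

    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)

    # A service is an accessibility service if it is guarded by the bind permission
    # or advertises the AccessibilityService intent action.
    accessibility_services = []
    for svc in root.iter("service"):
        binds = svc.get(A + "permission") == ACCESSIBILITY_BIND
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(A + "name"))

    return {
        "package": package,
        "sms_permissions": sms,
        "accessibility_services": accessibility_services,
        "flagged": bool(accessibility_services) and bool(sms),
    }


# Constructed sample: a fake "portal" app with the accessibility + SMS combination.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeportal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Portal">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a legitimate-looking accessibility tool with no SMS access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screenreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader">
    <service android:name=".ReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

The result is a triage flag, not a verdict: a hit means the sample deserves dynamic analysis or reputation checks, while a miss says nothing about packers or code loaded at runtime, which is exactly the gap the Virbox discussion below points to.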
How the malware remains undetectable
A prominent feature of GoldDigger is its use of an advanced protective mechanism. In all instances of GoldDigger that have been uncovered, the presence of Virbox Protector, a legitimate commercial software-protection product, has been identified. This software allows the trojan to substantially increase the difficulty of both static and dynamic malware analysis, effectively eluding detection. Consequently, it poses a considerable challenge when attempting to trigger malicious behavior within sandboxes or emulators.
The recent emergence of Virbox as a tool used by banking trojans represents a notable trend. According to Group-IB's Threat Intelligence team, three Android trojans currently operating in the Asia Pacific region, including GoldDigger, have adopted this evasion technique.
Researchers have observed that the GoldDigger trojan uses counterfeit Vietnamese apps as its method of attacking victims. Additionally, this trojan includes language translations for Spanish and traditional Chinese, suggesting that these attacks could potentially extend beyond Vietnam to Spanish-speaking countries and other nations within the APAC region.
The report highlights that GoldDigger's distribution involves counterfeit websites cleverly disguised as Google Play pages and Vietnamese corporate websites. It is likely that the operators of this trojan are disseminating links to these websites through smishing or traditional phishing. These deceptive websites contain links that download the malicious Android apps. However, it is important to note that the malware requires the "Install from Unknown Sources" setting to be enabled on a victim's device for successful installation; users who leave it disabled and install only from official stores are not exposed to this distribution path.