A new Android trojan named GoldDigger has emerged to set its sights on Vietnam’s financial sector. Cybersecurity firm Group-IB revealed that its intriguing moniker is derived from a distinct “GoldActivity” activity embedded within its APK structure.

Diving into Details

• It can masquerade as a counterfeit Android application, impersonate a Vietnamese government portal, and also pose as a local energy company.
• GoldDigger abuses Android’s Accessibility Service to extract personal information, intercept SMS messages, and execute various user actions.
• The trojan’s primary objective is to pilfer banking credentials. 

Evasion technique

• The malware employs “Virbox Protector,” a legitimate software, making the trojan’s detection and analysis exceptionally challenging.
• This software not only impedes both static and dynamic malware analysis but also stymies malicious activity identification in sandboxes or emulators.

Why this matters

• GoldDigger’s reach may extend beyond Vietnam. Its inclusion of translations for Spanish and traditional Chinese indicates potential threats to Spanish-speaking countries and other Asia Pacific nations.
• There’s a rising trend where banking trojans harness VirBox for evasion. Besides GoldDigger, Group-IB identified more Android families currently leveraging this technique in Asia Pacific.
• These trojans aim to infect a multitude of devices to access user accounts.

Countering them demands client-side fraud protection solutions that emphasize real-time protection, adaptability, and a focus on behavioral indicators.

The bottom line

GoldDigger serves as a stark reminder of the ever-evolving cyber threats targeting Asia Pacific. As a proactive step, organizations must educate their customers about the risks associated with installing apps from unknown sources on Android devices. By monitoring user behavior and understanding genuine user interactions, organizations can fortify their defenses, ensuring that they remain a step ahead of cyber adversaries.