Security researchers have discovered a prolific new Android Trojan designed to covertly harvest user information including banking app credentials, with a view to hijacking and draining their accounts.
Dubbed “GoldDigger” by Group-IB, the Trojan has been active since at least June 2023 and is currently targeting users of over 50 Vietnamese banking apps, as well as e-wallets and crypto-wallets. However, the malware also features translations into additional languages, hinting at plans for further expansion in Asia, Europe and South America.
Users most likely first receive a phishing email including links to a spoofed Google Play page, or a phishing site impersonating a different brand, Group-IB said.
The Trojan itself is disguised in an Android app impersonating either a Vietnamese government portal or an energy company, it added.
Once installed, GoldDigger requests access to the Android Accessibility Service, which allows it to monitor and manipulate the device’s functions. In doing so, the Trojan is able to steal sensitive information including banking app passwords, as well as intercept SMS messages, and exfiltrate them to a command-and-control server.
Ther malware developers also use legitimate obfuscation tool Virbox Protector to make it harder for researchers to reverse engineer the Trojan, Group-IB said.
“At the moment, GoldDigger is primarily focusing on targets in Vietnam. However, Group-IB’s Threat Intelligence team found that, in addition to Vietnamese, the malware included language translations to Spanish and traditional Chinese,” warned says Anh Le, Group-IB’s business development manager in Vietnam.
“The cyber-criminals may have plans to further extend GoldDigger’s reach to Spanish and Chinese-speaking countries in the near future. We continue the investigation into GoldDigger and will provide updates when they become available.”
Group-IB urged users to ensure their mobile device is updated, avoid downloading applications from sources outside of the Google Play Store, and check what permissions an application requests once it is downloaded.