Security researchers have discovered a new and prolific Android trojan designed to secretly collect user information, including banking app credentials.
The malicious agent, which Group-IB has named GoldDigger, has been active since at least June 2023 and targets 50 banking apps and cryptocurrency wallets.
Although the infection appears to be particularly widespread among users in Vietnam, the malware also carries other languages, suggesting that the cybercriminals plan to expand into the rest of Asia, Europe and South America.
According to Mr. Le, Head of Business Development at Group-IB in Vietnam: “At the moment GoldDigger is mainly focusing on targets in Vietnam. However, Group-IB’s Threat Intelligence team discovered that, in addition to Vietnamese, the malware includes language translations in Spanish and Traditional Chinese.”
According to the experts’ reconstruction, the trojan spreads through an e-mail phishing campaign that links to a counterfeit Google Play page. There, the victim is pressured into downloading an Android app that is passed off as a government app or as otherwise trustworthy. Installing the software, as expected, activates the malware, which takes control of the device.
The GoldDigger Trojan targets bank accounts and crypto wallets
Once installed, GoldDigger requests access to the Android Accessibility Service. This allows the malicious agent to monitor and manipulate the device’s functions, so the trojan is able to steal sensitive information, including banking app passwords, and to intercept SMS messages.
The malware developers also use a legitimate obfuscation tool, Virbox Protector, to make analysis of the threat more difficult. This could make GoldDigger even more dangerous if the cybercriminals plan to attack global targets.
Group-IB urged users to update the operating systems of their mobile devices and to avoid downloading applications from sources other than the Google Play Store. Furthermore, as is standard practice, experts always recommend checking the permissions an application requests once it is downloaded and installed.
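The combination the article describes, an app that has been granted an accessibility service and also holds SMS permissions, is something an analyst or help-desk can check for on a device without any specialist tooling. The script below is an added example, not code from the article or from Group-IB: it parses two pieces of device output that can be collected over adb (`adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`) and flags packages whose enabled accessibility service is not on a reviewer's allowlist, listing any SMS permissions they hold. The sample outputs, the allowlist and the package name `com.example.govportal` are constructed for the example; the output formats assumed are the colon-separated component list for the settings value and the `permission: granted=true` lines that dumpsys prints.

```python
"""
Triage helper (added example, not from the article): flag Android packages
that combine an enabled accessibility service with SMS permissions.

Assumed collection commands (run on a connected device, not by this script):
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>
All sample outputs below are constructed for this example.
"""
import re

# Accessibility services a reviewer has vetted for this device.
# Constructed allowlist; replace with your own inventory.
KNOWN_GOOD_SERVICES = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed value of `settings get secure enabled_accessibility_services`:
# a colon-separated list of <package>/<service class> component names.
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.govportal/com.example.govportal.OverlayService"
)

# Constructed fragments of `dumpsys package <pkg>`, trimmed to the permission
# sections. "granted=true/false" is the form dumpsys prints per permission.
SAMPLE_DUMPSYS = {
    "com.example.govportal": """
      install permissions:
        android.permission.INTERNET: granted=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.CAMERA: granted=false
    """,
    "com.android.talkback": """
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=false
    """,
}


def parse_enabled_services(setting_value):
    """Return {package: [service components]} from the settings value.
    An empty or 'null' value means no accessibility service is enabled."""
    services = {}
    if not setting_value or setting_value.strip() == "null":
        return services
    for component in setting_value.strip().split(":"):
        if "/" not in component:
            continue  # malformed entry: skip rather than abort the triage
        package = component.split("/", 1)[0]
        services.setdefault(package, []).append(component)
    return services


# One "<permission>: granted=<state>" line, as printed by dumpsys package.
_PERM_RE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)", re.MULTILINE)


def granted_permissions(dumpsys_text):
    """Return the set of permission names reported as granted=true."""
    return {name for name, state in _PERM_RE.findall(dumpsys_text) if state == "true"}


def find_suspicious(setting_value, dumpsys_by_package):
    """Flag packages whose enabled accessibility service is not on the
    allowlist, and report which SMS permissions each of them also holds."""
    findings = []
    for package, components in parse_enabled_services(setting_value).items():
        unvetted = [c for c in components if c not in KNOWN_GOOD_SERVICES]
        if not unvetted:
            continue
        perms = granted_permissions(dumpsys_by_package.get(package, ""))
        findings.append({
            "package": package,
            "services": unvetted,
            "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_DUMPSYS):
        print(f"{finding['package']}: accessibility={finding['services']} "
              f"sms={finding['sms_permissions']}")
```

On the constructed sample the only finding is the sideloaded "government" app, which holds both RECEIVE_SMS and READ_SMS alongside its accessibility service; TalkBack is ignored because it is on the allowlist. An accessibility service by itself is not proof of malware, which is why the check reports the SMS permissions next to it rather than treating either on its own as a verdict.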