Cybersecurity technology creator, Group-IB, has noted a concerning rise in cyber threats in the Asia-Pacific region, particularly a sophisticated Android Trojan known as "GoldDigger". This Trojan specifically targets users of over 50 Vietnamese banking, electronic wallet and cryptocurrency wallet apps, aiming to steal funds. The danger posed by this Trojan, among others in the region, is escalating rapidly.
GoldDigger uses a number of tactics to exploit users, including impersonating a Vietnamese government tax portal and an energy company. Group-IB's Computer Emergency Response Team (CERT-GIB) has proactively notified the Vietnamese Government's CERT (VNCERT) to help combat this threat. By exploiting Android's Accessibility service, GoldDigger can extract data and steal user credentials.
Furthermore, the Trojan employs Virbox Protector, a tool designed for advanced obfuscation and encryption techniques. This particular software is often used by malware creators as an aid to frustrate the efforts of cybersecurity researchers, who endeavour to analyse and reverse-engineer malicious code. Its use complicates detection and prevention measures deployed by regular anti-fraud solutions, although Group-IB's Fraud Protection system is successfully identifying and counteracting GoldDigger's activities, demonstrating their superior expertise in cybersecurity measures.
Uncovered by Group-IB's Threat Intelligence unit, the Trojan has been active since June 2023 and uses the Android Accessibility service to extract sensitive information and manipulate user interfaces. By doing so, GoldDigger is able to simulate user actions, intercept confidential SMS messages and steal credentials from banking apps. The specific number of affected devices and stolen funds is yet to be determined.
To appear legitimate, over ten fake websites have been identified, posing as Google Play Store pages and company websites. Websites are adorned with user reviews and the emblem of Vietnam to try and trick users into downloading GoldDigger, nicknamed after a specific Android activity found within the APK file, called 'GoldActivity'. GoldDigger may have been distributed through messengers or traditional phishing.
Anh Le, Group-IB's Business Development Manager in Vietnam, highlighted that while GoldDigger is currently targeting Vietnam, "the malware includes language translations to Spanish and traditional Chinese. This suggests that the cybercriminals may extend GoldDigger's reach to Spanish and Chinese-speaking countries in the near future".
In order to protect themselves from Trojans like GoldDigger, Group-IB recommends users keep their mobile devices updated, download apps only from the Google Play Store and check the permissions requested by an application once downloaded. Group-IB's Fraud Protection solution can enhance corporate security by using machine learning algorithms to flag suspicious behaviour and the presence of malware such as GoldDigger.
The pioneering work of Group-IB's Threat Intelligence team, to investigate, prevent and fight digital crime, reinforces their reputation as a leading creator of cybersecurity technologies. Their defence strategies continue to evolve, offering complete protection from modern cyber threats.