In recent months, cybersecurity analysts have observed a troubling increase in the activity of Golddigger and Gigabud Android banking trojan. Since July 2024, Gigabud malware has seen a dramatic rise in detection rates. This uptick signifies a substantial increase in both the distribution and impact of the malware.
Gigabud has adopted advanced phishing tactics, disguising itself as a legitimate airline application. These fraudulent apps are distributed through phishing websites that closely imitate the official Google Play Store, thereby deceiving users into downloading them.
The Link Between Golddigger and Gigabud Malware
According to Cyble Intelligence and Research Labs (CRIL), the malware’s geographical reach has expanded significantly. Initially focusing on regions like Vietnam and Thailand, Gigabud now targets users in Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia. This broader scope indicates a strategic expansion in the malware’s operations, aiming to compromise a more extensive range of potential victims.
The connection between Golddigger and Gigabud becomes clearer when examining their historical development. In January 2023, CRIL discovered a Gigabud campaign impersonating government entities to target users in Thailand, the Philippines, and Peru. By June 2023, Golddigger, another Android banking trojan, emerged, targeting Vietnamese users under the guise of a government entity.
Recent analyses have highlighted significant similarities between the Golddigger and Gigabud malware. The source code of both strains shows notable overlap, suggesting that they may originate from the same Threat Actor (TA). This shared code and strategy indicate a coordinated approach in their malicious campaigns.
Phishing Tactics and Geographic Expansion
CRIL’s research has identified various phishing sites designed to distribute Gigabud malware. These sites mimic the Google Play Store and pose as legitimate South African Airways and Ethiopian Airlines apps.
The use of such impersonation tactics reflects the malware’s expansion into new target regions, including South Africa and Ethiopia.
Moreover, Gigabud malware has been observed impersonating Mexican banking institutions, such as “HeyBanco,” and Indonesian government applications, including “M-Pajak.” Fraudulent login pages for these institutions are created to trick users into entering their sensitive credentials, thus compromising their personal and financial information.
The technical aspects of Gigabud malware reveal further similarities with Golddigger. Recent samples of Gigabud employ the Virbox packer, a technique also used by Golddigger. The Virbox packer obfuscates the malware’s true nature, making it more challenging for security solutions to detect and analyze the threat.
One of the critical similarities between Golddigger and Gigabud is the use of the native file “libstrategy.so.” This file is integral to the malware’s ability to interact with the user interface elements of targeted banking applications. The presence of this file in both malware strains highlights the shared tools and techniques employed by the attackers.
Gigabud’s latest versions incorporate an impressive number of API endpoints—32, up from just 11 in earlier versions. These endpoints facilitate a range of malicious activities, including uploading recorded face videos, SMS messages, stolen bank details, and more. The addition of these features reflects an ongoing effort by the TA to enhance the malware’s functionality and effectiveness.
Recent samples of Gigabud have also shown a continued use of the “libstrategy.so” library, which is crucial for interacting with UI components on infected devices.
This library includes parsed UI element IDs for various targeted banking applications and lock pattern windows from different mobile devices. The malware uses this information to execute malicious actions, such as locking and unlocking devices and targeting specific UI elements to steal financial data.
Visual Evidence, Analysis, and Mitigation Strategies
To illustrate the extent of this overlap, consider the visual evidence from recent analyses. Figures highlight the phishing sites used to distribute Gigabud, such as those impersonating South African Airways and Ethiopian Airlines. Additionally, images of fake login pages for Mexican and Indonesian institutions reveal how Gigabud attempts to deceive users into revealing their credentials.
Technical figures further demonstrate the use of common libraries and API endpoints. For instance, the comparison of old and new Gigabud samples shows how the malware’s code has evolved while retaining core similarities. The use of the Retrofit library for Command and Control (C&C) communication, along with consistent API endpoints, confirms the connection between newer and older versions of Gigabud.
The investigation into Gigabud and Golddigger malware highlights a significant overlap, suggesting that the same TA is behind both strains. The recent increase in Gigabud’s activity, coupled with the shared techniques and tools, highlighted a sophisticated campaign employed by threat actors. The malware’s expansion into new regions and its continuous enhancement of features indicate a coordinated effort to target a broader audience.
To protect against these persistent threats, users are advised to implement robust cybersecurity measures. These include activating biometric security features such as fingerprint or facial recognition, being cautious with links received via SMS or email, ensuring that Google Play Protect is enabled, and keeping devices, operating systems, and applications up to date. By following these best practices, users can better defend themselves against threats posed by Android malware like Golddigger and Gigabud.
