How this trojan can affect users
The GoldDigger Android trojan has been active since June 2023, Group-IB claims. The malware disguises itself as a legitimate Android app and can impersonate both a Vietnamese government portal and a local energy company.
The main goal of the Android trojan is to steal banking credentials. Like many other Android trojans, the malware abuses the Accessibility Service to extract personal information, intercept SMS messages, and perform actions on the user's behalf. GoldDigger also has a remote access capability.
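As an added defender-side example that is not part of the Group-IB report, the heuristic below flags an Android manifest that declares an accessibility service alongside SMS permissions, the capability combination described above; the sample manifest and the package name are constructed for illustration.

```python
# Added example: triage a decoded AndroidManifest.xml for the accessibility-service
# plus SMS-permission pattern described in the text. The manifest below is
# constructed for illustration and does not come from a real sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which risky capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {p.get(name_attr) for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter lists the AccessibilityService action.
    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(name_attr) for a in svc.iter("action")}
        if svc.get(perm_attr) == A11Y_PERM and A11Y_ACTION in actions:
            a11y_services.append(svc.get(name_attr))
    findings = {
        "accessibility_services": a11y_services,
        "sms_permissions": sorted(requested & SMS_PERMS),
    }
    # Flag only the combination: accessibility control plus SMS access.
    findings["suspicious"] = bool(a11y_services) and bool(findings["sms_permissions"])
    return findings


# Constructed sample manifest mimicking the pattern described in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeportal">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest inside an APK is binary XML, so decode it first (for example with apktool or aapt); because Android only honours capabilities that are declared in the manifest, a packer cannot hide these declarations from this kind of check.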
How the malware remains undetectable
One of the main features of GoldDigger is its use of an advanced protection mechanism. Virbox Protector, a legitimate commercial code-protection product, was identified in all discovered samples of GoldDigger. The protector significantly complicates both static and dynamic analysis of the trojan and helps it evade detection; in particular, it makes it difficult to trigger the malicious activity in sandboxes or emulators.
The use of Virbox by banking trojans is a recent trend. According to Group-IB's Threat Intelligence team, three Android trojans currently active in the Asia Pacific region, including GoldDigger, use this evasion technique.
Researchers discovered that the GoldDigger trojan uses fake apps in Vietnamese to attack its victims. The trojan also includes translations for Spanish and Traditional Chinese. This suggests that the attacks may extend their reach beyond Vietnam to Spanish-speaking nations and other countries in the APAC region.
The report notes that GoldDigger spreads via fake websites disguised as Google Play pages and fake corporate websites in Vietnam. The trojan's operators are likely distributing the links to these websites via smishing or traditional phishing. The websites include links that download the malicious Android apps. However, the malware can only be installed if the "Install from Unknown Sources" option is enabled on the victim's device.