GoldDigger, a new Android malware, is targeting more than 50 Vietnamese financial apps, including banking applications, e-wallets, and cryptocurrency wallets. The primary objective of this Trojan, dubbed “GoldDigger” by experts at Group-IB's Threat Intelligence division, is to transfer funds without the victim's authorization. The malware abuses Android Accessibility Services to harvest personal data, intercept text messages, and perform various unauthorized actions on the device.
The rise of digital finance has brought convenience and global reach, but it is not without its drawbacks. Cybercriminals are taking advantage of the easy access to exploit and benefit from unsuspecting users in this growing digital domain. Group-IB first discovered GoldDigger in June 2023 and quickly notified its Threat Intelligence clients. The Group-IB Computer Emergency Response Team (CERT-GIB) also informed the official Vietnam National CERT (VNCERT) and launched a public awareness campaign.
GoldDigger uses fake websites that mimic Google Play Store pages and legitimate company sites to trick visitors into downloading the malware. These sites are designed to appear authentic, including user testimonials and Vietnamese emblems. Once activated, GoldDigger obtains permission to access Android Accessibility Services, which it then uses to monitor and modify device functions. It can obtain confidential data such as passwords, read text messages, mimic user behavior, and steal login details. It specifically targets over 51 Vietnamese financial apps and e-wallets, forwarding the stolen data to its command center.
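Because the abuse of Accessibility Services is the key enabler described above, one practical check on a managed Android fleet is to compare the device's list of enabled accessibility services against an allowlist. The script below is an added example, not code from Group-IB or the original article; it parses the colon-separated `package/class` format that `adb shell settings get secure enabled_accessibility_services` returns, using a constructed sample value (the package names in it are made up, and the allowlist contents are an assumption).

```shell
#!/bin/sh
# Constructed sample of what `settings get secure enabled_accessibility_services`
# returns: colon-separated "package/class" component names. One entry belongs to
# a made-up sideloaded app that should not be there. These names are invented.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplay/com.example.fakeplay.A11yService'

# Assumed allowlist of packages that may legitimately hold accessibility access.
# Extend with colon separators, e.g. 'pkg.one:pkg.two'.
ALLOWLIST='com.google.android.marvin.talkback'

# flag_unexpected_services LIST
#   Prints each package in LIST that is not on the allowlist, one per line.
#   The setting reads "null" on a device with no services enabled.
flag_unexpected_services() {
    list="$1"
    [ "$list" = "null" ] && list=""
    # Trailing newline matters: without it `read` would drop the last entry.
    printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        pkg="${svc%%/*}"             # strip the "/class" part
        case ":$ALLOWLIST:" in
            *":$pkg:"*) ;;           # allowlisted, ignore
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# count_unexpected_services LIST -> number of flagged packages (0 if none)
count_unexpected_services() {
    flag_unexpected_services "$1" | grep -c . || true
}

# Live use: pipe adb output through `tr -d '\r'` first, since adb emits CRLF.
#   flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
flag_unexpected_services "$SAMPLE"
```

A non-empty result is a signal to triage the flagged package (installer source, signing certificate, requested permissions), not proof of infection on its own.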
To protect against unauthorized account access, strong passwords and multi-factor authentication (MFA) are critical. Using complex passwords with a mix of capital letters, numbers, and symbols can enhance security. Additionally, enabling MFA adds an extra layer of defense, making unauthorized access more difficult. Tools like Google Authenticator, Authy, or hardware tokens such as YubiKey can be used for MFA.
What makes GoldDigger unique is its use of Virbox Protector, a legitimate software protection tool that specializes in obfuscation and advanced data encryption. This makes it challenging for cybersecurity experts to decipher the malware’s code and detect its presence. However, the Group-IB Fraud Protection suite has the capabilities to spot GoldDigger.
GoldDigger initially focuses on Vietnamese targets but also has Spanish and traditional Chinese language versions. This suggests that the malware may expand its operations to target Spanish- and Chinese-speaking countries.
Another threat in the Android malware landscape is Nexus, a botnet that has been in operation since June 2022. Nexus can secretly record user keystrokes, override two-factor authentication systems, and disable SMS-based 2FA. It infiltrates Android devices by masquerading as a genuine app and is available on dubious third-party Android app stores.
The consequences of a security breach in digital finance can be significant, including reduced user trust, migration to more secure platforms, regulatory fines, legal challenges, compensation costs, and damage to reputation. As the digital financial world expands, it is crucial to understand these challenges and actively work towards mitigating them to ensure security for individuals and businesses alike.