Android Malware: Golddigger & Gigabud Target Airline Customers

A surge in Gigabud malware detections since July 2024 indicates an intensified campaign, leveraging sophisticated phishing tactics to distribute itself via disguised airline apps on fake Google Play Store replicas. 

Expanding its geographic reach to include Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia, Gigabud demonstrates a coordinated approach with Golddigger malware, suggesting a common threat actor. 

The malware’s expanded functionality through over 30 API endpoints signifies a continuous evolution of its capabilities. 

Gigabud, an Android banking trojan initially targeting Southeast Asia, has evolved, sharing code with the Golddigger malware and expanding its reach to include Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia. 

Phishing sites distributing fake Ethiopian Airlines apps 

Threat actors behind Gigabud deploy phishing sites impersonating legitimate entities, such as South African and Ethiopian airlines, to distribute malicious apps disguised as official applications. 

The overlap in code between Gigabud and Golddigger suggests a shared infrastructure or development team, potentially enabling the threat actors to rapidly develop and deploy new malware variants.

Gigabud malware has expanded its targeting to Mexico, impersonating the HeyBanco bank with a fraudulent login page. These malicious samples, originating from Mexico and detected on VirusTotal, suggest a concentrated effort to target Mexican users. 

Additionally, the malware has been observed mimicking the Indonesian tax government entity, M-Pajak, indicating a broader geographic scope for the Gigabud threat. 

 Fake HeyBanco login page loaded by malware (left) vs genuine HeyBanco page (right)

It has expanded its deception tactics by impersonating the Indonesian tax authority’s M-Pajak app, mirroring the previously observed MyBanco phishing scheme. 

The malware employs a variety of icons to mimic legitimate entities, showcasing its adaptability and intent to socially engineer victims into downloading malicious applications, which highlights the malware’s growing sophistication and broadening target audience. 

Icons used by Gigabud malware 

The malware distribution has sharply increased since June 2024, suggesting a deliberate effort to expand the victim pool, which indicates a strategic shift by the threat actor towards wider dissemination of the malware.

Researchers at CRIL identified new Gigabud malware strains using Virbox Packer, a technique similar to Golddigger malware, to obfuscate the code and bypass detection, which makes it harder for security tools to analyze the malware’s true functionality.  

Using Virbox Packer 

Similarities in the source code between Gigabud and the “libstrategy.so” library used by Golddigger suggest Gigabud has adopted a similar method for targeting specific UI elements within banking apps, likely to steal financial information. 

Researchers analyzed unpacked samples of Gigabud malware and found strong evidence that it shares functionalities and code with Golddigger malware, including identical class usage, similar code for displaying fake bank dialogs, and consistent C&C communication endpoints using the Retrofit library. 

While the latest Gigabud targets new banking apps like Yape and Dutch-Bangla Bank Rocket, it also incorporates the “libstrategy.so” library from Golddigger, enabling it to parse UI elements for various targeted banking apps and device lock screens across different phone brands. 

It allows Gigabud to perform malicious actions like unlocking the device and stealing passwords, suggesting a high likelihood that the same threat actor is behind both the Golddigger and Gigabud campaigns. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here