GoldDigger Android trojan targets Vietnamese banking apps, code contains hints of wider targets

More malware scum using accessibility features to steal personal info


Singapore-based infosec outfit Group-IB on Thursday released details of a new Android trojan that abuses the operating system's accessibility features to steal personal information.

The security research outfit wrote that the trojan, named GoldDigger, currently targets Vietnamese banking apps – but includes code suggesting its developers plan wider attacks. Between June 2023, when it spotted GoldDigger, and late August, Group-IB identified 51 financial organization applications targeted by the trojan. The security firm is unsure how many devices have been infected, or how much money has been stolen.

The malware makes its way onto devices after users visit fake websites that manipulate them into downloading the app. Once installed, GoldDigger requests access to Android’s Accessibility Service – the feature designed to assist users with disabilities by allowing apps to interact with each other and modify the user interface.

Permission to use the Accessibility Service means GoldDigger can monitor and manipulate a device's functions, view personal information such as banking app credentials and the content of SMS messages, and send that info to command-and-control servers. A code snippet found by the researchers suggests the malware attempts to bypass two-factor authentication, and is designed to fool banking apps into treating its transactions as legitimate.

"We have not confirmed that the Trojan operators use these capabilities at the time of writing. However, based on the behavior of other known Trojans similar to GoldDigger, we don't think they differ significantly," explained Group-IB.

"We are definitely observing a significant increase in the Android malware strains abusing the Accessibility Service. For Android malware trends, there is a noticeable shift away from the traditional use of web fakes," Sharmine Low, malware analyst at Group-IB, told The Register. Low said using the Accessibility Function was a "much more invasive approach compared to generating individual web fake files for each specific target."

GoldDigger's developers have left clues that their ambitions may reach beyond Vietnam. The malware includes translations in Chinese and Spanish, suggesting that countries where those languages are spoken may be next in line as targets.

One preventive measure the security firm noted – alongside the usual advice to check for updates, watch out for unusual permission requests and adopt fraud protection services – is to keep the "Install from Unknown Sources" setting disabled, which is its default on Android devices. APKs from sources outside the Google Play Store can only be installed if that setting is enabled. ®
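As an added example, not code from the article or from Group-IB, the following POSIX shell script parses the output format of `adb shell settings get secure enabled_accessibility_services` and flags any package holding Accessibility Service access that is not on an assumed allowlist; the device output is replaced by a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from Group-IB: audit which apps
# currently hold Android Accessibility Service access, the capability GoldDigger
# abuses. On a real device the input comes from
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated flattened component names
# (package/ServiceClass). Here a constructed sample stands in for that output.

# Constructed sample: TalkBack (a legitimate screen reader) plus a sideloaded
# package of unknown provenance.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/.AccService'

# Assumed allowlist (space-separated package names): the assistive apps your
# fleet actually expects to hold this permission.
ALLOWED_PKGS='com.google.android.marvin.talkback'

# flag_unexpected_services LIST ALLOWED
# Prints one line per package in LIST whose accessibility service is enabled
# but which is not in ALLOWED. Returns 1 if anything was flagged, else 0.
flag_unexpected_services() {
    list=$1
    allowed=$2
    flagged=0
    old_ifs=$IFS
    IFS=':'
    for comp in $list; do
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}              # package name precedes the slash
        case " $allowed " in
            *" $pkg "*) ;;           # expected assistive app
            *) echo "$pkg"; flagged=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$flagged"
}

if unexpected=$(flag_unexpected_services "$SAMPLE_ENABLED" "$ALLOWED_PKGS"); then
    echo "No unexpected accessibility services enabled."
else
    echo "Review these packages holding Accessibility Service access:"
    echo "$unexpected"
fi
# On Android 8 and later the old global "Unknown sources" toggle is per-app; to
# see whether a package may sideload APKs, run:
#   adb shell appops get <package> REQUEST_INSTALL_PACKAGES
```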
