Unmasking the Overlap Between Golddigger and Gigabud Android Malware
Key Takeaways
- Since July 2024, there has been a noticeable surge in the detection of a new variant of Gigabud malware. This uptick indicates an escalation in the malware’s distribution and impact.
- Gigabud is now using sophisticated phishing tactics, distributing its malware by disguising it as legitimate airline applications. These fake apps are being circulated through phishing sites that closely mimic the official Google Play Store, aiming to deceive unsuspecting users.
- The scope of Gigabud’s operations has expanded, and it now targets users in a wider range of countries, including Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia.
- Analysis reveals significant similarities between Golddigger and Gigabud malware, suggesting that the same Threat Actor (TA) is behind both. This connection points to a shared origin and strategy, reflecting a coordinated approach in their malicious campaigns.
- The latest iteration of Gigabud has incorporated over 30 API endpoints, enabling it to support a wide array of new features. This development points to a deliberate effort by the attackers to continuously evolve the malware’s functionality.
Overview
In January 2023, Cyble Intelligence and Research Labs (CRIL) discovered a Gigabud campaign that was impersonating government entities to target users in Thailand, the Philippines, and Peru. By June 2023, the Golddigger Android Banking Trojan emerged, targeting users in Vietnam by posing as a Vietnamese government entity.
Recent analysis has revealed that the source code from both Gigabud and Golddigger malware shows significant overlap, indicating that the same TAs are behind both campaigns.
CRIL has been closely tracking the evolving Gigabud campaign and has observed a strategic expansion in its targeting. Initially focused on regions like Vietnam and Thailand, the malware has now broadened its scope to include new targets in Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia. This broadening of targets highlights an increased scope and sophistication in the TA’s approach.
Phishing sites impersonating South African and Ethiopian Airlines
CRIL has identified multiple phishing sites that replicate the Google Play page to distribute Gigabud malware. These sites are designed to deceive users into downloading malicious applications by masquerading as legitimate South African Airways and Ethiopian Airlines. The detection of similar malicious samples originating from South Africa, coupled with the malware’s use of African airline identities, indicates that the TAs have expanded their target list to include both South Africa and Ethiopia.
Figure 1 – Phishing site distributing fake South African Airways app
Figure 2 – Phishing site distributing fake Ethiopian Airlines app
Gigabud malware impersonating Mexican Bank and Indonesian Tax Government Entity
We have observed that certain samples of Gigabud malware are now impersonating the Mexican bank “HeyBanco” by presenting a counterfeit login page. These fraudulent samples, which were also submitted from Mexico to VirusTotal, indicate a new focus of the Gigabud malware on the Mexican region.
Figure 3 – Fake HeyBanco login page loaded by malware (left) vs genuine HeyBanco page (right)
Gigabud malware has also been detected impersonating the official “M-Pajak” app, which belongs to the Directorate General of Taxes in Indonesia. These samples mimic the legitimate government application by presenting a counterfeit login page, much like the previously observed HeyBanco malicious app.
Figure 4 – Fake M-Pajak login page loaded by malware (left) vs genuine M-Pajak login page (right)
The figure below illustrates the diverse range of icons employed by Gigabud malware to impersonate legitimate entities.
Figure 5 – Icons used by Gigabud malware
Since early June 2024, the distribution of Gigabud malware has significantly increased, signaling an intensified effort by the TA to reach a wider audience. This uptick in activity reflects a strategic expansion of the malware’s deployment aimed at compromising a larger pool of potential victims. The graph below provides a detailed view of the malware’s distribution trends over the past six months.
Figure 6 – Graph indicating the uptick in Gigabud’s activity
The next section delves into the technical details of the malware and highlights its similarities with Golddigger.
Technical Details
New samples of Gigabud malware have been detected using the Virbox packer and employing evasion techniques by exploiting the zip file format, akin to the methods used by Golddigger malware. The Virbox packer obscures the malware’s true nature, making it more difficult for security solutions to identify and analyze.
Figure 7 – Using Virbox Packer
Similarities between Gigabud and Golddigger
Golddigger malware utilized the native .so file named “libstrategy.so” to handle code specific to the user interface elements of targeted banking applications. This file played a crucial role in identifying the UI elements of the banks being targeted. In recent versions of Gigabud, similar source code has been identified, indicating that Gigabud has adopted a comparable approach.
Figure 8 – Golddigger (left) and Gigabud (right) share a similar library
Upon examining the native files of both Golddigger and Gigabud, we found that Gigabud has incorporated support for two additional banking applications: Yape (com.bcp.innovacxion.yapeapp), a digital payment app from Peru, and Dutch-Bangla Bank Rocket (com.dbbl.mbs.apps.main), a mobile banking app from Bangladesh.
Figure 9 – Golddigger’s target list (left) vs. Gigabud’s target list (right)
Until now, we had attributed these recent samples to Golddigger based on their common library usage, but further investigation of an unpacked sample showed that they are actually Gigabud malware.
In our investigation into the Gigabud campaign, we uncovered an unpacked file distributed through the phishing site “hxxps://airways[.]ajgo[.]cc/assets/images.” Unlike the other variants, this sample is not protected by the Virbox packer. Nevertheless, it uses the same libraries and includes the same classes as those found in the packed versions.
Figure 10 – Unpacked (left) Vs. Packed (right) Gigabud samples
In our analysis of unpacked samples, we observed that the code from samples identified in 2023 bears striking similarities to the code in more recent variants, particularly in how they display fake bank dialog boxes. The figure below illustrates the code similarities between the old and new variants.
Figure 11 – The same code present in old and new samples
In addition to sharing code, recent samples of Gigabud malware are using the Retrofit library for Command and Control (C&C) communication. Our analysis revealed that these recent samples utilize API endpoints that are consistent with those used in earlier versions of Gigabud. This correlation confirms that the new samples are indeed variants of Gigabud malware.
Figure 12 – Endpoints used in older and new versions of Gigabud
The latest samples of Gigabud malware now feature 32 API endpoints, a substantial increase from the 11 endpoints found in earlier versions. This expansion signifies upgrades and enhancements by the TA over the past year. Below are some of the new endpoints introduced in the most recent version of Gigabud malware.
| Endpoint | Description |
|---|---|
| /x/five/upload | Upload recorded face video |
| x/common-sms | Upload SMSs |
| x/command-screen-up | Sends screen content |
| /x/dk-register | Sends stolen bank details |
| /x/common-books | Upload contacts |
| /x/five/user-upload-batch | Upload files from an infected device |
| /x/five/config-list | Receives configuration list |
Although the recent samples predominantly feature code similar to that of Gigabud malware, we discovered that they also incorporate the “libstrategy.so” library and its Java counterpart, “com.strategy.utils,” from Golddigger. This library is critical for the malware, as it includes parsed UI element IDs for various targeted banking applications and the lock pattern windows from settings across different mobile devices. The supported device brands include:
- Honor
- Infinix
- Meizu
- Motorola
- Oppo
- Realme
- Samsung
- Vivo
- OnePlus
- Xiaomi
Figure 13 – Parsed UI element IDs of the lock window in the Strategy native file
Figure 14 – Parsed UI element IDs of targeted bank applications in the Strategy native file
The malware leverages these parsed UI elements to precisely identify and interact with user interface components on the victim’s device. This capability allows it to execute various malicious actions, including locking and unlocking the infected device and targeting specific UI elements related to targeted banking applications to exfiltrate financial information.
Figure 15 – Usage of parsed elements and methods from Strategy native file to unlock device and steal password
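The report identifies three static artifacts that tie these samples together: the `libstrategy.so` native library under `lib/<abi>/`, its Java counterpart `com.strategy.utils` inside the dex code, and the C&C endpoint strings listed in the table above. The following Python script is an added example (not Cyble’s tooling and not code from the samples) that triages an APK held in memory for exactly those artifacts. Because an APK is a zip archive, the library is found by entry name and the package and endpoint strings are searched in every `.dex` entry; a malformed archive is reported rather than raised, since an archive that zip tooling cannot open is itself worth surfacing. The sample APKs are constructed in memory with stub contents, and the `triage_apk`, `verdict` and `build_sample_apk` names are this example’s own. Note that on a Virbox-packed sample these strings are only visible after unpacking, as the report describes.

```python
import io
import zipfile

# Indicators taken from the report: the native library and Java package that
# Gigabud shares with Golddigger, and a subset of the new C&C API endpoints.
SHARED_NATIVE_LIB = "libstrategy.so"
SHARED_JAVA_PACKAGE = b"com/strategy/utils"   # dex stores the package as a path
C2_ENDPOINTS = [
    b"/x/five/upload",
    b"/x/common-sms",
    b"/x/command-screen-up",
    b"/x/dk-register",
    b"/x/common-books",
    b"/x/five/user-upload-batch",
    b"/x/five/config-list",
]


def triage_apk(apk_bytes):
    """Scan an in-memory APK for the shared library, the shared Java package
    and the C&C endpoint strings. Returns a findings dict; a bad zip sets
    findings['error'] instead of raising."""
    findings = {"native_lib": [], "java_package": False,
                "endpoints": [], "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        findings["error"] = "bad zip: %s" % exc
        return findings
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith("/" + SHARED_NATIVE_LIB):
                findings["native_lib"].append(name)
            elif name.endswith(".dex"):
                data = zf.read(info)
                if SHARED_JAVA_PACKAGE in data:
                    findings["java_package"] = True
                for endpoint in C2_ENDPOINTS:
                    text = endpoint.decode()
                    if endpoint in data and text not in findings["endpoints"]:
                        findings["endpoints"].append(text)
    return findings


def verdict(findings):
    """Collapse findings into 'malformed', 'suspicious' or 'clean'. Two
    independent indicator families are required for 'suspicious' so that a
    single shared string does not drive the decision on its own."""
    if findings["error"]:
        return "malformed"
    families = 0
    if findings["native_lib"]:
        families += 1
    if findings["java_package"]:
        families += 1
    if len(findings["endpoints"]) >= 2:
        families += 1
    return "suspicious" if families >= 2 else "clean"


def build_sample_apk(malicious):
    """Construct an in-memory zip shaped like an APK (constructed test data,
    not a real sample). The malicious variant carries the shared library, the
    package name and three endpoint strings inside a stub classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if malicious:
            zf.writestr("lib/arm64-v8a/libstrategy.so", b"\x7fELF constructed stub")
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/strategy/utils/UiIds;"
                        b"/x/five/upload\x00/x/dk-register\x00/x/common-books\x00")
        else:
            zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF constructed stub")
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/example/app/Main;/api/v1/ping\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample_apk(True)),
                        ("benign", build_sample_apk(False)),
                        ("garbage", b"not a zip file")):
        f = triage_apk(blob)
        print(label, verdict(f), f)
```

Matching raw bytes in a dex is deliberately crude: it avoids a dex parser dependency and is enough to confirm the overlap the report describes, but a production rule set would pair it with the file hashes and network indicators from the IOC section.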
The analysis of recent Gigabud samples suggests that the same TA is behind both Golddigger and Gigabud, using common modules in their tools. The Strategy native file is one example of how the TA used a common file and embedded it in two different malware strains to carry out attacks. Additionally, the use of a packer, phishing themes, and impersonation of legitimate entities further indicates that the same threat actor is behind the campaign.
Conclusion
Our investigation reveals a significant overlap between Golddigger and Gigabud malware, indicating that the same TA is behind both. The recent surge in Gigabud samples, along with the use of common libraries and techniques, underscores the actor’s evolving tactics and expanded targeting. With the incorporation of new features and an increased range of targeted regions, including Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia, the threat landscape continues to shift. The shared code, similar phishing schemes, and impersonation tactics further confirm the connection between these malware strains, highlighting the need for heightened vigilance and advanced defensive measures against these persistent threats.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If possible, activate biometric security measures like fingerprint or facial recognition to unlock your mobile device.
- Exercise caution when it comes to opening links received via SMS or emails on your phone.
- Confirm that Google Play Protect is turned on for Android devices.
- Be mindful when granting permissions.
- Keep your devices, operating systems, and applications up to date.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
|---|---|---|
| Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware masquerades as legitimate entities |
| Persistence (TA0028) | Event-Triggered Execution: Broadcast Receivers (T1624.001) | Malware implements a broadcast receiver to monitor screen actions |
| Discovery (TA0032) | System Information Discovery (T1426) | Malware collects basic device information |
| Discovery (TA0032) | File and Directory Discovery (T1420) | Malware collects files from external storage |
| Defense Evasion (TA0030) | Hide Artifacts: Suppress Application Icon (T1628.001) | Malware can hide its icon |
| Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Malware collects contacts from the infected device |
| Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Malware steals SMSs from the infected device |
| Collection (TA0035) | Access Notifications (T1517) | Malware monitors notifications |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Malware steals credentials using keylogging |
| Collection (TA0035) | Screen Capture (T1513) | Malware can record the screen |
| Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437) | Malware uses HTTPS for C&C communication |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Malware sends exfiltrated data to the C&C server |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| d19a134f8e4961ec53e53fc21b3606063d821579ef4427ddaac011c7624b0af4 | SHA256 | Gigabud unpacked sample |
| 327c041ba063d32e7378483aa7ebdf73ea6787db | SHA1 | Gigabud unpacked sample |
| 4d1d13cb7ce979cdb3a22838c8885794 | MD5 | Gigabud unpacked sample |
| b700cee5e89305186b65a7c42c545263b3c11587ac1feb91fc3747353bde59e9 | SHA256 | Packed Gigabud sample |
| 2337bf80e136ee99ee59096081d7a937fd79adc3 | SHA1 | Packed Gigabud sample |
| 853c98feaec405722c8353ff2d697f9e | MD5 | Packed Gigabud sample |
| rpc.nafe3[.]xyz | Domain | C&C server |
| hxxps://airways.ajgo[.]cc/ | URL | Phishing URL |
| hxxps://ethiopian[.]zkgo.cc | URL | Phishing URL |
| hxxps://dstv[.]atferu.com | URL | Phishing URL |
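The indicators above are published defanged (`hxxps://`, `[.]`), so they have to be refanged before they can be matched against telemetry. The script below is an added example, not part of Cyble’s report, that refangs the domain and URL IoCs, reduces them to hostnames, and scans DNS log lines for exact hits or subdomains of an IoC host (a parent such as `zkgo.cc` on its own is deliberately not a hit), and also checks a file’s SHA256 against the two sample hashes. The log lines are constructed for the example and the `query=<name>` field is an assumed layout; the function names are the example’s own.

```python
import hashlib
import re

# IoCs as published in the report, kept in their defanged form.
DEFANGED_DOMAINS = ["rpc.nafe3[.]xyz"]
DEFANGED_URLS = [
    "hxxps://airways.ajgo[.]cc/",
    "hxxps://ethiopian[.]zkgo.cc",
    "hxxps://dstv[.]atferu.com",
]
SHA256_IOCS = {
    "d19a134f8e4961ec53e53fc21b3606063d821579ef4427ddaac011c7624b0af4",  # unpacked sample
    "b700cee5e89305186b65a7c42c545263b3c11587ac1feb91fc3747353bde59e9",  # packed sample
}


def refang(indicator):
    """Turn a defanged indicator back into its live form for matching."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def ioc_hostnames():
    """Collect the hostnames behind every domain and URL IoC, lower-cased."""
    hosts = {refang(d).lower() for d in DEFANGED_DOMAINS}
    for url in DEFANGED_URLS:
        bare = re.sub(r"^https?://", "", refang(url))
        hosts.add(bare.split("/", 1)[0].lower())
    return hosts


def host_matches(host, iocs):
    """Exact match or a subdomain of an IoC host; a parent domain is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


# Assumed log layout: each line carries a 'query=<name>' field (constructed).
LOG_RE = re.compile(r"query=(?P<host>\S+)")


def scan_dns_log(lines):
    """Return (line_number, host) for every line whose queried name hits an IoC."""
    iocs = ioc_hostnames()
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if m and host_matches(m.group("host"), iocs):
            hits.append((n, m.group("host").lower().rstrip(".")))
    return hits


def is_known_sample(data):
    """True if the SHA256 of the given bytes is one of the report's hashes."""
    return hashlib.sha256(data).hexdigest() in SHA256_IOCS


# Constructed DNS log lines, not taken from any real environment.
SAMPLE_LOG = [
    "2024-08-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2024-08-01T10:00:02Z client=10.0.0.5 query=airways.ajgo.cc type=A",
    "2024-08-01T10:00:03Z client=10.0.0.9 query=RPC.NAFE3.XYZ. type=A",
    "2024-08-01T10:00:04Z client=10.0.0.9 query=cdn.ethiopian.zkgo.cc type=A",
    "2024-08-01T10:00:05Z client=10.0.0.9 query=zkgo.cc type=A",
]

if __name__ == "__main__":
    for n, host in scan_dns_log(SAMPLE_LOG):
        print("line %d matched IoC host %s" % (n, host))
```

Hostname matching is case-insensitive and tolerates a trailing dot, both of which appear in real resolver logs; the subdomain rule catches hosts the actor may stand up under a known phishing domain without over-matching the registrar-level parent.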
The post Unmasking the Overlap Between Golddigger and Gigabud Android Malware appeared first on Cyble.