TL;DR: Cybersecurity firm Group-IB has identified a new Android Trojan called “GoldDigger” that specifically targets over 50 Vietnamese banking apps, electronic wallets, and cryptocurrency wallets. The Trojan, active since at least June 2023, impersonates Vietnamese government portals and an energy company, and abuses the Android Accessibility service to steal personal information and banking credentials, intercept SMS messages, and perform various actions on the user’s behalf. The number of affected devices and the stolen amount remain undisclosed. Group-IB promptly informed their Threat Intelligence customers and notified the Governmental National CERT of Vietnam (VNCERT).
Cybersecurity firm Group-IB has uncovered a new Android Trojan named “GoldDigger,” targeting users of over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets. This threat, active since at least June 2023, masquerades as both a Vietnamese government portal and an energy company. By abusing the Android Accessibility service, GoldDigger extracts personal data, steals banking app credentials, intercepts SMS messages, and executes various actions on the device. The scale of impact and the amount of stolen funds remain undisclosed.
Upon discovering the GoldDigger threat, Group-IB’s Threat Intelligence unit promptly notified their customers and informed the Governmental National CERT of Vietnam (VNCERT). This Android Trojan was first identified in June 2023. It operates through deceptive websites, mimicking Google Play Store pages and fake company sites, some even featuring fabricated user reviews and Vietnamese emblems to appear authentic.
GoldDigger operates in two strains, one posing as a Vietnamese government portal and the other as a local energy sector company. After installation, it gains Accessibility Service access, allowing it to monitor and manipulate the device’s functions. The Trojan targets 51 applications from Vietnamese financial organizations, along with e-wallets and cryptocurrency apps. Captured data, including logins and passwords, is then sent to command-and-control servers. Notably, GoldDigger employs Virbox Protector, a legitimate software-protection product, to obfuscate and encrypt its code, making it more challenging to analyze.
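Because the Trojan depends on being sideloaded and then granted Accessibility Service access, a device-side triage check can flag enabled accessibility services whose package did not come from the Play Store. The script below is an added example written for this article, not Group-IB’s tooling; it parses constructed sample output in the format of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names in the sample are placeholders.

```python
# Constructed sample output (assumption: matches the two adb commands named above).
# Format of enabled_accessibility_services: "pkg/ServiceClass:pkg2/ServiceClass2"
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeportal/.A11yService"
)
# Format of `pm list packages -i`: "package:<pkg>  installer=<installer|null>"
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeportal  installer=null
package:com.example.bank  installer=com.android.vending
"""
PLAY_STORE_INSTALLER = "com.android.vending"


def parse_enabled_services(raw):
    """Return [(package, service_class)] from the colon-separated settings value."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue  # empty value or trailing separator
        pkg, _, cls = entry.partition("/")
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded / unknown)."""
    installers = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        parts = line[len("package:"):].split()
        installer = None
        for field in parts[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[parts[0]] = installer
    return installers


def flag_suspicious(services_raw, pm_raw):
    """Enabled accessibility services whose package was not installed by the Play Store."""
    installers = parse_installers(pm_raw)
    flagged = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = installers.get(pkg)
        if installer != PLAY_STORE_INSTALLER:
            flagged.append({"package": pkg, "service": cls, "installer": installer})
    return flagged
```

A hit is a triage lead, not a verdict: OEM or ADB-installed accessibility tools will also appear here, so the flagged package still needs to be checked against the device's expected software.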
“While currently focused on Vietnam, GoldDigger includes translations to Spanish and traditional Chinese. This suggests potential expansion to Spanish and Chinese-speaking countries,” warns Anh Le, Group-IB’s Business Development Manager in Vietnam. Users are urged to update their devices, download applications exclusively from the Google Play Store, and monitor app permissions. For added security, companies can explore Group-IB’s Fraud Protection solution, employing machine learning to detect suspicious behavior and potential threats like GoldDigger.