Unmasking The Overlap Between Golddigger And Gigabud Android Malware – Cyble

Summary: The Gigabud malware has seen a significant rise in activity since July 2024, utilizing advanced phishing techniques to distribute itself through counterfeit airline applications and targeting users across multiple countries. Analysis indicates a strong connection between Gigabud and Golddigger malware, suggesting a coordinated effort by the same threat actor.

Threat Actor: Unknown | Gigabud
Victim: Various | Gigabud victims

Key Point :

  • Gigabud malware is now impersonating legitimate airline applications to distribute its malicious payload.
  • The malware’s targeting has expanded to include countries such as Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia.
  • There are significant code similarities between Gigabud and Golddigger malware, indicating they share the same threat actor.
  • The latest version of Gigabud includes over 30 API endpoints, enhancing its functionality and capabilities.
  • Phishing sites mimicking official pages have been identified as a primary distribution method for Gigabud malware.

Key Takeaways

  • Since July 2024, there has been a noticeable surge in the detection of a new variant of Gigabud malware. This uptick indicates an escalation in the malware’s distribution and impact. 
  • Gigabud is now using sophisticated phishing tactics, distributing its malware by disguising it as legitimate airline applications. These fake apps are being circulated through phishing sites that closely mimic the official Google Play Store, aiming to deceive unsuspecting users. 
  • The scope of Gigabud’s operations has expanded, and it now targets users in a wider range of countries, including Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia. 
  • Analysis reveals significant similarities between Golddigger and Gigabud malware, suggesting that the same Threat Actor (TA) is behind both. This connection points to a shared origin and strategy, reflecting a coordinated approach in their malicious campaigns. 
  • The latest iteration of Gigabud has incorporated over 30 API endpoints, enabling it to support a wide array of new features. This development points to a deliberate effort by the attackers to continuously evolve the malware’s functionality 

Overview 

In January 2023, Cyble Intelligence and Research Labs (CRIL) discovered a Gigabud campaign that was impersonating government entities to target users in Thailand, the Philippines, and Peru. By June 2023, the Golddigger Android Banking Trojan emerged, targeting users in Vietnam by posing as a Vietnamese government entity. 

Recent analysis has revealed that the source code from both Gigabud and Golddigger malware shows significant overlap, indicating that the same TAs are behind both campaigns. 

CRIL has been closely tracking the evolving Gigabud campaign and has observed a strategic expansion in its targeting. Initially focused on regions like Vietnam and Thailand, the malware has now broadened its scope to include new targets in Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia. This broadening of targets highlights an increased scope and sophistication in the TA’s approach. 

Phishing sites impersonating South African and Ethiopian Airlines 

CRIL has identified multiple phishing sites that replicate the Google Play page to distribute Gigabud malware. These sites are designed to deceive users into downloading malicious applications by masquerading as legitimate South African Airways and Ethiopian Airlines. The detection of similar malicious samples originating from South Africa, coupled with the malware’s use of African airline identities, indicates that the TAs have expanded their target list to include both South Africa and Ethiopia.  

Figure 1 – Phishing site distributing fake South African Airways app

Figure 1 – Phishing site distributing fake South African Airways app 

Figure 2 – Phishing site distributing fake Ethiopian Airlines app

Figure 2 – Phishing site distributing fake Ethiopian Airlines app 

Gigabud malware impersonating Mexican Bank and Indonesian Tax Government Entity 

We have observed that certain samples of Gigabud malware are now impersonating the Mexican bank “HeyBanco” by presenting a counterfeit login page. These fraudulent samples, which were also submitted from Mexico to VirusTotal, indicate a new focus of the Gigabud malware on the Mexican region. 

Figure 3 – Fake HeyBanco login page loaded by malware left vs genuine HeyBanco page right

Figure 3 – Fake HeyBanco login page loaded by malware (left) vs genuine HeyBanco page (right) 

Gigabud malware has also been detected impersonating the official “M-Pajak” app, which belongs to the Directorate General of Taxes in Indonesia. These samples mimic the legitimate government application by presenting a counterfeit login page, much like the previously observed MyBanco malicious app. 

Figure 4 – Fake M Pajak login page loaded by malware left vs genuine M Pajak login page right

Figure 4 – Fake M-Pajak login page loaded by malware (left) vs genuine M-Pajak login page (right) 

The figure below illustrates the diverse range of icons employed by Gigabud malware to impersonate legitimate entities.  

Figure 5 – Icons used by Gigabud malware

Figure 5 – Icons used by Gigabud malware 

Since early June 2024, the distribution of Gigabud malware has significantly increased, signaling an intensified effort by the TA to reach a wider audience. This uptick in activity reflects a strategic expansion of the malware’s deployment aimed at compromising a larger pool of potential victims. The graph below provides a detailed view of the malware’s distribution trends over the past six months. 

Figure 6 – Graph indicating the uptick in Gigabuds activity

Figure 6 – Graph indicating the uptick in Gigabud’s activity 

The next section delves into the technical details of the malware and highlights its similarities with Golddigger. 

Technical Details 

New samples of Gigabud malware have been detected using the Virbox packer and employing evasion techniques by exploiting the zip file format, akin to the methods used by Golddigger malware. The Virbox packer obscures the malware’s true nature, making it more difficult for security solutions to identify and analyze. 

Figure 7 – Using Virbox Packer

Figure 7 – Using Virbox Packer 

Similarities between Gigabud and Golddigger 

Golddigger malware utilized the native .so file named “libstrategy.so” to handle code specific to the user interface elements of targeted banking applications. This file played a crucial role in identifying the UI elements of the banks being targeted. In recent versions of Gigabud, similar source code has been identified, indicating that Gigabud has adopted a comparable approach. 

Figure 8 – Golddigger left and Gigabud Right share similar library

Figure 8 – Golddigger (left) and Gigabud (Right) share similar library 

Upon examining the native files of both Golddigger and Gigabud, we found that Gigabud has incorporated support for two additional banking applications: Yape (com.bcp.innovacxion.yapeapp), a digital payment app from Peru, and Dutch-Bangla Bank Rocket (com.dbbl.mbs.apps.main), a mobile banking app from Bangladesh. 

Figure 9 – Golddiggers target list left Vs Gigabuds target listRight

Figure 9 – Golddigger’s target list  (left) Vs Gigabud’s target list(Right)  

Until now, we have attributed these recent samples to Golddigger based on their common library usage, but further investigation of an unpacked sample indicated that they are actually Gigabud malware. 

In our investigation into the Gigabud campaign, we uncovered an unpacked file distributed through the phishing site “hxxps://airways[.]ajgo[.]cc/assets/images.” Unlike the packed variants, this sample is not packed with the Virbox packer. Nevertheless, it utilizes the same libraries and includes identical classes as those found in the packed versions. 

Figure 10 – Unpacked left Vs. Packed right Gigabud samples

Figure 10 – Unpacked (left) Vs. Packed (right) Gigabud samples 

In our analysis of unpacked samples, we observed that the code from samples identified in 2023 bears striking similarities to the code in more recent variants, particularly in how they display fake bank dialog boxes. The figure below illustrates the code similarities between the old and new variants. 

Figure 11 – The same code present in old and new samples

Figure 11 – The same code present in old and new samples 

In addition to sharing code, recent samples of Gigabud malware are using the Retrofit library for Command and Control (C&C) communication. Our analysis revealed that these recent samples utilize API endpoints that are consistent with those used in earlier versions of Gigabud. This correlation confirms that the new samples are indeed variants of Gigabud malware.  

Figure 12 – Endpoints used in older and new versions of Gigabud

Figure 12 – Endpoints used in older and new versions of Gigabud 

The latest samples of Gigabud malware now feature 32 API endpoints, a substantial increase from the 11 endpoints found in earlier versions. This expansion signifies upgrades and enhancements by the TA over the past year. Below are some of the new endpoints introduced in the most recent version of Gigabud malware. 

Endpoints  Description 
/x/five/upload  Upload recorded face video 
x/common-sms  Upload SMSs 
x/command-screen-up  Sends screen content 
/x/dk-register  Sends stolen bank details 
/x/common-books  Upload contacts 
/x/five/user-upload-batch  Upload files from an infected device 
/x/five/config-list  Receives configuration list 

Although the recent samples predominantly feature code similar to that of Gigabud malware, we discovered that they also incorporate the “libstrategy.so” library and its Java counterpart, “com.strategy.utils,” from Golddigger. This library is critical for the malware, as it includes parsed UI element IDs for various targeted banking applications and the lock pattern windows from settings across different mobile devices. The supported device brands include: 

  • Honor 
  • Infinix 
  • Meizu 
  • Motorola 
  • Oppo 
  • Realme 
  • Samsung 
  • Vivo 
  • OnePlus 
  • Xiaomi 
Figure 13 – Parsed UI element IDs of the lock window in the Strategy native file

Figure 13 – Parsed UI element IDs of the lock window in the Strategy native file 

Figure 14 Parsed UI element IDs of targeted bank applications in the Strategy native file

Figure 14 – Parsed UI element IDs of targeted bank applications in the Strategy native file 

The malware leverages these parsed UI elements to precisely identify and interact with user interface components on the victim’s device. This capability allows it to execute various malicious actions, including locking and unlocking the infected device and targeting specific UI elements related to targeted banking applications to exfiltrate financial information. 

Figure 15 – Usage of parsed elements and methods from Strategy native file to unlock device and steal password

Figure 15 – Usage of parsed elements and methods from Strategy native file to unlock device and steal password 

The analysis of recent Gigabud samples suggests that the same TA is behind both Golddigger and Gigabud, using common modules in their tools. The Strategy native file is one example of how the TA used a common file and embedded it in two different malware strains to carry out attacks. Additionally, the use of a packer, phishing themes, and impersonation of legitimate entities further indicates that the same threat actor is behind the campaign. 

  

Conclusion 

Our investigation reveals a significant overlap between Golddigger and Gigabud malware, indicating that the same TA is behind both. The recent surge in Gigabud samples, along with the use of common libraries and techniques, underscores the actor’s evolving tactics and expanded targeting. With the incorporation of new features and an increased range of targeted regions, including Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia, the threat landscape continues to shift. The shared code, similar phishing schemes, and impersonation tactics further confirm the connection between these malware strains, highlighting the need for heightened vigilance and advanced defensive measures against these persistent threats. 

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • If possible, activate biometric security measures like fingerprint or facial recognition to unlock your mobile device. 
  • Exercise caution when it comes to opening links received via SMS or emails on your phone. 
  • Confirm that Google Play Protect is turned on for Android devices. 
  • Be mindful when granting permissions. 
  •  Keep your devices, operating systems, and applications up to date. 

MITRE ATT&CK® Techniques 

Tactic  Technique ID  Procedure 
Defense Evasion (TA0030)  Masquerading: Match Legitimate Name or Location (T1655.001 Malware masquerading legitimate entities 
Persistence (TA0028)  Event-Triggered Execution: Broadcast Receivers (T1624.001 Malware has implemented a broadcast receiver to monitor screen actions 
Discovery (TA0032)  System Information Discovery (T1426 The malware collects basic device information. 
Discovery (TA0032)  File and Directory Discovery (T1420 Malware collects files from external storage 
Defense evasion (TA0030)  Hide Artifacts: Suppress Application Icon (T1628.001)   Malware can hide icon 
Collection (TA0035)  Protected User Data: Contact List (T1636.003 The malware collects contacts from the infected device 
Collection (TA0035)  Protected User Data: SMS Messages 
(T1636.004
Steals SMSs from the infected device 
Collection (TA0035)  Access Notifications (T1517 Malware monitors notification 
Collection (TA0035)  Input Capture: Keylogging (T1417.001 Malware steals credentials using keylogging 
Collection (TA0035)  Screen Capture (T1513 Malware can record screen 
Command and Control (TA0037)  Application Layer Protocol: Web Protocols (T1437 Malware uses HTTPS protocol for C&C communication 
Exfiltration (TA0036)  Exfiltration Over C2 Channel (T1646 Sending exfiltrated data over C&C server 

Indicators of Compromise (IOCs) 

Indicators  Indicator Type  Description 
d19a134f8e4961ec53e53fc21b3606063d821579ef4427ddaac011c7624b0af4 
327c041ba063d32e7378483aa7ebdf73ea6787db 
4d1d13cb7ce979cdb3a22838c8885794 
SHA256 
SHA1 
MD5 
Gigabud unpacked sample 
b700cee5e89305186b65a7c42c545263b3c11587ac1feb91fc3747353bde59e9 
2337bf80e136ee99ee59096081d7a937fd79adc3 853c98feaec405722c8353ff2d697f9e 
SHA256 
SHA1 
MD5  
Packed Gigabud sample 
rpc.nafe3[.]xyz  Domain  C&C server 
hxxps://airways.ajgo[.]cc/ 
hxxps://ethiopian[.]zkgo.cc 
hxxps://dstv[.]atferu.com 
URL  Phishing URL 

Source: https://cyble.com/blog/unmasking-the-overlap-between-golddigger-and-gigabud-android-malware