The malware contains Spanish and Chinese text, suggesting that users of other countries could be targeted next.

A new Android-based trojan that specifically targets users of over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets has been spotted and named by cyber researchers.

Active since at least June 2023, the trojan — codenamed GoldDigger — spoofs a Vietnamese government portal and an energy company, while abusing the Accessibility functions in the Android operating system to extract personal information, steal banking app credentials, intercept SMS messages, and perform various user actions.

The initial mechanism involved cybercriminals using phishing tactics to lure potential victims to more than 10 fake websites posing as Google Play Store pages and fake company websites. To appear more convincing, some of the fake websites included user reviews and the emblem of Vietnam. These sites were designed to deceive users into downloading the malicious GoldDigger APK. Within the code of this package is a Android Activity class called ‘GoldActivity’, thus inspiring researchers to give the trojan the codename GoldDigger.

After being installed and launched, GoldDigger requests access to the smart device’s Accessibility Service, an Android feature designed to assist users with disabilities by allowing apps to interact with each other and modify the user interface. By abusing this feature, the malware can monitor and manipulate some of the device’s advanced or exclusive functions.

Other GoldDigger traits

Two different strains of GoldDigger have since been discovered: one that impersonated a Vietnamese governmental portal, and another imitating a Vietnamese energy sector company.

Due to the users granting Accessibility permissions to the trojan, the latter can monitor events linked to 51 targeted applications of Vietnamese financial organizations, as well as e-wallets and crypto apps. After capturing user input (such as logins and passwords), GoldDigger exfiltrates the data to command-and-control servers.

Another notable feature of GoldDigger is that it tries to evade detection and reverse engineering by researchers with Virbox Protector, a legitimate software that provides advanced obfuscation and encryption.

The number of infected devices and the amount stolen remains unknown, but, according to Anh Le, Business Development Manager, Group-IB (Vietnam) — the firm that discovered GoldDigger and reported its findings to Governmental National CERT of Vietnam (VNCERT): “At the moment, GoldDigger is primarily focusing on targets in Vietnam (but)in addition to Vietnamese, the malware included language translations to Spanish and traditional Chinese. The cybercriminals may have plans to further extend GoldDigger’s reach to Spanish and Chinese-speaking countries in the near future.”