Threat actors are distributing a new Android malware, named Gigabud, impersonating government agencies, financial institutions, and other organizations from Thailand, Peru, and the Philippines. 

Gigabud's trap

The attackers trick victims into downloading malicious apps mimicking government apps, shopping apps, and banking loan apps. Cyble researchers revealed that once a user installs a malicious app, it displays a legitimate-looking login screen that prompts them to enter their mobile number and password.

Modus operandi

  • Gigabud leverages a server-side verification process to ensure that the mobile number entered during registration is legitimate.
  • From the login screen, the malware sends the victim a fake loan contract and notifies them to confirm the information.
  • The malware does not show any malicious activity until the final stage and finally requests the victim to grant Accessibility permissions, including permission for screen recording and screen overlay.
  • Subsequently, it abuses Accessibility Services to steal banking credentials and requests permission to display over other apps.
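The combination described above (an enabled Accessibility Service plus the permission to draw over other apps) is also what a defender can look for when triaging a suspect device. The script below is an added example, not code from the Cyware write-up or from Cyble's research. It parses two pieces of `adb shell` output an analyst would collect (`settings get secure enabled_accessibility_services` and the permission section of `dumpsys package <pkg>`) and flags packages that hold both capabilities and are not on a reviewed allowlist. All sample input and package names (for example `com.example.dsi_clone`) are constructed placeholders, not indicators from the campaign.

```python
"""Triage helper for Gigabud-style Accessibility/overlay abuse.

Added example, not from the original article. Inputs are constructed
samples of `adb shell` output; package names are placeholders.
"""
import re

# Output of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/ServiceClass" entries. (Constructed sample.)
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.dsi_clone/.core.AccessService"
)

# Relevant fragments of: adb shell dumpsys package <pkg>  (Constructed samples.)
DUMPSYS = {
    "com.example.dsi_clone": """
      requested permissions:
        android.permission.INTERNET
        android.permission.SYSTEM_ALERT_WINDOW
        android.permission.BIND_ACCESSIBILITY_SERVICE
    """,
    "com.google.android.marvin.talkback": """
      requested permissions:
        android.permission.BIND_ACCESSIBILITY_SERVICE
    """,
}

# Accessibility services the organisation has reviewed and accepts (assumed allowlist).
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Permission that lets an app draw over other apps (used for fake login overlays).
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def parse_enabled_services(setting: str) -> dict:
    """Map package -> enabled accessibility service class from the secure setting."""
    services = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        services[pkg] = cls
    return services


def requested_permissions(dump: str) -> set:
    """Collect every permission name mentioned in a dumpsys package fragment."""
    return set(PERM_RE.findall(dump))


def triage(setting: str, dumps: dict, allowlist: set) -> dict:
    """Classify packages with an enabled Accessibility Service.

    'high'   : not allowlisted AND requests the overlay permission
               (the credential-theft combination described for Gigabud)
    'review' : not allowlisted, no overlay permission seen; still worth a look
    """
    result = {"high": [], "review": []}
    for pkg in parse_enabled_services(setting):
        if pkg in allowlist:
            continue
        perms = requested_permissions(dumps.get(pkg, ""))
        bucket = "high" if OVERLAY_PERM in perms else "review"
        result[bucket].append(pkg)
    return result


if __name__ == "__main__":
    for level, pkgs in triage(ENABLED_A11Y, DUMPSYS, ALLOWLIST).items():
        for pkg in pkgs:
            print(f"[{level.upper()}] {pkg}: accessibility service enabled")
```

On a real device the two inputs come straight from `adb shell`; the allowlist should be built from the screen readers and automation tools the organisation actually deploys, since any unexpected Accessibility Service on a banking user's phone deserves a look even without the overlay permission.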

Thailand as prime target

  • The threat actors were using a phishing site impersonating the website of the Department of Special Investigation (DSI) Thailand and spreading Gigabud (DSI[.]apk), after which the DSI issued a warning in July 2022.
  • In September 2022, the Thailand Telecommunication Sector Cert (TTC-Cert) discovered a file named Revenue[.]apk, believed to be part of the same campaign, and issued a technical advisory on its behavior.
  • Additionally, the malware impersonated the Ministry of Finance, the Student Loan Fund, the Government Savings Bank, the Islamic Bank of Thailand, the Government Housing Bank, the Excise Department, the Government Lottery Office, Kasikornbank Thailand, Advice (an IT company), Thai Lion Air, and Shopee Thailand.

Other countries in the foray

  • Later on, threat actors began distributing the malware in various countries, such as Peru and the Philippines.
  • The malware disguised itself as an app from SUNAT (Peru) and the Bureau of Internal Revenue (the Philippines) and financial institutions such as Banco de Comercio (Peru).

Wrapping up

Gigabud operators are working actively to spread their malware to new geographical regions. They adopted new tactics such as a server-side verification process to keep evading detection and sustain the campaign for an extended period. Experts suspect that the malware operator will continue to expand its targets and capabilities with new variants in the near future as well.
Cyware Publisher