CyberSecurity SEE

Gigabud RAT Targets Android Users to Steal Banking Credentials

A recent news report reveals that GigaBud malware has been targeting more than 99 financial institutions in several Asian and South American countries, including Thailand, Indonesia, Vietnam, the Philippines, and Peru. This Android Remote Access Trojan (RAT) has been active since July 2022 and poses a significant threat to users in these regions.

Upon investigation, experts discovered another malware variant called “GigaBud.Loan,” which masquerades as a fake loan application. In addition to targeting financial institutions, GigaBud also focused on government departments, using their platforms to mimic at least 25 financial institutions. By doing so, the malware aimed to gather personal information from unsuspecting victims.

Threat actors behind GigaBud have combined the functionalities of a RAT and fake loans in previous versions. This allows the malware to perform gestures on the user’s device, evade defense mechanisms, and even create automated payments. This sophisticated approach demonstrates the high level of expertise possessed by the attackers.

To distribute GigaBud malware, threat actors employ various tactics. They host GigaBud.Loan and GigaBud.RAT on phishing websites and share the links through smishing (SMS phishing) campaigns. These links are also spread through social networks, enticing victims to visit the phishing websites. Furthermore, threat actors deliver malicious APK files to victims through these phishing campaigns.

While Android devices typically block third-party application installations as a security measure, these malicious APK files abuse the “REQUEST_INSTALL_PACKAGES” permission, which Google has categorized as high-risk. This permission bypasses the “Install from Unknown sources” setting. In this way, GigaBud gets past this security measure and infiltrates victims’ devices.
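For defenders triaging APKs before they reach users, the permission described above is visible in the app manifest. The following is an added example, not code from the original report: it parses a decoded AndroidManifest.xml (constructed sample) and flags REQUEST_INSTALL_PACKAGES. The accessibility-service check, the `from_official_store` parameter and the scoring are assumptions of this example; the report itself does not name the mechanism behind the on-device gestures.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a decoded AndroidManifest.xml, not taken from a real sample.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".GestureService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml, from_official_store=False):
    """Return the package name, findings and a review priority for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {
        el.get(ANDROID + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    # Services that only the system accessibility framework may bind to.
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == A11Y_BIND]
    findings = []
    if INSTALL_PERM in perms:
        findings.append("declares REQUEST_INSTALL_PACKAGES: can ask to install other APKs")
    if a11y:
        findings.append("accessibility service(s): " + ", ".join(a11y))
    if not from_official_store and findings:
        findings.append("sideloaded: not delivered by an official app market")
    # Assumed scoring: both signals on a sideloaded app is the combination to escalate.
    if INSTALL_PERM in perms and a11y and not from_official_store:
        review = "high"
    elif findings:
        review = "medium"
    else:
        review = "none"
    return {"package": root.get("package"), "findings": findings, "review": review}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```
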

GigaBud.RAT, the trojan disguised as a legitimate app, can capture screenshots and log keystrokes to obtain sensitive information such as login credentials. It can also bypass authentication and two-factor authentication, replace bank card numbers copied to the clipboard, and even make automatic payments from the victim’s device through remote access. The capabilities of GigaBud.RAT make it a dangerous threat to the financial security of Android users.

On the other hand, GigaBud.Loan presents itself as a fake loan application without the remote access capabilities of GigaBud.RAT. This variant pretends to be a financial institution, collecting personal information from victims under the pretext of processing a loan. In some cases, the fake loan requests may even ask for upfront fees or request personal information such as bank account numbers, further exploiting unsuspecting victims.

To protect themselves from the GigaBud malware, users are advised to exercise caution when installing applications from third-party sources. It is crucial to only download apps from legitimate app markets to minimize the risk of infection. Additionally, staying informed about the latest cybersecurity news can help users remain vigilant and proactive in protecting their devices and personal information.

In conclusion, the GigaBud malware poses a significant threat to Android users in several Asian and South American countries. This advanced RAT, disguised as a legitimate app or a fake loan application, targets both financial institutions and government departments. By combining remote access capabilities with the deception of a loan application, GigaBud malware can capture sensitive information and execute unauthorized transactions. Users must remain vigilant and take appropriate measures to protect themselves against this emerging threat.
