{
	"id": "4233a930-89c0-4ec6-b60d-514c3f89e6a3",
	"created_at": "2026-04-06T15:53:24.886028Z",
	"updated_at": "2026-04-10T13:11:20.322156Z",
	"deleted_at": null,
	"sha1_hash": "8ab254a8f9ee9fd19ede2918c3f27b49fb786a8e",
	"title": "Breaking down Gigabud banking malware with Fraud Matrix | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131399,
	"plain_text": "Pavel Naumov\r\nGlobal Senior Security Researcher\r\nFHP\r\nArtem Grischenko\r\nJunior Malware Analyst, Threat Intelligence team\r\nBreaking down Gigabud banking malware with Group-IB Fraud Matrix\r\nUncover the disruptive nature of Gigabud malware and take proactive measures to mitigate the associated risks\r\nAugust 14, 2023 · Fraud Protection\r\nhttps://www.group-ib.com/blog/gigabud-banking-malware/\r\nPage 1 of 21\r\nBanking malware Fraud Protection Gigabud\r\nIntroduction\r\nMalware continues to evolve as a persistent threat to organizations worldwide. While antivirus technologies strive to improve their malware detection capabilities, threat actors are actively attempting to create malicious software that can evade detection.\r\nA powerful strategy to overcome this challenge is transitioning from traditional signature-based detection to advanced analysis techniques, which effectively prevent malware incidents. Here’s a detailed analysis of how Group-IB experts recently dismantled a disruptive banking trojan.\r\nIn September 2022, the Group-IB team received a request from its customer, a Thailand-based financial organization, to investigate a malware sample targeting its clients and customers in the Asia-Pacific region. After analyzing the sample, the experts concluded that the malware was a previously undocumented Android Remote Access Trojan (RAT). In January 2023, cybersecurity researchers named this trojan Gigabud after the application’s certificate issuer name.\r\nOne of Gigabud RAT’s unique features is that it doesn’t execute any malicious actions until the user is authorized into the malicious application by a fraudster, as shown in the Distribution section (Figure 3), which makes it harder to detect. Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording.\r\nThe Group-IB team continued investigating this highly active strain and identified another malware sample within the Gigabud family that doesn’t have RAT capabilities – codenamed Gigabud.Loan, which is a fake loan application that exfiltrates user-input data.\r\nActive since at least July 2022, Gigabud.Loan has been masquerading as applications of fictional financial institutions from Thailand, Indonesia, and Peru. It is worth noting that the versions of Gigabud previously described by security researchers combine the functionalities of RAT and Fake Loan. Both Gigabud RAT and Gigabud.Loan have the same architecture and share the same certificate, which is why Group-IB researchers attribute them to the same Gigabud family.\r\nFrom 2022 to 2023, Group-IB detected more than 400 Gigabud.RAT samples and more than 20 Gigabud.Loan samples based on VirusTotal hunting rules. Considering the high activity of the Gigabud malware family, this blog aims to equip organizations and the community with valuable insights into the Gigabud trojan’s functionality and the topography of its attacks.\r\nThe blog extends an in-depth analysis of the fraud techniques employed by Gigabud, mapped using the Group-IB Fraud Matrix, which can help guide mitigation techniques enforced by different anti-fraud teams and CTI analysts.\r\nKey findings\r\nGigabud.Loan targeted account holders of more than 99 financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru.\r\nThe targets were individuals lured into filling out a bank card application form to obtain a low-interest loan. The victims are convinced to provide personal information during the application process.\r\nGigabud.RAT targeted at least 25 companies, financial institutions, and government departments across Thailand, Peru, the Philippines, Indonesia, and Vietnam. The malware aimed to mimic these companies, possibly to deceive users.\r\nGigabud’s TouchAction feature abuses the accessibility service, as shown in Figure 8. Combined with screen capturing, Gigabud is a powerful remote device access tool allowing the threat actor to access the victim’s account. It allows the threat actor to perform gestures on the user’s device. This makes it possible to evade defenses and authentication (including two-factor authentication), and to create automated payments from the victim’s device.\r\nA new password-stealing module was discovered, specifically designed to target banking applications.\r\nFraud Matrix: Decoding Gigabud\r\nTo facilitate the understanding of an emerging threat and its various phases, the Group-IB Fraud Matrix analyzes fraudulent schemes and outlines the techniques used by fraudsters at each stage. Based on the MITRE® model, the Fraud Matrix is a critical source of intelligence against fraud with deep insights into schemes, modus operandi, and recommendations for an organization’s most robust defense measures.\r\nFraud Matrix analysis allows teams to identify, classify, and index new and existing fraud types to provide a better understanding of how this particular trojan operates, as well as its potential risks to target organizations and their customers.\r\nLet’s look at the specific tactics and techniques employed by the Gigabud family:\r\nFigure 1: Visual representation of Gigabud’s TTPs in the Fraud Matrix\r\nHere’s a breakdown of Gigabud techniques in the resource development, trust abuse, end-user interaction, credential access, account access, and defense evasion tactics.\r\nDistribution\r\nBoth Gigabud.Loan and Gigabud.RAT spread via phishing websites in Thailand, Indonesia, Vietnam, the Philippines, and Peru. The links are delivered to the victim through smishing via instant messengers, SMS, or social networks, where fraudsters push the victims to visit the phishing websites, complete a tax audit, and get a tax refund. Those websites show links to download malicious Android applications and impersonate government and financial institutions (Figure 2). These applications are hosted on look-alike domains.\r\nFigure 2.1: Example of phishing websites spreading Gigabud malware\r\nHowever, in the case of Gigabud.Loan, the threat actors use not only phishing websites but also deliver the APK files directly through instant messengers, as illustrated in the video, a screenshot from which is shown below (Figure 3):\r\nFigure 3: Example of phishing in messengers\r\nAndroid devices allow users to install apps from third-party sources other than official app stores. However, the devices have the “Install from Unknown Sources” setting disabled by default as a security measure that prevents app installations from unknown sources. Additionally, applications that aim to install additional applications on the device can request the “REQUEST_INSTALL_PACKAGES” permission, categorized as high-risk by Google. This permission allows apps to bypass the “Install from Unknown Sources” setting and allows APK installations outside the Google Play Store.\r\nThe phishing victims are frequently tricked into granting the “REQUEST_INSTALL_PACKAGES” permission to browsers, email clients, etc., on their Android devices, allowing malicious APKs to be installed. Gigabud also leverages phishing techniques to deceive users into unwittingly granting the permissions necessary for the trojan’s installation.\r\nThis combination of social engineering and permission exploitation underscores the importance of user awareness and caution when encountering unexpected or suspicious requests, safeguarding against the potential infiltration of dangerous malware.\r\nProactive Mitigation Steps\r\nWe advise organizations to educate their customers not to enable “Install from Unknown Sources” and to exercise caution when granting the “REQUEST_INSTALL_PACKAGES” permission to apps, as these actions can expose Android devices to security risks, including malware and data privacy concerns. Group-IB Fraud Protection’s Android SDK detects these risks on users’ devices. Read more about the tool’s common malware detection techniques here.\r\nGigabud.RAT and Gigabud.Loan share similarities in terms of how they are distributed. Other attack stages differ. Let’s look at them more closely now.\r\nGigabud.RAT\r\nGigabud.RAT is a trojan that mimics legitimate apps, including government and financial institution applications, and abuses screen capturing and keylogging as part of the capture credentials technique to access credentials and other sensitive information. Additionally, it can bypass authentication and second factors, replace bank card numbers in the clipboard, and perform automated payments through remote access to the victim’s device.\r\nWhen the user opens the Gigabud trojan masquerading as a legitimate application, it presents the login activity (Figure 4).\r\nFigure 4: Gigabud.RAT login page example\r\nWhen the user passes the login form, Gigabud requests from the user the two 6-digit invitation codes mentioned in Figure 3, as shown below. With this extra step, fraudsters can verify the victim, making research by malware analysts more difficult, and seek to trick users into believing that they are dealing with a legitimate application.\r\nFigure 5: 6-digit invitation code pages example\r\nAs a result, Gigabud opens a fake “Activation” page. This activity contains one button, whose only function is to pass on to the “Permission Request” page (Figure 6). There are several options on the “Permission Request” page, and the exact number depends on the sample. They are primarily used for:\r\ninstalling the Add-On application\r\ngranting permission to use Accessibility Service\r\ngranting permission to Start Screen Recording\r\ngranting permission to display the application over other apps\r\nWhen the user grants these permissions, Gigabud can then perform all its malware capabilities.\r\nFigure 6: Gigabud.RAT Activation and Permissions request pages\r\nWhen all the necessary permissions are granted, the “Wait” page is opened. This activity contains an endless loading animation and the text “Please Wait for Information.”\r\nFigure 7: Gigabud.RAT “Wait” page example\r\nScreen Capture\r\nScreen capturing has been used in both legitimate software applications and malware. Legitimate use cases include screen recording apps, remote access apps, and productivity tools that allow users to capture and share their screen activity for various purposes – from content creation to troubleshooting and remote support. These applications often utilize high-level libraries, but ultimately, screen capturing is implemented using the underlying mechanisms of Android, such as virtual displays and the MediaProjection API.\r\nHowever, this same feature is also exploited by malware to steal sensitive user information, such as login credentials and personal data. To mitigate this risk, Android has implemented a runtime permission that requires users to grant access to screen recorders, enabling users to control and monitor screen-capturing activities on their devices.\r\nGroup-IB Fraud Protection’s SDK can detect active screen capturing on Android devices, as shown in the video below. Group-IB’s Threat Intelligence team found a Gigabud sample with some debug activities and patched it to show one of them instead of the login activity.\r\nAccessibility Service to perform gestures\r\nAccessibility services, in the context of Android, refer to a system feature designed to assist users with disabilities in effectively interacting with their devices. Accessibility services provide enhanced functionalities and modifications to the user interface, allowing individuals with visual, auditory, physical, or cognitive impairments to navigate, interact with, and utilize their Android devices more easily. These services can offer features like screen reading, magnification, gesture-based controls, speech-to-text, haptic feedback, and more. Accessibility services are crucial in promoting inclusivity, empowering users with disabilities to access and engage with their devices, applications, and digital content, thereby fostering greater independence and usability.\r\nHowever, accessibility services, similar to screen capturing, are now being leveraged by threat actors as a means of exploitation in several banking trojans, such as Gustuff and Gigabud. From the banking anti-fraud point of view, devices with accessibility services enabled should be flagged, because this can be treated as an indicator of compromise.\r\nOne of Gigabud’s features, TouchAction, abuses the accessibility service, as shown in Figure 8. Combined with screen capturing, Gigabud is a powerful remote device access tool allowing the threat actor to access the victim’s account. It allows the threat actor to perform gestures on the user’s device. This makes it possible to evade defenses and authentication (including two-factor authentication), and to create automated payments from the victim’s device.\r\nFigure 8: “TouchAction” service\r\nReal-time detection of accessibility service abuse is one key feature of Group-IB Fraud Protection’s SDK that can easily be added to any application. This helps prevent fraud schemes that rely on this popular technique, whether used by known or zero-day malware on end-user devices.\r\nAccessibility Service as a keylogger\r\nThe latest Gigabud versions contain another feature that abuses accessibility services – a new keylogging module that allows preparing a specific password-stealing scheme for each targeted banking application. Our Threat Intelligence team suggests that this module is currently being tested by the malware developers, and that Gigabud will contain more modules to steal data from different banking applications. The identified Gigabud samples currently have a password-stealing handler for only one banking app.\r\nFigure 9: Fragment of keylogger implementation\r\nAs we can see in the Figure 9 screenshot, the keylogger feature is implemented using an accessibility service. Group-IB Fraud Protection’s SDK can be leveraged to detect whether an accessibility service is enabled on the user’s device.\r\nGigabud.Loan\r\nGigabud.Loan is a fake loan version of Gigabud that only exfiltrates user-input data and has no RAT capabilities. It abuses the user’s trust by impersonating a non-existent financial institution to collect personal information such as full name, identity number, national identity document photo, digital signature, education, income information, bank card information, and phone number in order to obtain a loan.\r\nThe fake loan request is a fraud technique in which fraudsters pose as lenders and request money from individuals. Fraudsters typically use various methods to target victims, such as sending unsolicited emails or making phone calls, and other deceptive tactics to convince their victims to send them money.\r\nIn a typical fake loan request fraud scenario, the fraudster may ask victims to pay upfront fees or provide personal information, such as bank account numbers or social security numbers, to process the loan application. They may promise low interest rates or guaranteed approval to entice victims into sending money or providing sensitive information. However, once the victims take action, the scammers disappear, and the victims are left without a loan and may suffer financial losses.\r\nAfter the user opens Gigabud.Loan, the application shows an activity with login and registration forms (Figure 10, Screen 1). The user can register with a phone number and an SMS invite code. Then Gigabud shows an activity with a credit offer (Figure 10, Screen 2) and requests the user’s personal information (Figure 10, Screens 3 and 4) before providing a fake loan contract. After all personal data is submitted, the credit contract can be received. Gigabud.Loan displays the formatted contract as the loan request result, as presented in Figure 7.\r\nFigure 10: Fake loan request stages\r\nFigure 11: Fake loan contract example\r\nDetect and defend against Gigabud malware\r\nWith the Gigabud malware becoming more adaptive and effective in its attack tactics, expanding its target range, adding new modules in recent samples, and building advanced evasion techniques, it is imperative to stay vigilant and maintain proactive cybersecurity measures to defend against the malware.\r\nFor financial organizations\r\nImplement a user session monitoring system such as Fraud Protection to detect the presence of malware and block anomalous sessions before the user enters any personal information.\r\nEducate your clients about the risks of Gigabud malware. This includes teaching them to spot fake websites and malicious apps and to protect their passwords and personal information.\r\nAs for fake loan requests, actively inform your customers through educational materials, such as brochures, website content, and FAQs, on how to verify the legitimacy of loan offers and lenders.\r\nUse a Digital Risk Protection platform that detects the illegitimate use of your logos, trademarks, content, and design layouts across your digital surface.\r\nFor end-users\r\nBe careful about the links you click on. Gigabud malware is often spread through malicious links in emails, text messages, and social media posts.\r\nTread with caution when downloading third-party applications.\r\nCheck what permissions an application requests before installing it.\r\nUse a VPN when connecting to public Wi-Fi. This will help protect your device from malware that may be lurking on public networks.\r\nBack up your data regularly to minimize the damage if your device is infected with malware.\r\nUse reputable antivirus software to detect and remove Gigabud malware if it does manage to infect your device.\r\nIf your device has been infected, do the following:\r\nDisable network access.\r\nFreeze any bank accounts that your device has accessed.\r\nContact experts to receive detailed information about the risks that the malware could pose to your device.\r\nIn cases of fake loan request fraud, users can take the following steps:\r\nVerify the lender’s legitimacy before you apply for a loan. You can check the lender’s website for a physical address and phone number, and also check with Ombudsman Services to see if any complaints have been filed against the lender.\r\nAvoid paying fees upfront. Legitimate lenders are unlikely to ask you to pay any upfront fees before you receive a loan.\r\nLegitimate lenders will not use high-pressure tactics to push you into taking out a loan. It is likely a scam if a lender pressures you to take out a loan.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/gigabud-banking-malware/"
	],
	"report_names": [
		"gigabud-banking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775490804,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ab254a8f9ee9fd19ede2918c3f27b49fb786a8e.pdf",
		"text": "https://archive.orkl.eu/8ab254a8f9ee9fd19ede2918c3f27b49fb786a8e.txt",
		"img": "https://archive.orkl.eu/8ab254a8f9ee9fd19ede2918c3f27b49fb786a8e.jpg"
	}
}