{
	"id": "e532a199-ba62-4a61-a9da-a2ad8ba2d0e7",
	"created_at": "2026-04-06T00:18:57.641983Z",
	"updated_at": "2026-04-10T03:21:37.087087Z",
	"deleted_at": null,
	"sha1_hash": "9475abe599f925ffc0a462c11fbd4dd1e6e3f074",
	"title": "Dissecting the new Android Trojan GoldDigger | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1374345,
	"plain_text": "Let's dig deeper: dissecting the\r\nnew Android Trojan GoldDigger\r\nwith Group-IB Fraud Matrix\r\nDelve into the tactics of the GoldDigger Trojan and discover ways to safeguard your customers\r\nOctober 5, 2023 · min to read · Fraud Protection\r\nFraud Protection GoldDigger Trojan\r\nIn August, Group-IB’s Threat Intelligence researchers detected a previously unknown Android\r\nTrojan targeting financial organizations in Vietnam. We codenamed it GoldDigger in reference to a\r\nparticular GoldActivity activity within the APK.\r\n← Blog\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 1 of 11\n\nWe promptly informed our clients in Vietnam and beyond about our findings. Additionally, our 24/7\r\nCERT-GIB (Group-IB Computer Emergency Response Team) proactively reached out to VNCERT\r\n(Vietnam Computer Emergency Response Team), in accordance with the data-sharing agreement\r\namong APCERT members. CERT-GIB shared the necessary technical information, including\r\nindicators of compromise, so that VNCERT was equipped to take appropriate risk mitigation\r\nmeasures.\r\nThis particular Trojan has been active since at least June 2023. GoldDigger disguises itself as a fake\r\nAndroid application and can impersonate both a Vietnamese government portal and a local energy\r\ncompany. Its main goal is to steal banking credentials. Like many Android Trojans, the malware\r\nabuses Accessibility Service to extract personal information, intercept SMS messages, and perform\r\nvarious user actions. The Trojan also has a remote access capability.\r\nOne of the main features of GoldDigger is its use of an advanced protection mechanism. Virbox\r\nProtector, a legitimate software identified in all discovered samples of GoldDigger, allows the Trojan\r\nto significantly complicate both static and dynamic malware analysis and evade detection. This\r\npresents a challenge in triggering malicious activity in sandboxes or emulators.\r\nThe use of VirBox by banking Trojans is a recent trend. According to Group-IB’s Threat Intelligence\r\nteam, three Android Trojans currently active in the Asia Pacific region, including GoldDigger, are\r\nusing this evasion technique.\r\nAs a result, dynamic analysis of each VirBox-protected sample takes significant time and requires\r\nmanual intervention. Regular updates to VirBox make static analysis of such malware inefficient. The\r\nmain goal of banking Trojans is to infect as many devices as possible and gain access to user\r\naccounts. The most effective way to combat them is with client-side fraud protection solutions that\r\noffer multiple benefits. These include real-time protection, adaptability to evolving threats and, most\r\nimportantly, the ability to rely on behavioral indicators to protect customers.\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 2 of 11\n\nFigure 1. GoldDigger Profile\r\nAs discovered by Group-IB researchers, the GoldDigger Trojan uses fake applications in Vietnamese\r\nto attack its victims. It has also been found that the Trojan includes language translations for\r\nSpanish and traditional Chinese, which implies that these attacks may potentially extend their reach\r\nbeyond Vietnam, encompassing Spanish-speaking nations and other countries in the APAC region.\r\nGoldDigger is just one of numerous Android malware strains currently active in the Asia-Pacific\r\nregion. Other noteworthy Android malware families currently targeting the region include the\r\nGigabud family, SpyNote, HookBot, PWNDROID4, CraxsRAT, TgToxic, and Anubis (Godfather’s\r\npredecessor), etc. Most of them share common characteristics and tactics that can be analyzed and\r\ncategorized using Group-IB’s proprietary Fraud Matrix, which is an essential element of Group-IB\r\nFraud Protection.\r\nIn light of GoldDigger’s current activity and potential expansion, we have decided to take a close\r\nlook at the Trojan’s tactics, in accordance with Group-IB’s Fraud Matrix. Based on the MITRE®\r\nmodel, Group-IB Fraud Matrix is a unique framework that analyzes and categorizes fraudulent\r\nschemes and outlines techniques used by fraudsters at each stage. The Matrix is a critical\r\nintelligence source against fraud with deep insights into schemes, modus operandi, as well as\r\nrecommendations that can ensure your organization is equipped with the most robust defense\r\nmeasures.\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 3 of 11\n\nIn addition to an in-depth analysis of GoldDigger’s fraud techniques, the post includes a list of\r\nindicators of compromise (IOCs), making it a valuable resource for anti-fraud teams and CTI\r\nanalysts.\r\nLet’s look at GoldDigger’s fraud techniques more closely.\r\nFigure 2. Visual representation of GoldDigger’s TTPs in the Fraud Matrix of the Group-IB Fraud\r\nProtection interface\r\nDistribution of malware\r\nGoldDigger spreads via fake websites masquerading as Google Play pages and fake corporate\r\nwebsites in Vietnam. The Trojan’s operators most likely distributed the links to these websites\r\nthrough smishing or traditional phishing. Those websites include links to download malicious\r\nAndroid applications (Figure 3).\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 4 of 11\n\nFigure 3. Fake website distributing GoldDigger\r\nAll Android devices have an “Install from Unknown Sources” setting disabled by default to\r\nprevent app installations from third-party sources. If the “Install from Unknown Sources” setting is\r\nenabled, APKs from sources other than the Google Play Store can be installed.\r\nGoldDigger requires that the “Install from Unknown Sources” function is enabled on a victim’s\r\ndevice to be downloaded and installed.\r\nProactive Mitigation Steps\r\nWe advise organizations to educate their customers about not enabling the “Install from Unknown\r\nSources” function as these actions can expose Android devices to potential security risks. Group-IB\r\nFraud Protection’s Android SDK detects applications installed from unauthorized and unknown\r\nsources that request suspicious permissions. Read more about the tool’s powerful malware\r\ndetection techniques here.\r\nLet’s look at GoldDigger’s other techniques now.\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 5 of 11\n\nTrust Abuse Tactic: Accessibility Service\r\nWhen launched, the GoldDigger Trojan asks the user to enable Accessibility Service.\r\nAndroid’s accessibility services are intended to assist users with disabilities in operating their\r\ndevices. These services offer capabilities such as screen reading, magnification, gesture-based\r\ncontrols, speech-to-text, haptic feedback, and others. Regrettably, certain banking Trojans, such as\r\nGustuff and Gigabud, are exploiting this feature.\r\nGranting Accessibility Service permissions to GoldDigger enables it to gain full visibility into user\r\nactions and interact with user interface elements. This means it can see the victim’s balance, harvest\r\nthe second credential issued for two-factor authentication, and implement keylogging functions,\r\nallowing it to capture credentials. GoldDigger monitors 51 financial apps, e-wallets, and crypto\r\napps in Vietnam. All this data is exfiltrated to command-and-control (C\u0026C) servers. An example is\r\nshown in Figure 4 below.\r\nFigure 4. Implementing Capture Credentials in GoldDigger\r\nBy abusing the Accessibility Service, GoldDigger ensures a range of intrusive capabilities. We have\r\nnot confirmed that the Trojan operators use these capabilities at the time of writing. However, based\r\non the behavior of other known Trojans similar to GoldDigger, we don’t think they differ\r\nsignificantly. This includes the ability to simulate user interactions enabling device remote access,\r\nessentially providing it with a backdoor into the user’s system. Figure 5 is a code snippet from the\r\ngestures dispatcher, which performs device screen unlock. Additionally, it enables authentication\r\nbypass, including the 2nd-factor bypass, allowing GoldDigger to perform payment creation from a\r\nlegitimate device.\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 6 of 11\n\nFigure 5. Automated device screen unlock\r\nConclusion\r\nBanking malware such as GoldDigger often exploits accessibility services or permissions to carry\r\nout fraudulent activities. To combat this, Group-IB Fraud Protection’s SDK is able to detect\r\nGoldDigger using a combination of rules, including the detection of accessibility service abuse,\r\nremote access capabilities, and abnormal behavior, as well as spotting applications installed from\r\nunauthorized sources that request suspicious permissions, and a range of other relevant indicators.\r\nGroup-IB Fraud Protection’s SDK can be easily added to any application to prevent fraud schemes\r\nthat rely on this popular technique, whether they are known or zero-day malware on end-user\r\ndevices.\r\nUser Behavior Monitoring can be employed to recognize an imposter by gaining a deep\r\nunderstanding of the way genuine users interact with your applications. The system monitors key\r\nuser behavior indicators such as speed of movement and pressure on-screen navigation.\r\nIncorporating these capabilities can strengthen your defenses against most malware attacks.\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 7 of 11\n\nFigure 6. Malware detection with User Behavior Monitoring by Group-IB Fraud Protection\r\nFind out more on how to detect different types of banking malware old or new on our malware\r\ndetection blog.\r\nIndicators of Compromise\r\nNetwork\r\nIOC Description\r\ncskh[.]evnspa[.]cc Malware delivery site\r\nFile SHA256 arrow_drop_down\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 8 of 11\n\ncskh[.]evnspc[.]cc Malware delivery site\r\ncskh[.]evnspe[.]cc Malware delivery site\r\ncskh[.]evnspo[.]cc Malware delivery site\r\ncskh[.]evnspr[.]cc Malware delivery site\r\nviet[.]cgovn[.]cc Malware delivery site\r\nviet[.]egovn[.]cc Malware delivery site\r\nviet[.]gdtgovn[.]com Malware delivery site\r\nShare this article\r\nFound it interesting? Don't hesitate to share it to wow your friends or colleagues\r\nResources\r\nResearch Hub\r\nSuccess Stories\r\nKnowledge Hub\r\nCertificates\r\nProducts\r\nThreat Intelligence\r\nFraud Protection\r\nManaged XDR\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 9 of 11\n\nWebinars\r\nPodcasts\r\nTOP Investigations\r\nRansomware Notes\r\nAI Cybersecurity Hub\r\nAttack Surface Management\r\nDigital Risk Protection\r\nBusiness Email Protection\r\nCyber Fraud Intelligence\r\nPlatform\r\nUnified Risk Platform\r\nIntegrations\r\nPartners\r\nPartner Program\r\nMSSP and MDR Partner\r\nProgram\r\nTechnology Partners\r\nPartner Locator\r\nCompany\r\nAbout Group-IB\r\nTeam\r\nCERT-GIB\r\nCareers\r\nInternship\r\nAcademic Aliance\r\nSustainability\r\nMedia Center\r\nContact\r\nSubscription plans Services Resource Center\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 10 of 11\n\nAPAC: +65 3159 3798\r\nEU \u0026 NA: +31 20 226 90 90\r\nMEA: +971 4 568 1785\r\ninfo@group-ib.com\r\n© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers\r\naround the world by preventing breaches, eliminating fraud and protecting brands.\r\nTerms of Use Cookie Policy Privacy Policy\r\nSubscribe to stay up to date with the\r\nlatest cyber threat trends\r\nContact\r\nhttps://www.group-ib.com/blog/golddigger-fraud-matrix/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/golddigger-fraud-matrix/"
	],
	"report_names": [
		"golddigger-fraud-matrix"
	],
	"threat_actors": [],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9475abe599f925ffc0a462c11fbd4dd1e6e3f074.pdf",
		"text": "https://archive.orkl.eu/9475abe599f925ffc0a462c11fbd4dd1e6e3f074.txt",
		"img": "https://archive.orkl.eu/9475abe599f925ffc0a462c11fbd4dd1e6e3f074.jpg"
	}
}