Malware has proven to be a blessedly small but still persistent-as-a-mosquito problem on Android. Hackers frequently target known weak points in the operating system to take advantage of users, and more often than not, accessibility software is what gets exploited. Recently, cybersecurity researchers at Group-IB attributed a spate of financially driven hacks across Southeast Asia and Central America to the Gigabud Remote Access Trojan (RAT) on Android devices.

This malware first appeared in Thailand, according to Group-IB’s recent report. In July 2022, Thai Android users received emails and SMS messages linking to a fake version of Thai Lion Air’s website. Users who took the bait downloaded malicious software, authorized it to access their devices, and granted it various permissions, supposedly to qualify for a loan. Gigabud RAT variants entice users to install the malware in different ways in different contexts, but the Thai Lion Air case illustrates the basic formula.

A screenshot of Group-IB’s Gigabud RAT malware profile

Unsurprisingly, the information users submitted to the fake website didn’t go to Thai Lion Air. Instead, it went to a server run by the people who circulated the Gigabud RAT. Russian hackers deployed a similar data-siphoning system last year. Once installed, such malware can do more than relay data: by hooking into Android’s accessibility services, the software can stealthily interact with other apps, harvest data from them, and even tamper with what you’ve saved to the clipboard.

Importantly, this malware doesn’t do anything nefarious until after usage and accessibility permissions are granted, which makes it difficult to track. Once installed, Gigabud RAT can interact with your phone’s software much as if you were operating it yourself, opening the door to abusing authentication flows or even transferring funds.
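Because the abuse described above hinges on an app holding accessibility access, a quick device-triage check is to list which services are enabled and flag any that are not expected. The script below is an added example, not code from the article or from Group-IB; it assumes a POSIX shell, an allowlist you maintain yourself (TalkBack is used as the one expected entry), and a constructed sample value with a placeholder package name.

```shell
#!/bin/sh
# Added example (not from the article or from Group-IB): a triage helper that
# flags enabled Android accessibility services whose package is not on an
# allowlist. Input is the value of the Secure setting
# `enabled_accessibility_services`, which on a real device is read with:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "package/ServiceClass" entries.

# Packages expected to hold accessibility access (assumption: adjust for your
# fleet). Google's TalkBack screen reader is used here as the example.
ALLOWLIST="com.google.android.marvin.talkback"

# Print every enabled service whose package is not allowlisted, one per line.
# Produces no output when every enabled service is expected.
flag_unexpected_a11y_services() {
    rest=$1
    # An empty value or the literal "null" means no service is enabled.
    if [ -z "$rest" ] || [ "$rest" = "null" ]; then
        return 0
    fi
    while [ -n "$rest" ]; do
        entry=${rest%%:*}          # first "package/Class" element
        if [ "$entry" = "$rest" ]; then
            rest=""                # that was the last element
        else
            rest=${rest#*:}        # drop it and continue with the remainder
        fi
        [ -n "$entry" ] || continue   # tolerate stray separators
        pkg=${entry%%/*}
        case " $ALLOWLIST " in
            *" $pkg "*) ;;         # expected package, nothing to report
            *) printf 'UNEXPECTED accessibility service: %s\n' "$entry" ;;
        esac
    done
    return 0
}

# Constructed sample: TalkBack plus a sideloaded app (placeholder package name)
# that quietly registered its own accessibility service.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.AccService'

flag_unexpected_a11y_services "$SAMPLE"
```

On a connected device, feed the function the live value instead of the sample, e.g. `flag_unexpected_a11y_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"`.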

Given all of this functionality, bad actors using Gigabud RAT to perpetrate fraud tend to favor passive information-gathering techniques, such as keystroke logging and screen recording, to collect sensitive data where possible. This, too, minimizes detectability.

Group-IB reports detecting over 400 instances of Gigabud RAT in the wild, active in over 5 countries. Threat actors have deployed it in schemes impersonating over 25 companies and government agencies. These findings signify startling growth and geographic spread since researchers first identified the distinct Gigabud malware family last year.

Android 14 will upgrade the protection of the Accessibility API, which should make the kind of security breaches executed by malware like Gigabud RAT, Nexus, and Cerberus more difficult. Google recently pulled the iRecorder Screen Recorder app from the Play Store due to related vulnerability concerns. Hopefully better scanning techniques will keep apps like that away from users in the first place.