Attackers are spreading new Android malware called Gigabud, posing as government agencies, financial companies and other organizations from Thailand, Peru and the Philippines.

Cybercriminals trick victims into downloading malicious apps that mimic government apps, shopping apps, and bank loans. Researchers Cyble discovered that once a user installs a malicious app, it displays a fake login screen that prompts them to enter their mobile number and password.

Working method

• Gigabud uses a server-side validation process to ensure that the phone number entered is up to date;
• From the login screen, the malware sends a fake loan agreement to the victim and notifies them to verify the information;
• Gigabud does not show any malicious activity until the final stage, and then asks the victim for permission to access accessibility features, including permission to record the screen and display over other applications;
• Subsequently, Gigabud abuses accessibility services to collect banking credentials;

The attackers used a phishing site imitating the site of the Department of Special Investigation (DSI) of Thailand, which distributed Gigabud (DSI[.]apk), after which DSI issued a warning in July 2022. In addition, Gigabud has also posed as the Thai Ministry of Finance, the Student Loan Fund, various Thai banks and other institutions. Later, hackers began spreading malware in Peru and the Philippines.

Gigabud operators are actively working to spread their malware to new geographic regions. They adopted a new tactic, a server-side validation process, to avoid detection and keep the campaign alive for a long period of time. Experts suspect that malware operators will continue to expand their targets and capabilities with new options and features in the near future.