Zimperium has published new findings on a malware campaign that combines two malicious programs. Its researchers found that both Gigabud and Spynote samples are currently being distributed via domains with similar structures and subdomains.
The aim of the globally coordinated phishing website campaign is to install malicious mobile apps for various financial institutions.
The banking Trojan Gigabud tricks users into sharing sensitive permissions, leading to fraudulent transactions, while the Android malware Spynote allows attackers to take full control of infected mobile devices. Attackers gain remote control capabilities to spy on infected devices, read sensitive user data and steal passwords. The coordinated interaction of Gigabud and Spynote increases the threat level not only for end users, but also for business users working with a compromised device.
Zimperium’s analyses reveal many overlaps between the two malware families. For example, Gigabud and Spynote are distributed via the same domains, suggesting a coordinated approach by the same actors. The threat actors use Spynote to remotely control devices, steal data or track their location. Gigabud, on the other hand, can be used to steal login data from banking apps.
Various financial institutions are affected by the global campaign, with the phishing websites disguised as web platforms of major airlines, e-commerce platforms and government agencies. Zimperium identified eleven command-and-control servers and 79 phishing websites impersonating trusted vendors. The domains trick users into downloading malicious mobile apps or granting extensive permissions that give attackers full access to mobile devices.
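The overlap described above (the same or structurally similar distribution domains serving both families) is the kind of infrastructure pivot a defender can reproduce over their own indicator data. The following script is an added example, not Zimperium's code or data: it takes constructed, placeholder URLs tagged with a family name, normalizes each hostname into a structural pattern (digit runs stripped from subdomain labels) and reports which registrable domains and host patterns are shared by more than one family. The `.test` hostnames are invented for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample indicators (placeholders, not from the report):
# (malware family, distribution URL observed by a hypothetical analyst).
SAMPLE_INDICATORS = [
    ("Gigabud", "https://app-update1.example-airline.test/download/app.apk"),
    ("Gigabud", "https://app-update2.example-airline.test/download/app.apk"),
    ("Spynote", "https://app-update3.example-airline.test/dl/app.apk"),
    ("Spynote", "https://secure-login.example-bank.test/apk/bank.apk"),
    ("Gigabud", "https://secure-login7.example-bank.test/apk/bank.apk"),
    ("Spynote", "https://cdn.unrelated-host.test/x.apk"),
]


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.

    A real pipeline would consult the Public Suffix List; this offline
    approximation is enough for the constructed sample data.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_pattern(host):
    """Collapse a hostname into a structural pattern.

    Digit runs in subdomain labels are removed so that app-update1 and
    app-update3 map to the same pattern; the registrable domain is kept.
    """
    labels = host.lower().split(".")
    reg = ".".join(labels[-2:])
    sub = [re.sub(r"\d+", "", label) for label in labels[:-2]]
    return (".".join(sub) + "." if sub else "") + reg


def _families_by_key(indicators, key_fn):
    families = defaultdict(set)
    for family, url in indicators:
        host = urlparse(url).hostname or ""
        families[key_fn(host)].add(family)
    return families


def shared_domains(indicators):
    """Registrable domains that serve samples of more than one family."""
    grouped = _families_by_key(indicators, registered_domain)
    return {d: sorted(f) for d, f in grouped.items() if len(f) > 1}


def shared_host_patterns(indicators):
    """Normalized host patterns that serve samples of more than one family."""
    grouped = _families_by_key(indicators, host_pattern)
    return {p: sorted(f) for p, f in grouped.items() if len(f) > 1}


def infrastructure_report(indicators):
    """Summarize per-family domain counts plus the cross-family overlaps."""
    per_family = defaultdict(set)
    for family, url in indicators:
        per_family[family].add(registered_domain(urlparse(url).hostname or ""))
    return {
        "domains_per_family": {f: len(d) for f, d in per_family.items()},
        "shared_domains": shared_domains(indicators),
        "shared_host_patterns": shared_host_patterns(indicators),
    }


if __name__ == "__main__":
    for key, value in infrastructure_report(SAMPLE_INDICATORS).items():
        print(f"{key}: {value}")
```

Host-pattern matching is deliberately coarser than exact domain matching: it catches the "similar structures and subdomains" case where each campaign wave registers a new numbered subdomain on the same base domain. Any hit in `shared_host_patterns` that is absent from `shared_domains` is worth a manual look, since it indicates structural reuse rather than a literally shared host.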
Meanwhile, threat actors are increasingly shifting their focus from fake government websites to supposedly legitimate offerings from major financial institutions. Zimperium’s zLabs researchers discovered over 50 mobile banking apps from more than 40 banks and another ten cryptocurrency platforms used in the campaign.
The malware is protected by the “Virbox” packer, which makes detection and analysis more difficult. This obfuscation technique can bypass conventional defenses and increase the effectiveness of the threat.
“The interaction between Gigabud and Spynote documents the growing complexity of mobile malware attacks,” emphasizes Nico Chiaraviglio, Chief Scientist at Zimperium. “Our latest research results also underline the importance of real-time detection technologies that protect mobile devices against rapidly evolving threats.”
(pd/Zimperium)