Gigabud Mobile Malware

Gigabud is a threatening Android Remote Access Trojan (RAT) that has been used by threat actors to collect banking credentials and other sensitive information. The Gigabud Mobile Malware masquerades as legitimate banking, shopping, and other applications to gain access to the victim's device. The malware is distributed through deceptive websites and can record the victim's screen by abusing the Accessibility Service. Once installed, Gigabud can be used to spy on victims, collect their data, and even control their devices remotely. Details about the threat were released in a report released by the cybersecurity researchers.

Gigabud Impersonates Government Agencies

The Gigabud RAT malware has been targeting individuals in Thailand since July 2022, and its spread has been increasing each month to other countries, such as Peru and the Philippines. The threatening applications disguise themselves using the icons of government agencies from these countries to trick victims into giving away sensitive information. The corrupted applications also may masquerade as shopping applications, banking loan applications, etc. Some of the confirmed legitimate applications that have been imitated by the Gigabud Android RAT include a Peruvian bank, a Thailand airline, the Department of Special Investigation of Thailand and the Bureau of Internal Revenue Philippines. The malware was initially spread via a compromised phishing website pretending to be an official page for the legitimate airline – Thai Lion Air.

Threatening Capabilities of the Gigabud Mobile Malware

The Gigabud RAT is a threatening mobile malware that attempts to trick users into providing login information such as usernames, passwords and mobile numbers. It does this by displaying fake login screens that mimic the user interface of legitimate applications. This data is then sent to a Command and Control (C&C) server. Additionally, the Gigabud RAT displays fake registration forms to collect ID card information, credit card details and other requested information from victims.

The threat also requests accessibility permissions, which allows it to record the device's screen and display content over other applications. With these permissions granted, the Gigabud RAT can then connect to its C&C server and receive commands that enable it to collect targeted bank details, send text messages from the victim's device, open targeted applications and more. Finally, the Gigabud RAT may display fake dialog boxes over legitimate applications to collect sensitive information.

Cybersecurity experts warn that the threat actor responsible for creating Gigabud is constantly working on new versions of this damaging threat that are designed to expand its range of targeted countries. It is likely that more variants of this malware with additional targets and features will be uncovered in the future.