Gigabud¶
Gigabud is an Android banking RAT from the GoldFactory threat group, the same Chinese-speaking cybercrime operation behind GoldPickaxe and GoldDigger. Cyble first documented Gigabud in January 2023 after observing it impersonating government agencies and banking apps across Southeast Asia, with activity dating back to at least July 2022. Unlike most banking trojans that rely on HTML overlay attacks for credential theft, Gigabud uses screen recording as its primary data capture mechanism, allowing it to record everything the victim does within targeted banking applications. A September 2024 investigation by Zimperium zLabs revealed that Gigabud shares distribution infrastructure with SpyNote, with both families protected by the Virbox packer, indicating coordinated deployment by the same threat actor.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | July 2022 |
| Status | Active, under continued development |
| Type | Banking RAT, credential stealer |
| Attribution | GoldFactory group (Chinese-speaking threat actors) |
| Aliases | Gigabud RAT, Gigabud.Loan (data-theft variant), Gigaflower (successor) |
| Target Region | Southeast Asia (Thailand, Vietnam, Philippines, Indonesia), Peru, expanding globally |
| Distribution | Phishing sites impersonating government agencies, banks, and loan apps |
| Notable Feature | Screen recording for credential capture instead of overlay attacks |
Origin and Lineage¶
Gigabud belongs to the GoldFactory threat group's malware ecosystem, which includes several related Android banking trojan families. Cyble's August 2024 analysis established clear code-level overlap between Gigabud and GoldDigger, confirming shared authorship. Both families use the native library libstrategy.so for interacting with UI elements of targeted banking applications, and both adopted the Virbox packer for protection.
| Family | Relationship |
|---|---|
| GoldDigger | Shares code overlap, common libstrategy.so library, and Virbox packer usage. Android banking trojan targeting Vietnamese banks. |
| GoldPickaxe | Sibling family from GoldFactory. Introduced facial biometric theft for deepfake-based bank verification bypass. Has both Android and iOS variants. |
| GoldDiggerPlus | Enhanced GoldDigger variant with real-time voice communication during active device compromise. |
| SpyNote | Shared distribution infrastructure. Zimperium identified 79 phishing sites and 11 C2 servers distributing both Gigabud and SpyNote. |
| Gigaflower | Pre-release successor variant discovered by Group-IB in testing infrastructure. Likely next evolution of the Gigabud line. |
Distribution¶
| Vector | Details |
|---|---|
| Phishing sites | Fake websites impersonating Google Play Store listings, government portals, and banking apps |
| Smishing | SMS messages with links to phishing sites, often under the pretext of tax audits or refund claims |
| Social engineering | Links distributed via instant messengers and social media |
| Fake loan apps | Gigabud.Loan variant poses as fictitious financial institutions offering loans |
| Government impersonation | Apps disguised as official government agency tools |
Gigabud distribution is regionally tailored. In Thailand, operators impersonate the Department of Special Investigation (DSI) and revenue agencies. The DSI itself issued a warning in July 2022 about phishing sites impersonating its website and distributing the RAT. The Thailand Telecommunication Sector CERT (TTC-CERT) separately discovered the malware distributed as "Revenue.apk" and published a technical advisory in September 2022.
In the Philippines, the malware impersonates banking apps. In Peru, it poses as government tax agencies. Distribution infrastructure has expanded significantly since mid-2024, with Zimperium documenting 79 phishing sites across a coordinated campaign targeting users globally.
Capabilities¶
Gigabud.RAT¶
| Capability | Implementation |
|---|---|
| Screen recording | Primary credential capture method, records victim activity within banking apps |
| Accessibility service abuse | Enables screen recording, gesture simulation, and UI interaction |
| Remote device access | Full remote control of victim device through gesture simulation (TouchAction) |
| Automated payments | Performs transactions from victim's device via accessibility-driven gestures |
| 2FA bypass | Intercepts authentication codes and performs gestures to complete verification flows |
| Clipboard manipulation | Replaces bank card numbers in clipboard with attacker-controlled numbers |
| Credential harvesting | Captures login credentials through screen recording rather than overlay injects |
| Delayed malicious execution | Does not execute malicious actions until the victim has been authenticated into the app, evading sandbox analysis |
Screen Recording vs. Overlay Attacks¶
Gigabud's use of screen recording instead of HTML overlay attacks is a deliberate design choice. Most Android banking trojans display fake login screens (overlays) on top of legitimate banking apps to capture credentials. Gigabud instead records the victim's screen while they interact with the real banking app. This approach has trade-offs:
- Captures credentials entered into the actual banking app, not a fake copy
- Records the full session including navigation, account details, and balance information
- Avoids the need to maintain overlay inject templates for each target bank
- Pairs with remote device access to allow operators to take over mid-session
- Less susceptible to overlay detection mechanisms that some banking apps implement
Gigabud.Loan¶
Gigabud.Loan is a stripped-down variant that lacks RAT capabilities entirely. It operates as a data harvester disguised as fake loan applications from fictitious financial institutions. The Loan variant shares the same architecture and code-signing certificate as Gigabud.RAT.
| Data Collected | Details |
|---|---|
| Personal information | Full name, identity number |
| Identity documents | Photos of national identity documents, digital signatures |
| Financial data | Bank card information, income details |
| Background information | Education, employment |
Group-IB detected more than 400 Gigabud.RAT samples and more than 20 Gigabud.Loan samples between 2022 and 2023.
Technical Details¶
Accessibility Service Abuse¶
Gigabud's core functionality depends on the Android Accessibility Service. The TouchAction feature abuses accessibility to simulate user gestures on the device, enabling:
- Screen recording of banking app sessions
- Automated gesture sequences to complete transactions
- Navigation through banking app interfaces on behalf of the operator
- Bypassing authentication steps including 2FA prompts
Delayed Execution¶
A distinctive characteristic of Gigabud is its delayed malicious execution. The RAT does not activate malicious functionality until the victim has been authenticated into the fake application by a fraudster on the other end. This makes automated sandbox detection significantly harder, as the malware appears benign during initial analysis windows.
Shared Infrastructure with SpyNote¶
Zimperium's September 2024 investigation uncovered that Gigabud and SpyNote share distribution infrastructure:
| Finding | Details |
|---|---|
| Phishing sites | 79 identified, distributing both families |
| C2 servers | 11 shared command-and-control servers |
| Targeted apps | 50+ financial apps (40+ banks, 10 cryptocurrency platforms) |
| Packer | Both families protected by Virbox packer |
| Code overlap | Code similarities between SpyNote and Gigabud samples suggest shared authorship |
This infrastructure overlap indicates Gigabud is deployed alongside SpyNote in coordinated campaigns, with the banking RAT and the general-purpose RAT serving complementary roles.
Anti-Analysis¶
| Technique | Details |
|---|---|
| Virbox packer | Commercial packer providing DEX encryption, native code protection, anti-debugging, and anti-emulator checks |
| Delayed execution | Malicious behavior requires operator interaction, bypassing automated sandbox analysis |
| ZIP format exploitation | Evasion techniques exploiting the zip file format, shared with GoldDigger variants |
| libstrategy.so | Native library handling UI interaction logic, harder to analyze than Dalvik bytecode |
Packer/Protection¶
| Packer | Details |
|---|---|
| Virbox | Commercial packer providing DEX encryption, native code protection, anti-debugging, and anti-emulator checks |
Permissions¶
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Core dependency for screen recording, gesture simulation, and UI interaction |
| SYSTEM_ALERT_WINDOW | Display overlay elements during credential capture |
| READ_SMS | Intercept SMS for 2FA bypass |
| RECEIVE_SMS | Real-time SMS interception |
| READ_PHONE_STATE | Device fingerprinting |
| INTERNET | C2 communication |
| RECEIVE_BOOT_COMPLETED | Persistence across reboots |
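As an added defender-side example (not code from the page or any vendor tool), the following Python triage helper checks an APK against the permission set in the table above and the libstrategy.so native library named under Anti-Analysis. It assumes the manifest has already been decoded to plain XML (for example with apktool), since the manifest inside a real APK is binary AXML; the sample manifest and zip are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Permission set from the Permissions table; libstrategy.so from the Anti-Analysis table.
GIGABUD_PERMISSIONS = {"android.permission." + p for p in (
    "BIND_ACCESSIBILITY_SERVICE", "SYSTEM_ALERT_WINDOW", "READ_SMS", "RECEIVE_SMS",
    "READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED")}
NATIVE_LIB = "libstrategy.so"

def manifest_permissions(manifest_xml: str) -> set:
    """Permissions from a decoded (plain-XML) manifest. BIND_ACCESSIBILITY_SERVICE is not a
    <uses-permission>; it is the android:permission attribute of the accessibility <service>."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(NS + "name") for e in root.iter("uses-permission")}
    names |= {s.get(NS + "permission") for s in root.iter("service")}
    return {n for n in names if n}

def native_libs(apk_bytes: bytes) -> set:
    """Basenames of native libraries under lib/ in the APK zip listing."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {n.rsplit("/", 1)[-1] for n in apk.namelist()
                if n.startswith("lib/") and n.endswith(".so")}

def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Score an APK against the Gigabud permission and native-library profile."""
    perms = manifest_permissions(manifest_xml)
    matched = sorted(perms & GIGABUD_PERMISSIONS)
    has_lib = NATIVE_LIB in native_libs(apk_bytes)
    # Accessibility plus SMS is the pairing behind TouchAction gesture replay and 2FA bypass.
    combo = {"android.permission.BIND_ACCESSIBILITY_SERVICE",
             "android.permission.RECEIVE_SMS"} <= perms
    return {"matched_permissions": matched, "has_libstrategy": has_lib,
            "accessibility_sms_combo": combo, "score": len(matched) + (3 if has_lib else 0)}

# Constructed sample manifest and APK zip; not real Gigabud artifacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<application><service android:name=".A11y"
  android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/arm64-v8a/libstrategy.so", b"\x7fELF")  # constructed stub, not a real .so
    return buf.getvalue()
```

Running `triage(build_sample_apk(), SAMPLE_MANIFEST)` on the constructed sample flags the accessibility/SMS pairing and the native library; a benign app normally matches only INTERNET and has no libstrategy.so.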
Target Regions and Campaigns¶
| Period | Targets | Activity |
|---|---|---|
| July 2022 | Thailand | First campaigns impersonating DSI and revenue agencies. DSI issues public warning. |
| September 2022 | Thailand | TTC-CERT discovers "Revenue.apk" variant and publishes advisory |
| Late 2022 | Thailand, Peru, Philippines | Expansion to impersonate banking and government apps in new regions |
| January 2023 | Thailand, Peru, Philippines | Cyble publishes first public analysis |
| August 2023 | Thailand, Vietnam, Philippines, Indonesia, Peru | Group-IB publishes comprehensive analysis documenting 400+ RAT samples and 20+ Loan samples |
| June-July 2024 onward | Bangladesh, Indonesia, Mexico, South Africa, Ethiopia | Significant surge in new Gigabud variants and distribution volume |
| August 2024 | Expanding globally | Cyble documents code overlap between Gigabud and GoldDigger. New variants using Virbox packer detected. |
| September 2024 | 50+ financial institutions worldwide | Zimperium reveals shared infrastructure with SpyNote, 79 phishing sites, 11 C2 servers |
| Late 2024-2025 | Southeast Asia | Group-IB uncovers GoldFactory deploying modified banking apps, driving 11,000+ infections. Pre-release Gigaflower successor variant found in testing infrastructure. |
Related Families¶
| Family | Relationship |
|---|---|
| GoldPickaxe | Sibling within GoldFactory ecosystem. Both target Southeast Asian banking, but GoldPickaxe focuses on biometric theft for deepfake fraud rather than screen recording. |
| GoldDigger | Direct code overlap with Gigabud, shared libstrategy.so native library, and common Virbox packer usage. Predecessor within the GoldFactory group. |
| SpyNote | Shared distribution infrastructure (79 phishing sites, 11 C2 servers). Both protected by Virbox packer. SpyNote provides general RAT capabilities alongside Gigabud's banking-focused functionality. |
References¶
- Gigabud RAT: New Android RAT Masquerading as Government Agencies - Cyble (January 2023)
- Breaking down Gigabud banking malware with Group-IB Fraud Matrix - Group-IB (August 2023)
- Overlap Between Golddigger & Gigabud Android Malware - Cyble (August 2024)
- A Network of Harm: Gigabud Threat and Its Associates - Zimperium (September 2024)
- Gold Rush is back to APAC: Group-IB unveils first iOS trojan stealing your face - Group-IB
- Gigabud RAT Android Banking Malware Targets Institutions Across Countries - The Hacker News
- Gigabud - Malpedia