Zimperium identifies coordinated mobile malware campaign targeting banking apps worldwide

Zimperium

Zimperium has uncovered new, critical insights into the Gigabud malware campaign, linking it to the notorious Spynote Android RAT.

The campaign was first reported by Cyble in August 2024. Zimperium's zLabs investigation reveals that it is a well-coordinated global operation that uses phishing websites to trick users into installing malicious mobile apps impersonating financial institutions.

Gigabud manipulates users into granting sensitive permissions, which the attackers then abuse to carry out fraudulent transactions, while Spynote gives attackers full remote control of infected devices.

The coordination between Gigabud and Spynote signals a heightened threat level in mobile-focused cyber attacks. The risk is not limited to consumers: a compromised device that is also used for corporate applications exposes the employer to substantial risk.

Key Points:

  • Connected Threats: zLabs research shows a strong overlap between Gigabud and Spynote malware families. Domains spreading Gigabud also distributed Spynote, suggesting a coordinated effort by a single threat actor. While Spynote allows attackers to remotely control devices, steal data, record media, and track locations, Gigabud focuses on banking app credential theft. This connection signals a broader and more coordinated threat.
  • Global Targets: The campaign impacts financial institutions worldwide, with phishing websites impersonating major airlines, e-commerce platforms, and government services. Zimperium identified 11 command-and-control servers and 79 phishing sites mimicking trusted brands, including Ethiopian Airlines and Vietnamese loan providers. These sites trick users into downloading malicious mobile apps and granting extensive permissions, giving attackers full access to the device.
  • New Focus: New findings suggest a shift in the threat actor’s focus from government impersonations to directly targeting financial institutions. zLabs researchers found that over 50 financial mobile apps, including more than 40 banks and 10 cryptocurrency platforms, were specifically targeted in this campaign. 
  • Advanced Obfuscation: The malware is protected by Virbox, a commercial packer that complicates detection and static analysis. This obfuscation allows the malware to evade traditional signature-based defences, increasing the threat's effectiveness.

The coordination between Gigabud and Spynote illustrates a significant escalation in mobile-targeted malware campaigns, with threat actors targeting financial institutions globally. The campaign's scope, its use of phishing websites to distribute malicious mobile apps, and its obfuscation techniques make the attacks difficult for traditional defences to detect and stop.

While this campaign initially targets consumer-focused banking apps, the sophistication of the malware and spyware loaded onto the device means it is reasonable to suspect that an employer's corporate applications and data on the same device could also be compromised, including through credential theft, OTP hijacking and corporate network infiltration.

As such, Zimperium believes that organisations must prioritise real-time, on-device mobile security measures. 

Given the scale and coordination of this campaign, Zimperium has urged organisations to assess and fortify their mobile security defences to counter this evolving threat.

“The connection between Gigabud and Spynote demonstrates the growing complexity of mobile malware attacks,” Nico Chiaraviglio, Chief Scientist at Zimperium, said. “Our latest research highlights the critical importance of real-time, on-device detection to protect against these rapidly evolving threats.”
