Coordinated global mobile malware campaign targets banking apps and cryptocurrency platforms

(Image credit: Shutterstock)

Phishing websites impersonate trusted brands to deceive users
Advanced obfuscation techniques evade traditional security measures
Real-time detection is crucial for mobile security defence, experts warn

A coordinated mobile malware campaign has been found targeting financial institutions worldwide, experts have warned.

Zimperium's zLabs research team found the campaign leveraged two dangerous malware families, Gigabud and Spynote, to compromise mobile devices and target banking apps.

More than 50 financial mobile apps, including 40 banks and 10 cryptocurrency platforms, have been targeted in this sophisticated malware campaign.

Global malware campaign

While Gigabud primarily focuses on stealing banking app credentials through phishing websites and malicious apps, Spynote allows attackers to take full control of infected devices, and is capable of stealing data, recording media, tracking locations, and remotely controlling devices.

Domains distributing Gigabud were also found to be spreading Spynote, indicating a coordinated, large-scale effort to exploit mobile device vulnerabilities. Together, these malware strains pose a serious risk to both personal and corporate data, signalling a more complex mobile cyber threat.

The campaign’s reach is global, affecting financial institutions in several countries, as Zimperium discovered 11 command-and-control servers and 79 phishing websites impersonating brands such as Ethiopian Airlines, Vietnamese financial platforms, popular ecommerce sites, and even government services.

The attackers have specifically targeted mobile banking apps to gain unauthorized access to sensitive information, including login credentials, banking details, and transaction histories.

The Gigabud - Spynote campaign makes use of advanced obfuscation techniques to evade traditional security measures. The malware is packed using Virbox, a tool designed to conceal malicious code, making it harder for traditional detection methods to identify and analyze the malware.

Though the campaign primarily targets consumer-focused mobile banking apps, the level of access that Gigabud and Spynote achieve raises concerns for corporate security. Many users have both personal and work-related applications on the same mobile devices, so if a personal device is compromised, sensitive corporate applications and data, including credentials and two-factor authentication methods, could also be at risk.

Given the global scale of this campaign and the heavy focus on financial apps, Zimperium urges both consumers and organizations to take immediate steps to protect themselves.

Companies need to ensure that they have real-time, on-device mobile security measures capable of detecting and stopping advanced threats, and need to educate employees about the risks of downloading apps from unofficial sources, clicking on suspicious links, and granting unnecessary permissions is crucial to mitigating the risks of mobile malware.

“The connection between Gigabud and Spynote demonstrates the growing complexity of mobile malware attacks. Our latest research highlights the critical importance of real-time, on-device detection to protect against these rapidly evolving threats," noted Nico Chiaraviglio, Chief Scientist at Zimperium.