Gustuff banking trojan targets Android cryptocurrency and banking apps

by Ugnius Kiguolis - - 2019-03-30

Android banking trojan targets 130 cryptocurrency and banking applications and steals funds

Gustuff - Android trojan targeting banking apps Gustuff targets financial information and can access data from more than 32 Android cryptocurrency and 100 banking applications.

Android banking trojan Gustuff reportedly has stolen funds from more than 130 applications.^[1] The information includes banking details and cryptocurrency. This malware has a unique feature which allows making banking transactions automatically. This way Gustuff stole details from more than 100 banking apps internationally and stole cryptocurrency from 32 crypto applications.

Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank and other banks became the target of this attack. Also, users of apps like Bitpay, Bitcoin Wallet and Coinbase fell victims in the campaign. The classical banking trojan became popular due to the updates and the feature that the list of targets included PayPal, eBay, Walmart and Skype, WhatsApp.^[2]

Group-IB report about newly discovered Gustuff states:

Initially designed as a classic banking Trojan, in its current version, Gustuff has significantly expanded the list of potential targets, which now includes, besided banking, crypto services and fintech companies’ Android progarms, users of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.

Continuous updating and unique features made Gustuff popular

First Gustuff was spotted in 2018, around April and promoted as an upgraded version of AndyBot banking trojan. Developers distributed this trojan in Russian-speaking cybercriminal forums but expanded to the rest of the world with Gustuff trojan campaigns. This subscription-based threat sells for a monthly payment of $800.

Right now malware includes the code that assures to target top international banks all over the world and search for cryptocurrency wallet applications and services. According to security researcher reports, Gustuff's lists of apps include 27 banks from the U.S, 16 banks in Poland, ten banks from Australia, nine from Germany and eight from India.

Most of Android banking trojans use the Android Accessibility service to give themselves admin rights and fake logins on other apps. Gustuff uses this feature in a more complex way – performing ATS with the help of the Accessibility Service.^[3]

Automatic Transfer Service is used by banking malware to make transactions from an infected computer instead of stealing account details and then using them to steal money via other devices. This way Gustuff can make transactions immediately after infiltration by filling un the required information and approving money transfers.

Other Android trojan Gustuff features

Gustuff can automatically change text fields on targeted apps, fill them with needed data and interact with screens for other Android apps on compromised devices by using Android Accessibility services. This feature initially is used to help disabled people to use Android phones, devices and applications.

However, this purpose that Gustuff uses helps to bypass protections and Google's security policy. Also, the additional feature allows a trojan to turn off Google Play Protect that is built-in as an anti-malware program on Android OS.

Gustuff spreads by sending text messages with a link to its APK installation file. It scans the contact list of the already compromised device and sends out these messages automatically. Also, a database on C & C server is used to distribute this malware.^[4]

What makes Gustuff even more dangerous than other trojans is the ability to collect information like photos or videos from victims' phone.^[5] It also can reset the device to factory settings and erase all data stored on the system.

The trojan aimed to perform mass infections so that developers can get maximum profit, so security researchers advise companies to take precautionary measures, as the Head of Secure Bank, Pavel Krylov states:

In order to better protect their clients against mobile Trojans, the companies need to use complex solutions which allow to detect and prevent malicious activity without additional software installation for end-user. Signature-based detection methods should be complemented with user and application behaviour analytics.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Catalin Cimpanu. Gustuff Android banking trojan targets 125+ banking, IM, and cryptocurrency apps. ZDNet. Technology news and reviews.
^ Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Group-IB. Cybersecurity products and services provider.
^ Duncan Riley. Gustuff Android malware targets 125+ banking and cryptocurrency apps. Siliconeangle. Latest news.
^ Command and Control [C&C] Server. TrendMicro. Enterprise cybersecurity solutions.
^ Steve Kaaru. Gustuff Android trojan targets crypto apps with unique feature. Coingeek. Bitcoina nd cryptocurrency news.