Gustuff Android malware from Russia with love.
Group-IB, a cybersecurity firm, has discovered a new breed of Trojan horse malware called Gustuff, which specifically targets Android phones to steal banking credentials and digital assets of users. The malware targets customers of cryptocurrency exchanges and mainstream international banks.
According to Group-IB's analysis, the malware is equipped with a unique automated function that spreads infections at scale to maximize the attackers' profit. It has been active for one year, but this is the first time it has been identified and analyzed by a cybersecurity firm.
Unsurprisingly, cybercriminals are trying to use Gustuff to the best of their ability. In the year during which the malware has been active, it has been updated repeatedly and has become quite a sophisticated piece of malware in terms of attack tactics, features, and capabilities. It is now quite similar to notorious malware such as LokiBot, Exobot, Anubis, Red Alert, and BankBot.
Group-IB explained that Gustuff is capable of phishing as well as automating transactions in more than 100 banking apps, including TD Bank, Bank of America, Bank of Scotland, Wells Fargo, PNC Bank, and Capital One, and in around 32 cryptocurrency apps, for instance Coinbase, Bitcoin Wallet, and BitPay. Furthermore, the Trojan can extract credentials from Android payment and messaging apps, including Western Union, PayPal, eBay, Skype, WhatsApp, Walmart, Revolut, and Gett Taxi.
To target victims, Gustuff uses social engineering to lure them into granting access to the Android Accessibility Service. This service was created for users with disabilities and is a helpful tool for automating a variety of UI interactions; it can also tap the screen on behalf of the user. However, this harmless service is exploited by the majority of Android banking malware to acquire admin rights and display fake login pages.
But the way Gustuff exploits this service is entirely different, because it contains web fakes that imitate the targeted apps in order to capture sensitive data such as login credentials. It contains web fakes for 27 apps in the US, 8 in India, 16 in Poland, 9 in Germany, and 10 in Australia, and customers of all the leading banks are targeted through these web fakes.
Moreover, the malware spreads via SMS messages containing URLs that load infected Android Package Kit (APK) files; once an Android phone is infected, the Trojan is launched automatically from a remote server. To ensure speedy extraction of money, the attackers have designed Automatic Transfer Systems (ATS) that autofill the fields of legitimate apps with data belonging to the attackers.
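The Accessibility Service abuse and ATS autofill described above are things a banking app can partly defend against on its own login screen. The following Android helper is an added example written for this page, not code from Group-IB or from the report: it enumerates enabled accessibility services against a constructed allow-list (the `TRUSTED_SERVICE_PACKAGES` set and the class name `LoginHardening` are hypothetical) and applies the standard view-level mitigations to the credential fields.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical helper a banking app could call from its login screen (example code). */
public final class LoginHardening {

    // Constructed allow-list of accessibility services the app chooses to trust
    // (here only the platform screen reader). Any other enabled service is a
    // risk signal for step-up verification or a warning, not proof of malware.
    private static final Set<String> TRUSTED_SERVICE_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    /** Returns the packages of enabled accessibility services not on the allow-list. */
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> suspicious = new ArrayList<>();
        if (am == null) return suspicious;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_SERVICE_PACKAGES.contains(pkg)) suspicious.add(pkg);
        }
        return suspicious;
    }

    /** Applies view-level mitigations to the container holding the credential fields. */
    public static void hardenLoginScreen(Activity activity, View credentialsContainer) {
        // Remove the credential fields and their children from the accessibility tree,
        // so an accessibility service cannot read them or autofill them (the ATS path).
        credentialsContainer.setImportantForAccessibility(
                View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
        // Discard touches that pass through another window drawn on top (fake login overlay).
        credentialsContainer.setFilterTouchesWhenObscured(true);
        // Forbid screenshots and screen capture of this window (screenshots are exfiltrated to the C&C).
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Hiding the fields from accessibility also breaks legitimate screen readers and accessibility-based password managers for those fields, so the trade-off should be reviewed with the app's accessibility requirements in mind.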
In a detailed report, Group-IB explained the workings and evasion tactics of the malware:
“Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against the older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”
The malware also sends the information acquired from the infected device to a C&C server. Its capabilities, as listed in the report, include “reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.”
The malware is available for lease at $800 per month. Group-IB claims that the malware is the creation of a Russian-speaking hacker Bestoffer and is specifically designed to target international markets.
The firm’s analysts also noted that although this Trojan was created by a Russian-speaking cybercriminal named “Bestoffer,” it operates exclusively in international markets. Organizations are asked to use signature-based detection methods to ensure optimal protection of their customers from the malware.