Experts in preventing and investigating high-tech crimes and online fraud, Group-IB say Gustuff is a new generation of malware complete with fully automated features designed to “steal both fiat and crypto currency from user accounts en masse”.
To date, Gustuff has not been publicly reported, although the company’s Threat Intelligence system first discovered it on hacker forums in April 2018.
Although the Trojan was developed by a Russian-speaking cybercriminal, Gustuff operates exclusively on international markets. It could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, as well as users of 32 cryptocurrency apps.
Alongside clients of JP Morgan, Wells Fargo, Bank of Scotland and Bank of America, the cryptocurrency apps that have been targeted include Coinbase, BitPay, and Bitcoin Wallet. The malware has also targeted payment systems and messenger services such as PayPal, Western Union, eBay and Skype.
Gustuff Not the First Trojan to Bypass Security Measures Using Android Accessibility
Group-IB warn that Gustuff comes with unique functionality aimed at “mass infections and maximum profit for its operators”. It infects Android smartphones through SMS messages carrying links to malicious Android Package (APK) files, the format Android uses to distribute and install mobile apps on devices.
“When an Android device is infected with Gustuff, at the server’s command the Trojan spreads further through the infected device’s contact list or the server database,” said the security experts.
The Trojan abuses the Accessibility Service, which is intended to assist people with disabilities, and is equipped with web fakes designed to target users of Android apps.
“Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generations of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS,” said Group-IB.
Gustuff is not the first Trojan to use the Android Accessibility Service to bypass security measures that block interaction with other apps’ windows, but doing so successfully remains relatively rare.