Threat Management, Malware, Security Strategy, Plan, Budget

Gustuff banking trojan disables Google Protect and Accessibility Service mode

An Android trojan dubbed Gustuff is capable of targeting more than 1,000 global banking apps, cryptocurrency and marketplace applications.

Group-IB researchers uncovered the malware that casts a wide net and  is complete with fully automated features designed to steal both fiat and crypto currency from user accounts by leveraging a device’s Accessibility Service mode to bypass security bank features.

Gustuff has the potential to target users of more than 100 banking apps and is equipped with phishing pages to designed to trick Android users surfing the apps of major banks, including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank as well as crypto services such as Bitcoin Wallet, BitPay, Cryptopay and  Coinbase, researchers said in the report.

The malware is capable of sending information about the infected device to the C&C server, reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.

The trojan’s developer advertises. the malware as having the ability  to disable Google Protect using a feature that works 70 percent of the time.

Gustuff also has a unique feature - ATS (Automatic Transfer Systems), that autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps, which both speeds and scales up thefts, and is able to display fake push notifications with legitimate icons

The malware was developed by a Russian-speaking developer, operates exclusively on the international market and is designed to be used mainly outside of Russia and target customers of international companies.

“All new Android Trojans offered on underground forums, including Gustuff, are designed to be used mainly outside Russia, and target customers of international companies,” said Rustam Mirkasymov, Group-IB's head of dynamic analysis of malware department .

“In Russia, after the owners of the largest Android botnets were arrested, the number of daily thefts decreased threefold, Trojans’ activity became significantly less widespread, and their developers focused to other markets,” he said.

He added that some threat actors “patch” (modify) the trojan samples and reuse it in their attacks on users in Russia.

Ultimately, researchers said, companies need to use signature-based detection methods and that an effective cyber defense should also incorporate a system of identification for customer devices.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.