
Gustuff Android Malware Attacks Banking and Cryptocurrency Apps
A new malware family, Gustuff, is spreading across Android phones and phishing for financial credentials from banking and cryptocurrency apps. The Gustuff Trojan infects Android devices and impersonates banking apps to steal money from unsuspecting users. So far, the malware targets 100 banks and 32 cryptocurrency apps. It also uses the phone’s contact list and messaging apps to infect more devices. The malware was discovered by Russian cybersecurity firm Group-IB.
Gustuff phishes account credentials and creates fraudulent bank transactions by impersonating over 100 banking apps and 32 cryptocurrency apps. Banks targeted by the malware include Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank. The 32 targeted cryptocurrency apps include BitPay, Cryptopay, Coinbase, and Bitcoin Wallet. The malware also targets other Android payment and messaging apps, including PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, and Revolut, among others.
The malware is spread through app download sites, unofficial marketplaces, and via text messages. As soon as a new device is infected, the malware uses the contact list to infect other devices.
The malware can also reset the phone to factory settings.
Gustuff Malware Steals Money from Apps
Gustuff uses SMS messages as part of a social engineering attack to infect more devices. Once installed, it tricks the device owner into granting it permission to use Android’s Accessibility Service and then gives itself admin rights. Accessibility services are an aid intended for people with disabilities: they automate screen interactions and tap on-screen choices on the user’s behalf, which is exactly the capability the malware abuses.
“Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS,” said Group-IB. “Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”
The malware then shows fake login pages on top of legitimate apps. It can also autofill fields in a legitimate banking app with its own data during normal use; for example, a transfer can be redirected to another bank account or cryptocurrency wallet.
The Trojan can send push notifications to the device while impersonating any app. When the user taps the fake notification, Gustuff opens a spoofed web page that phishes the login credentials. In other cases, when the user opens the legitimate app, the malware autofills the transaction details and uses the Accessibility Service to approve a money transfer to the attacker’s account automatically.
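Because the whole chain hinges on the user granting accessibility access, one practical check on a managed or suspect device is to list which packages currently hold that access. The following triage helper is an added example, not code from the article or from Group-IB; it parses the value Android stores in the `enabled_accessibility_services` secure setting (read with `adb shell settings get secure enabled_accessibility_services`) and flags any package outside an assumed allowlist, using a constructed sample value in place of real device output.

```shell
#!/bin/sh
# Added triage helper (not from the article): list enabled Android Accessibility
# services whose package is not on a known-good allowlist.
# On a real device the input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated "package/ServiceClass" entries, or "null".

# Assumed allowlist of packages expected to hold accessibility access
# (TalkBack here; adjust for your fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Print the package of every enabled service not on the allowlist, one per line.
unexpected_a11y_packages() {
    raw="$1"
    [ "$raw" = "null" ] && raw=""
    # Package names contain no spaces, so turning ':' into ' ' lets the shell
    # split the entries safely.
    for entry in $(printf '%s' "$raw" | tr ':' ' '); do
        pkg="${entry%%/*}"            # strip "/ServiceClass"
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;            # expected package, nothing to report
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# One-line verdict: "CLEAN" when only allowlisted services are enabled,
# otherwise "SUSPECT: <packages>".
a11y_verdict() {
    pkgs=$(unexpected_a11y_packages "$1" | tr '\n' ' ' | sed 's/ *$//')
    if [ -z "$pkgs" ]; then
        echo "CLEAN"
    else
        echo "SUSPECT: $pkgs"
    fi
}

# Constructed sample: TalkBack plus a sideloaded package (placeholder name)
# that has talked the user into granting it accessibility access.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.Svc'

a11y_verdict "$SAMPLE"
# A flagged package can then be inspected with: adb shell dumpsys package <pkg>
```

The same allowlist approach works for device administrators, which Gustuff also grants itself, but that output (`dumpsys device_policy`) has a different layout and is not parsed here.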
How Gustuff Malware Infects Phones
Gustuff uses web fakes, fraudulent copies of real apps that attackers build to mimic the originals. The web fakes look identical to their legitimate counterparts, so users are fooled into using one because it looks just like their real banking app. When they enter their usernames and passwords, the malware captures the information and sends it to the attackers.
Banking apps for major organizations like J.P. Morgan, Wells Fargo, and Bank of America are targeted by this malware and its web fakes. Twenty-seven targeted apps are aimed at US users; a further 16 are specific to Poland, ten to Australia, nine to Germany, and eight to India. Gustuff also spoofs the payment apps PayPal, Revolut, and Western Union, the shopping apps eBay and Walmart, and the messaging apps Skype and WhatsApp. In total, Gustuff uses over 100 spoofed apps.
How to Stop Malware
The best way to protect your devices from attackers is to download apps only from official app stores like Google Play or the iTunes store. Do not click on suspicious links in emails or messages, even if they come from people you know: malware messages are sent from a friend’s infected phone, so they will appear legitimate.