Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Trojan Targets Banks, Crypto-Currencies, e-Commerce

A recently discovered Android Trojan is targeting the users of a broad range of services, including international banks, crypto-currency services, and e-commerce websites, Group-IB reports.

A recently discovered Android Trojan is targeting the users of a broad range of services, including international banks, crypto-currency services, and e-commerce websites, Group-IB reports.

Dubbed Gustuff, the malware packs fully automated features designed to steal both fiat and crypto currency from victims. It leverages the Accessibility Service and targets the contacts list on infected devices to spread via SMS messages with links to the malicious APK. 

The Trojan includes web fakes to target mobile users of banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase. 

Overall, the threat could target the “users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 crypto-currency apps,” Group-IB’s security researchers explain in a report shared with SecurityWeek

Over time, Gustuff has expanded the list of potential targets, now also targeting fintech companies’ Android programs, users of apps of marketplaces, online stores, payment systems and messengers, including PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut, and others. 

Gustuff, the researchers say, appears designed for mass infection, due to the use of ATS (Automatic Transfer Systems), a unique feature to auto-fill fields in legitimate mobile banking apps, crypto-currency wallets and other apps, which both speeds and scales up thefts. The ATS function leverages the Accessibility Service. 

While Gustuff is not the first Trojan to abuse the Android Accessibility Service to interact with other applications, “the use of this functionality to perform ATS has so far been a relatively rare occurrence,” Group-IB says. 

Gustuff can also display fake push notifications with the legitimate icons of targeted applications, either to serve a fake page and ask for the user’s personal or payment (card/wallet) details, or to launch the legitimate app and automatically fill payment fields for illicit transactions.

The malware also sends information about the infected device to the command and control (C&C) server, can read/send SMS messages, send USSD requests, launch SOCKS5 Proxy, follow links, transfer files (document scans, screenshots, photos) to the C&C server, and reset the device to factory settings.

The Trojan’s author is believed to be a Russian-speaking cybercriminal, but Gustuff operates exclusively on international markets, the security researchers say. Gustuff was first observed on hacker forums in April 2018 as a new version of the AndyBot malware, priced at $800 per month. 

“In Russia, after the owners of the largest Android botnets were arrested, the number of daily thefts decreased threefold, Trojans’ activity became significantly less widespread, and their developers focused to others markets. However some hackers “patch” (modify) the Trojan samples and reuse it in their attacks on users in Russia,” Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB, said. 

Related: Red Alert Android Trojan for Rent at $500 Per Month

Related: Russian Police Arrest Man Involved in Android Banking Trojan Scheme

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...