A recently discovered Android Trojan is targeting the users of a broad range of services, including international banks, crypto-currency services, and e-commerce websites, Group-IB reports.
Dubbed Gustuff, the malware packs fully automated features designed to steal both fiat and crypto-currency from victims. It abuses the Android Accessibility Service to interact with other apps, and harvests the contacts list on infected devices to spread itself via SMS messages carrying links to the malicious APK.
The Trojan includes web fakes to target mobile users of banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase.
Overall, the threat could target the “users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 crypto-currency apps,” Group-IB’s security researchers explain in a report shared with SecurityWeek.
Over time, Gustuff's target list has expanded: it now also targets fintech companies' Android apps and the users of marketplace, online-store, payment-system and messenger apps, including PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut, and others.
Gustuff, the researchers say, appears designed for mass infection because of its ATS (Automatic Transfer System) function, which auto-fills fields in legitimate mobile banking apps, crypto-currency wallets and other apps. Because the theft does not need an operator to handle each victim by hand, ATS both speeds up and scales up thefts. The ATS function is built on the Accessibility Service.
While Gustuff is not the first Trojan to abuse the Android Accessibility Service to interact with other applications, “the use of this functionality to perform ATS has so far been a relatively rare occurrence,” Group-IB says.
Gustuff can also display fake push notifications with the legitimate icons of targeted applications, either to serve a fake page and ask for the user’s personal or payment (card/wallet) details, or to launch the legitimate app and automatically fill payment fields for illicit transactions.
The malware also sends information about the infected device to the command and control (C&C) server, can read and send SMS messages, send USSD requests, start a SOCKS5 proxy on the device, follow links, transfer files (document scans, screenshots, photos) to the C&C server, and reset the device to factory settings.
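The combination of capabilities described above (an accessibility service paired with contacts and SMS access) is something a defender can check for on a managed device. The following Python example is added here and is not Group-IB's or SecurityWeek's code. It parses the value of the `enabled_accessibility_services` secure setting and the permission lines of `dumpsys package` output, both of which a practitioner would pull with `adb shell`, and ranks any enabled accessibility service outside an allowlist by the permissions its package also holds. The allowlist, the sample device output and every package name except TalkBack are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Accessibility services a defender expects on a managed device. This
# allowlist is an assumption for the example; build a real one from the
# fleet's inventory. TalkBack is Android's built-in screen reader.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

# Permissions that, next to an accessibility service, match the capability
# set described for Gustuff: contact harvesting, SMS read/send, and USSD
# (USSD codes are dialled through the phone app, which needs CALL_PHONE).
CONTACT_PERMISSIONS = {"android.permission.READ_CONTACTS"}
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
OTHER_WATCHED_PERMISSIONS = {"android.permission.CALL_PHONE"}
WATCHED_PERMISSIONS = CONTACT_PERMISSIONS | SMS_PERMISSIONS | OTHER_WATCHED_PERMISSIONS


def parse_enabled_services(setting_value: str) -> list[str]:
    """Split the colon-separated value of the secure setting
    `enabled_accessibility_services` into 'package/ServiceClass' strings.
    A class written as '.Service' is relative to the package and is
    expanded so entries compare equal to the allowlist form."""
    services: list[str] = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def parse_granted_permissions(dumpsys_text: str) -> set[str]:
    """Collect permissions reported as granted in `dumpsys package <pkg>`
    output, whose permission lines look like
    'android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]'."""
    granted: set[str] = set()
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if ": granted=true" in line:
            granted.add(line.split(":", 1)[0])
    return granted


@dataclass
class Finding:
    package: str
    service: str
    severity: str
    watched_permissions: set[str] = field(default_factory=set)


def triage(setting_value: str, dumpsys_by_package: dict[str, str]) -> list[Finding]:
    """Flag every enabled accessibility service outside the allowlist and
    rank it by the permissions the owning package also holds:
      high   - contacts plus SMS sending (the self-spreading combination)
      medium - any other watched permission
      review - unknown accessibility service, nothing else granted"""
    findings: list[Finding] = []
    for service in parse_enabled_services(setting_value):
        if service in KNOWN_GOOD_SERVICES:
            continue
        pkg = service.split("/", 1)[0]
        granted = parse_granted_permissions(dumpsys_by_package.get(pkg, ""))
        watched = granted & WATCHED_PERMISSIONS
        if watched & CONTACT_PERMISSIONS and "android.permission.SEND_SMS" in watched:
            severity = "high"
        elif watched:
            severity = "medium"
        else:
            severity = "review"
        findings.append(Finding(pkg, service, severity, watched))
    return findings


# Constructed device output. Package names other than TalkBack are
# hypothetical and not taken from the Gustuff report.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashupdate/.AccService:"
    "com.example.autoclicker/.ClickerService"
)
SAMPLE_DUMPSYS = {
    "com.example.flashupdate": """
      install permissions:
        android.permission.INTERNET: granted=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
    """,
    "com.example.autoclicker": """
      install permissions:
        android.permission.INTERNET: granted=true
    """,
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_DUMPSYS):
        print(f"{f.severity:6} {f.service}  {sorted(f.watched_permissions)}")
```

On a real device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`; the point of the ranking is that an unknown accessibility service alone only warrants a look, while one whose package can also read contacts and send SMS matches the spreading behaviour the report attributes to Gustuff.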
The Trojan’s author is believed to be a Russian-speaking cybercriminal, but Gustuff operates exclusively on international markets, the security researchers say. Gustuff was first observed on hacker forums in April 2018 as a new version of the AndyBot malware, priced at $800 per month.
“In Russia, after the owners of the largest Android botnets were arrested, the number of daily thefts decreased threefold, Trojans’ activity became significantly less widespread, and their developers focused on other markets. However, some hackers ‘patch’ (modify) the Trojan samples and reuse them in their attacks on users in Russia,” Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB, said.
Related: Red Alert Android Trojan for Rent at $500 Per Month
Related: Russian Police Arrest Man Involved in Android Banking Trojan Scheme