A new variant of the Gugi mobile banking Trojan can bypass two of the security features that Google has included in Android 6.0, Kaspersky security researchers say.
Detected as Trojan-Banker.AndroidOS.Gugi.c, the threat includes mechanisms that allow it to bypass both the permission-based app overlays in Android 6 and the dynamic permission requirement for dangerous in-app activities such as SMS or calls. What is most interesting about the malware, however, is that it doesn’t leverage vulnerabilities to perform the bypass, but employs social engineering instead.
The Gugi Trojan is being distributed mainly through SMS spam that tricks users into visiting phishing webpages by telling them they have received an MMS photo that can be viewed via an included link. However, as soon as the user clicks on the link, the malware is downloaded onto the device instead, and the victim is infected.
To perform its nefarious activity on the infected device, the Trojan needs to overlay banking apps and the Google Play Store app with its own phishing windows, which allow it to steal user credentials and credit card details. However, Android 6 requires applications to request permission to overlay their windows over other apps, and Gugi has found a way to receive this permission by forcing users to grant it.
First, the user is presented with a warning window: “Additional rights needed to work with graphics and windows” that has a single button: “Provide.” When clicking on this button, the victim is presented with a dialog box that authorizes the app overlay (“drawing over other apps”).
As soon as the Trojan receives the permission, it blocks the device by displaying its own window on top of all other windows and dialogs. The window includes a single “Activate” button, leaving users no option but to enable the other dangerous permissions the malware wants, Kaspersky’s Roman Unuchek explains.
“Once the user presses this button they will receive a continuous series of requests for all the rights the Trojan is looking for. They won’t get back to the main menu until they have agreed to everything. For example, following the first click of the button, the Trojan will ask for Device Administrator rights. It needs this for self-defense because it makes it much harder for the user to uninstall the app,” the researcher continues.
After receiving device admin rights, Gugi asks for permission to send and view SMS messages and to make calls. The Trojan has to ask for these permissions the first time it attempts to perform a dangerous operation on a compromised device running Android 6, something it didn’t have to do on previous operating system versions, where all permissions were granted at installation.
The malware asks for each permission until the user agrees and, if it doesn’t receive all of the permissions it is looking for, it completely blocks the infected device. According to Kaspersky’s researcher, the only manner in which the user can use the device is to reboot it in safe mode and try to uninstall the Trojan.
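The permission profile described above (draw-over-apps overlay, Device Administrator rights, SMS and call permissions) is something a defender can check for on a device. The script below is an added example, not code from Kaspersky's write-up: it parses excerpts of `adb shell dumpsys package` and `adb shell dumpsys device_policy` output (the sample text is constructed and only approximates the real dumpsys layout, which is an assumption here) and flags packages that combine all four capabilities.

```python
"""Triage helper (added example, not Kaspersky's or Google's code): flag apps
whose permission profile matches the Gugi report. Input is text from
`adb shell dumpsys package` / `dumpsys device_policy`; samples are constructed."""
import re

OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
       "android.permission.RECEIVE_SMS"}
CALLS = {"android.permission.CALL_PHONE"}

def parse_package_dump(text):
    """Map package name -> set of permissions it requests (install or runtime)."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = pkgs.setdefault(m.group(1), set())
            continue
        m = re.match(r"\s*(android\.permission\.\w+)", line)
        if m and current is not None:
            current.add(m.group(1))
    return pkgs

def parse_device_admins(text):
    """Package names with an enabled Device Administrator receiver (format assumed)."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:", text, flags=re.M))

def gugi_like(pkg_dump, admin_dump):
    """Packages holding every capability the report attributes to Gugi."""
    pkgs, admins = parse_package_dump(pkg_dump), parse_device_admins(admin_dump)
    return sorted(p for p, perms in pkgs.items()
                  if p in admins and all(perms & g for g in (OVERLAY, SMS, CALLS)))

# Constructed sample: a messaging app (SMS only) and a Gugi-like package.
SAMPLE_PACKAGES = """\
  Package [com.example.messenger] (1a2b3c):
    requested permissions:
      android.permission.SEND_SMS
      android.permission.READ_SMS
  Package [com.update.mms] (4d5e6f):
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.SEND_SMS
      android.permission.CALL_PHONE
"""
SAMPLE_ADMINS = """\
  Enabled Device Admins (User 0):
    com.update.mms/.AdminReceiver:
"""
```

Only the package that is both an active device admin and requests overlay, SMS and call rights is reported; the messaging app with SMS permissions alone is not.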
Once it has bypassed Android 6’s defense mechanisms, the malware behaves like other mobile banking Trojans do: it overlays applications to steal credentials from people using mobile banking. Other functionality worth mentioning includes the use of the WebSocket protocol, and the malware’s ability to steal SMS messages and contacts, to make USSD requests, and to send SMS messages on command from the command and control server.
The Gugi family of Android malware first emerged in December 2015, while the new variant was observed in June 2016. At the moment, the malware is mainly focused on infecting users in Russia (more than 93% of attacked users live in this country), but researchers say that it is trending up at the moment, as the number of infections increased ten-fold from April to August.
According to a recently released report from Nokia, smartphone malware infections increased by 96% over the year to April 2016, with smartphones accounting for 78% of all mobile infections.