Inside money, markets, and big tech

New Android malware targets 32 cryptocurrency apps and 100 international banks

Gustuff is out to steal your cryptocurrency (and your fiat!)

A brand-new generation of Trojan horse malware for Android phones has been revealed, tailored specifically towards stealing fiat and digital assets from customers of top international banks and cryptocurrency exchanges.

Cybersecurity firm Group-IB, which found the malware (already named “Gustuff”), warn it comes with fully automated (and unique) functionality aimed at “mass infections and maximum profit for its operators.” Until now, this Trojan has never been reported or analyzed.

Gustuff is said to come with a raft of “web fakes” that mimick apps to phish for sensitive data (like usernames and passwords) from unsuspecting users, who are tricked into using Gustuff’s versions instead. Users of 32 cryptocurrency apps like Coinbase, BitPay, and Bitcoin Wallet are targeted specifically.

Web fakes for leading banks like J.P. Morgan, Wells Fargo, and Bank of America are included. 27 Apps specific to the US were spotted, 16 in Poland, 10 in Australia, nine in Germany, as well as eight in India.

Gustuff also “supports” payment systems and messenger services PayPal, Revolut, Western Union, eBay, Walmart, Skype, and WhatsApp.

Gustuff spreads itself via links sent via SMS

Group-IB labelled Gustuff a “weapon of mass infection,” particularly as it uses SMS messages with links to load malicious Android package kit files. As soon as an Android device is hit, a remote server automatically spreads the Trojan further through its contact lists or related server database.

Its creator(s) even built special “Automatic Transfer Systems” (ATS) to speed and scale the thefts. ATS autofills fields in legitimate  apps with malicious data during normal use (eg: replacing bank details with those related to the attackers).

To make this work, Gustuff uses Android‘s accessibility features designed for users living with disabilities. Group-IB noted the use of ATS helped by Android’s Accessibility Service makes it a relatively rare occurrence.

“Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS,” said Group-IB. “Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”

The extent of Gustuff’s tricks is no joke. Push notifications featuring legitimate icons are said to appear. If they are clicked, either a web fake for the app is downloaded (in which a user could enter their sensitive data) or Gustuff will maliciously fill payment fields automatically to trigger illicit transactions at the server‘s command.

“The malware is also capable of sending information about the infected device to the C&C server [the hackers], reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings,” warned researchers.

Companies can do more to protect against Gustuff

Group-IB was able to trace Gustuff back to posts on hacker forums starting in April 2018. The posts advertised the Trojan as a “serious product for individuals with skills and experience,” which could be leased for $800 per month.

Gustuff was pitched as the successor to the AndyBot malware, which has been plaguing Android phones and stealing money using web fakes that pretend to be mobile apps in much the same way since November 2017.

The firm’s analysts also noted that although this Trojan was created by a Russian-speaking cybercriminal named “Bestoffer,” it operates exclusively with international markets.

“All new Android Trojans offered on underground forums, including Gustuff, are designed to be used mainly outside Russia, and target customers of international companies,” said Rustam Mirkasymov, Group-IB’s head of dynamic malware analysis.

“In Russia, after the owners of the largest Android botnets were arrested, the number of daily thefts decreased threefold, Trojans’ activity became significantly less widespread, and their developers focused to others markets,” he continued. “However some hackers ‘patch’ (modify) the Trojan samples and reuse it in their attacks on users in Russia.”

In order to avoid Trojans like Gustuff, Group-IB advises users of mobile Android devices should strictly download apps from Google Play. They should also never install apps from insecure third-party stores. “It is important to always install software updates, pay attention to downloaded files’ extensions and of course avoid suspicious SMS links,” Mirkasymov told Hard Fork.

The firm also urged companies to use signature-based detection methods to better protect their clients against malware. These identify customer devices with special “device fingerprints,” and can help detect usage of stolen account credentials from unknown devices.

Did you know? Hard Fork has its own stage at TNW2019, our tech conference in Amsterdam. Check it out.

Published March 28, 2019 — 09:59 UTC