New Android Trojan can infiltrate major international banking apps

Written by Thu 28 Mar 2019

“Gustuff” Trojan capable of attacking more than 100 global banking apps, cryptocurrency and marketplace applications, including PayPal and Revolut

An Android Trojan capable of plundering fiat from leading international banks and e-commerce sites has been uncovered by cyber security researchers.

The Trojan, named Gustuff, bypasses security measures by abusing the Android ‘Accessibility Service’, a feature intended to assist people with disabilities. Once a device is infected, Gustuff uses automated features to steal fiat and crypto from user accounts en masse.

Cyber security company Group-IB, which uncovered the Trojan on hacker forums in April 2018, said it can target the Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay and Coinbase.

Marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, and Revolut are also vulnerable.

‘Mass infections for maximum profit’

Gustuff infects Android smartphones when users open links to a malicious APK contained within an SMS. Once a device is infected, the Trojan can spread further at the server’s command, sending the link on to the device’s contact list or to numbers held in a server database.

Gustuff uses the Accessibility Service to bypass the security measures banks introduced to protect against older generations of mobile Trojans, as well as earlier changes to Google’s security policy. Perhaps most alarmingly, Gustuff can turn off Google Protect with a 70 percent success rate, according to its Russian developer.

Like any other Trojan, Gustuff does a good job of making things look as though they are operating as normal. For all of the apps mentioned above, it can display fake push notifications that open either a bogus copycat inviting the user to enter personal or payment details, or the legitimate app itself. This is where things get particularly nasty: at the server’s command, and with the help of the Accessibility Service, Gustuff can automatically fill payment fields for illicit transactions within legitimate apps.

The malware is also capable of sending information about the infected device to the C&C server, reading and sending SMS messages, sending USSD requests, launching a SOCKS5 proxy, following links, transferring files (including document scans, screenshots and photos) to the C&C server, and resetting the device to factory settings.

“Gustuff’s features are aimed at mass infections and maximum profit for its operators,” Group-IB said. “It has a unique feature – ATS (Automatic Transfer Systems), that autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps, which both speeds and scales up thefts.”

A team of Group-IB analysts continues to research the Trojan.
