The Stack Archive

Gugi banking Trojan bypasses Android security features

Wed 7 Sep 2016

Mobile banking

Security analysts at Kaspersky Lab have discovered an evolved version of the Gugi banking Trojan, which is able to bypass the new security capabilities of Android 6.

According to the security firm, the modified Trojan is capable of skipping past the platform’s phishing and ransomware blocking features by positioning itself as an overlay to legitimate Android apps.

The Trojan belongs to a family called Trojan-Banker.AndroidOS.Gugi, which has existed since December last year. This latest modification, Trojan-Banker.AndroidOS.Gugi.c, was uncovered in June 2016. The infection seeks to steal a user’s mobile banking credentials by overlaying genuine finance apps with phishing malware. The Trojan is also able to steal credit card details by overlaying the Google Play app.

Gugi can also send and write SMS messages, and make calls among other malicious activities.

Kaspersky senior malware analyst Roman Unucheck explained that OS systems such as Android have to continually update security features to prevent cyberattacks, and increase safety for their customers. ‘Cybercriminals are relentless in their attempts to find ways around this, and the security industry is equally busy making sure they don’t succeed,’ he said.

Although Android 6 was built to stop such attacks, users are still able to grant permissions for the evolved Gugi Trojan. The scam works by sending an SMS with a phishing link which installs the Trojan. It then requests access rights in a pop-up reading: ‘Additional rights needed to work with graphics and windows’, with a single response button available – ‘Provide’.

If the user denies permission at any time, the Trojan blocks the entire device. While users can boot into safe mode to uninstall the malware, Kaspersky Lab explained that this process will have been made more difficult if the user has already given administrator rights.

The security firm noted that while the majority of Gugi attacks (93%) have taken place in Russia, the infections are likely to spread globally.


Android cybercrime malware news
Send us a correction about this article Send us a news tip