The darknet has a new soldier in the form of Gustuff, a new Android trojan that has targeted over 125 cryptocurrency and banking apps.
Gustuff has been in existence since April 2018 and stands with Anubis, Red Alert, and BankBot as one of the deadliest threats to the financial space. Cybersecurity firm Group-IB suggests that Gustuff can uncover login credentials and automate transactions for a variety of banking and crypto apps including Capital One, Wells Fargo, PNC Bank, Coinbase, and Bitcoin Wallet. It’s also been known to target credentials for other payment and messaging apps, including Western Union, PayPal, Walmart, and Skype.
Gustuff operates predominantly by taking over the Android Accessibility service. Designed for persons with disabilities, the service can tap on-screen items and automate interactions on behalf of users who can’t do this themselves.
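Because the Accessibility service is the lever such trojans pull, a banking or wallet app can at least notice when an accessibility service it does not recognise is switched on and refuse to show sensitive screens until the user has reviewed it. The following is an added example written for this article, not code from Group-IB or from any of the apps named above; the allow-list contents and the `AccessibilityAudit` class name are assumptions, and the parsing is split into a plain-string method so the logic can be unit-tested off-device.

```java
// Added example: detect enabled accessibility services that are not on an allow-list.
// Reading ENABLED_ACCESSIBILITY_SERVICES needs no permission; it holds a colon-separated
// list of flattened ComponentNames, e.g. "pkg.a/pkg.a.SvcA:pkg.b/pkg.b.SvcB".
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityAudit {
    // Hypothetical allow-list: services the app's risk team has vetted. Adjust per product.
    private static final Set<String> TRUSTED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"   // TalkBack, the platform screen reader
    ));

    private AccessibilityAudit() {}

    /** Returns enabled accessibility services whose package is not on the allow-list. */
    public static List<String> untrustedServices(Context ctx) {
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        return untrustedFrom(raw);
    }

    /** Pure parsing step over the raw setting value, so it can be exercised without a device. */
    static List<String> untrustedFrom(String raw) {
        List<String> suspicious = new ArrayList<>();
        if (raw == null || raw.isEmpty()) {
            return suspicious;          // no accessibility services enabled at all
        }
        for (String flat : raw.split(":")) {
            if (flat.isEmpty()) continue;
            ComponentName cn = ComponentName.unflattenFromString(flat);
            // Fall back to the raw token if the entry is malformed; it is still unrecognised.
            String pkg = (cn != null) ? cn.getPackageName() : flat;
            if (!TRUSTED_PACKAGES.contains(pkg)) {
                suspicious.add(flat);
            }
        }
        return suspicious;
    }
}
```

Run the check when the app starts and again in `onResume()` of any screen that initiates a transfer, since a service can be enabled while the app is in the background; a non-empty result is a reason to show a warning and withhold the transfer flow rather than a proof of infection. This is defence in depth inside one app only: a trojan that has already disabled Google Play Protect, as the article says Gustuff can, is not removed by it.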
Rustam Mirkasymov – head of dynamic analysis of the malware department at Group-IB – says this behavior isn’t surprising for most trojans, but Gustuff has a trait that seemingly makes it more dangerous:
“Trojans that use [the] accessibility service is not a rare occurrence. Gustuff’s unique feature is that it performs ATS with the help of the accessibility service. The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert.”
ATS stands for automatic transfer service. Transactions occur through infected computers when ATS is utilized, meaning Gustuff doesn’t need to find login credentials that it would then use to steal funds. Instead, it simply infects a computer or mobile device and fills in the credentials on its own from there, allowing financial transfers to take place.
Gustuff can allegedly turn off the security feature Google Play Protect and show “custom push notifications” that pose as legitimate apps in order to steal login information. It can gather data from documents, videos and photos, and is reportedly capable of resetting devices to their original factory settings to hide its presence.
The good news is that Gustuff’s reach hasn’t swelled, as it has never been uploaded to the Google Play Store. Thus far, Group-IB says the trojan has primarily been distributed through SMS spam containing links to its installation files.
Regardless of what we’d like to think, the cryptocurrency world is still rife with individuals and products that pose malicious intent. The potential hacks of cryptocurrency exchanges like CoinBene and DragonEx in recent days suggest that safety and privacy in the digital currency world aren’t quite what they should be, but analysts say there are ways to stay protected.
Group-IB has commented that if users wish to avoid trojans like Gustuff, they should limit their downloads to apps strictly available via Google Play, as Gustuff has been unable to bypass Google’s security scans. Users should never download apps from third-party stores and should always enable signature modes for their devices. This ensures that if login credentials are ever stolen, they can eventually be traced back to the devices from which the thefts may have occurred.
Last modified: July 3, 2020 11:52 AM UTC