Gustuff, a vicious Trojan horse created by a Russian-speaking cybercriminal known as “Bestoffer”, is now attacking Android smartphones with the sole aim of stealing users’ cryptos and fiat contained in the apps, reports TNW on March 28, 2019.
Weapon of Mass Infection
Touted as a “weapon of mass infection,” Gustuff is reportedly designed to mimic legit cryptocurrency and banking apps to steal the passwords and other sensitive details of victims.
Reportedly, Gustuff targets users of at least 32 cryptocurrency apps, including Coinbase and BitPay and it also creates malicious web versions of top U.S. financial institutions like J.P. Morgan, Wells Fargo, Bank of America (BOA) and others.
Specifically, the report also notes that 27 instances of Gustuff have been discovered in the U.S., 16 in Poland, 10 in Australia, nine in Germany and eight in India.
Sadly, the Gustuff malware has also created fake versions of apps such as Skype, WhatsApp, Revolut, Western Union, eBay and Walmart.
How it Works; Preventive Measures
The Gustuff malware reportedly loads malicious Android package kit files on affected devices via links embedded in SMS messages.
Once the Gustuff Trojan successfully gets into a device, a remote server swiftly spreads the infection to the victim’s contact lists.
The entire process is facilitated by Automatic Transfer Systems (ATS) whose primary aim is to speed up the attack and replace the legitimate sensitive data of users (such as passwords, bank details e.t.c) with information of the fraudsters that own Gustuff.
That’s not all, Gustuff also takes advantage of Android’s Accessibility Service, which is specially designed to make it possible for people with disabilities to use smartphones, to weaken the security features on the devices and simplify its operation.
Explaining further, Group-IB, the researchers that spotted Gustuff stated:
“with the Accessibility Service mechanism, Gustuff can bypass security measures employed by banks to protect against older versions of Trojans and change to Google’s security policy integrated into new iterations of the Android OS.”
The team has also revealed that Gustuff is capable of triggering push notifications with the genuine icons of apps installed on affected devices and once the user clicks it, a fake version of the app is downloaded or Gustuff could carry out other serious financial activities to the detriment of the victim.
“The malware can potentially send information about the infected device to the C&C server [the hackers], automatically read/send SMS messages, transfer files (including scanned financial documents and photos), follow links and even reset the smartphone to factory settings,”
To avoid getting infected, Group-IB has reportedly advised users of Android-powered mobile phones to download apps only from Google Play and avoid installing apps from insecure third-party stores.
It is also important to pay proper attention to SMS links and avoid clicking on suspicious ones.