Android banking trojan ‘Gustuff’ targets over 100 banking apps and 32 cryptocurrency apps

• Gustuff Android banking trojan uses social engineering techniques to trick device owners into giving access to the Android Accessibility service.
• Instead of phishing banking account credentials and then stealing funds, this ATS service allows the trojan to directly make fund transfers from the infected user’s device.

A new Android banking trojan dubbed ‘Gustuff’ is gaining momentum by Android users in recent months.

Why it matters - This trojan is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps.

Who are its targets?

• Gustuff has the ability to target international banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank.
• The Android banking trojan can also target cryptocurrency apps such as BitPay, Cryptopay, Coinbase, and Bitcoin Wallet.
• It can also steal credentials from various Android payment apps and messaging apps such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut, and more.

What are its capabilities?

• This trojan can disable Google Play Protect security feature of the Google Play Store.
• Gustuff can collect data such as documents, photos, and videos from infected apps.
• It has the ability to reset an Android device to factory settings.

Besides, this Android banking trojan is capable of displaying custom push notifications disguised as an app. Upon clicking the notification, it either opens a webpage containing a phishing form that asks for credentials or opens a legitimate app, where the trojan auto-fills transaction forms and auto-approves fund transfers via the Accessibility service.

How does it exploit the Android Accessibility service

Researchers from Group-IB cybersecurity firm noted that the Gustuff Android banking trojan uses social engineering techniques to trick device owners into giving access to the Android Accessibility service. Accessibility service is for users with disabilities and it can automate various UI interactions and tap screen items on users’ behalf.

Gustuff trojan exploits this service and runs Automatic Transfer Service (ATS). Instead of stealing banking account credentials and then stealing funds, this ATS service allows the trojan to directly make fund transfers from the infected user’s device.

• Using the Android Accessibility service, Gustuff implements an ATS system on the user’s device.
• The ATS implemented on the user’s device will open the apps and fills in the required details and credentials.
• It then auto-approves the fund transfer on its own.

“Gustuff's unique feature is that it is capable of performing ATS with the help of the Accessibility Service. The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert,” Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB told ZDNet.

Worth noting

• Group-IB researchers noted that Gustuff was never deployed inside apps that are available for download in the Google Play Store.
• The only way attackers distribute Gustuff is via SMS spam message that includes links to the trojan’s APK installation file.