A new Android banking trojan dubbed ‘Gustuff’ has been spreading among Android users in recent months.
Why it matters - This trojan is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps.
Who are its targets?
What are its capabilities?
In addition, this Android banking trojan is capable of displaying custom push notifications disguised as those of a legitimate app. When the user taps the notification, it either opens a webpage containing a phishing form that asks for credentials, or opens the legitimate app itself, where the trojan auto-fills transaction forms and auto-approves fund transfers via the Accessibility service.
How does it exploit the Android Accessibility service?
Researchers from the cybersecurity firm Group-IB noted that the Gustuff Android banking trojan uses social engineering to trick device owners into granting it access to the Android Accessibility service. The Accessibility service is intended for users with disabilities: it can automate UI interactions and tap on-screen items on the user’s behalf.
Gustuff abuses this service to run an Automatic Transfer Service (ATS). Instead of stealing banking credentials and later using them to siphon funds, ATS lets the trojan initiate fund transfers directly from the infected device, with the Accessibility service performing the taps a legitimate user would make.
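Because the abuse hinges on an attacker-controlled app being registered as an Accessibility service, one practical defensive check is to audit which services a device has enabled against the set an organisation expects. The script below is an added example written for this article, not code from Group-IB or from the report; it parses the colon-separated value that Android stores in the `enabled_accessibility_services` secure setting (on a real device obtained with `adb shell settings get secure enabled_accessibility_services`) and reports every entry not on an allowlist. The sample setting value, the `com.example.unknownapp` package and the allowlist contents are constructed for the demonstration and are not indicators from the article.

```shell
#!/bin/sh
# Audit Android's enabled_accessibility_services setting against an allowlist.
# Android stores the value as "pkg/Class:pkg/Class:..." (or "null" when unset).
#
# Constructed sample value standing in for the output of
#   adb shell settings get secure enabled_accessibility_services
# The second entry is a made-up package used only to exercise the check.
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.AccessService'

# Allowlist of services the organisation expects to see (assumption for the
# example; a real deployment would manage this list centrally).
ALLOWLIST='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# audit_services SETTING ALLOWLIST
# Prints each enabled accessibility service that is not on the allowlist,
# one per line. Prints nothing when the setting is unset ("null") or empty.
audit_services() {
    setting=$1
    allow=$2
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    # Split on ':' and compare each component name against the allowlist.
    printf '%s\n' "$setting" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        case ":$allow:" in
            *":$svc:"*) ;;                  # expected service, nothing to report
            *) printf '%s\n' "$svc" ;;      # unexpected service: report it
        esac
    done
}

# count_unexpected SETTING ALLOWLIST
# Prints the number of unexpected services (0 when the device is clean).
count_unexpected() {
    audit_services "$1" "$2" | grep -c . || true
}

# Stand-alone run: show what an analyst would see for the constructed sample.
audit_services "$SAMPLE_SETTING" "$ALLOWLIST" | while IFS= read -r svc; do
    echo "UNEXPECTED accessibility service enabled: $svc"
done
```

To use it against a live device, replace `SAMPLE_SETTING` with the output of the `adb shell settings get secure` command above; any package that appears in the report and is not a known accessibility tool deserves a closer look, since a banking trojan relying on ATS cannot operate without this registration.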
“Gustuff's unique feature is that it is capable of performing ATS with the help of the Accessibility Service. The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert,” Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB told ZDNet.