Gustuff android trojan leverages dodgy SMSes related to financial organizations to infect Australians

• The new Android-based campaign is used to steal credentials from customers and businesses.
• Researchers believe that the domains used in the campaign have been active at least since November 2018.

A new report has revealed that cybercriminals are using the infamous Gustuff Android trojan to infect about Australian users. The new Android-based campaign is used to steal credentials from customers and businesses.

How does it propagate - According to the report from Cisco’s Talos Intelligence, the malware’s primary infection vector is SMS. These SMSes bear dodgy links. Once the victim clicks on these URLs, the C2 server checks if the mobile device meets the criteria to download the malware. If the device fails to meet the criteria, it redirects the victim to a second server to receive a copy of the Gustuff malware.

Researchers believe that the domains used in the campaign have been active at least since November 2018.

What’s the trick - Talos researchers noted that a set of 189 logos belonging to different Australian banks and cryptocurrency exchanges have been used in the campaign. These logos are leveraged by the malware to create overlay applications of respective banking firms and later ask users for their login credentials.

What are its functionalities - Once the malware becomes active on a victim’s phone, it receives different commands to perform malicious activities. This includes:

• Exfiltrating phone numbers that are in the contact list;
• Collecting a list of installed apps;
• Changing the settings of the device and more.

Talos suggests that while Gustuff is currently targeting Australian financial institutions, there is an indication that the threat actors can expand this attack globally.