Hackers are selling and using a potentially devastating “new generation of (Trojan) malware” called Gustuff to hijack bank, cryptocurrency, remittance, and payment details and accounts of Android users, cybersecurity firm Group IB reports.
Notably, the malware exploits Android Accessibility Service features designed to help disabled individuals use a device.
Group IB says the malware shows capabilities that far exceed those of previous versions:
“Initially designed as a classic banking Trojan, in its current version, Gustuff has significantly expanded the list of potential targets, which now includes, besides banking, crypto services and fintech companies’ Android programs, users of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.”
The Trojan malware Gustuff Bot can be leased on the Dark Net for $800 a month.
Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB told Crowdfund Insider that an Android user does not have to be actively engaging with accessibility features to be affected by Gustuff:
“By default, Android prevents installing downloaded applications from unknown sources. However, many people disable this security option, so, once installed, Gustuff prompts the user to grant permission to use Accessibility Service(s). Once you have granted the request, Gustuff can use Accessibility Service to perform ATS (automatic transfer systems) and other C&C (botnet and control) commands.”
Other malware has exploited accessibility features, the researchers say, though occurrence thereof is still fairly uncommon:
“Gustuff is not the first Trojan to successfully bypass security measures against interactions with other apps’ windows using Android Accessibility Service. That being said, the use of the Accessibility Service to perform ATS has so far been a relatively rare occurrence.
According to Group IB, once an Android device is infected by Gustuff malware:
“…(the)Trojan spreads further through the infected device’s contact list or the server database. Gustuff’s features are aimed at mass infections and maximum profit for its operators — it has a unique feature — ATS (Automatic Transfer Systems), that autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps, which both speeds and scales up thefts.”
Analyzed samples of Gustuff show, “the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc.”
A “web fake” is a fake website that mimics a real site and is designed to steal login credentials. Once those credentials are obtained, for a period of time, hackers likely have full sway over whatever accounts are managed at relevant real financial sites.
It appears that the Accessibility Service feature is used as a type of back- door access, “to interact with elements of other apps’ windows including cryptocurrency wallets, online banking apps, messengers etc.”
Certain malware is called ‘Trojan” because it can be used to usher in and lay the groundwork for a whole slew of subsequent malware exploits:
“The Trojan can perform a number of actions, for example, at the server’s command, Gustuff is able to change the values of the text fields in banking apps. Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70% of cases.”
Gustuff malware can also reportedly generate, “fake push notifications with legitimate icons of the apps mentioned above,” meaning it can prompt unsuspecting users to furnish financial account login/card/wallet details and, “can automatically fill payment fields for illicit transactions.”
The malware can also collect and transmit information from the device including reading/sending SMS messages, transferring files (including document scans, screenshots, photos) and can also reset devices to factory settings.
Group IB says Gustuff malware emanates from Russia, but is largely deployed outside the country.