Gustuff Android banking trojan targets 125+ banking, IM, and cryptocurrency apps

Gustuff also possesses a feature unique among all Android banking trojans.

An Android banking trojan is starting to gain popularity in the cybercriminal underworld. Named Gustuff, the trojan has been around for almost a year, during which time it has slowly received update after update, becoming a powerhouse in terms of features and targeting capabilities.

This Android banking trojan now joins the ranks of similar top-tier threats, such as Anubis, Red Alert, Exobot, LokiBot, and BankBot.

According to an analysis of Gustuff shared with ZDNet by cyber-security firm Group-IB, Gustuff can phish credentials and automate bank transactions for over 100 banking apps and 32 cryptocurrency apps.

Targets include known banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank, but also cryptocurrency apps such as BitPay, Cryptopay, Coinbase, and Bitcoin Wallet.

In addition, the trojan can also phish credentials for various other Android payment and messaging apps, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut, and others.

Gustuff's unique trick

Under its hood, Gustuff operates like all the other Android banking trojans on the market. It uses social engineering to trick users into giving it access to the Android Accessibility service, a feature meant for users with disabilities and a powerful tool that can automate various UI interactions and tap screen items on the user's behalf.

Most Android banking malware uses this service to give itself admin rights and show the fake login pages on top of other apps. However, Gustuff abuses this service differently, and in a more complex and devious way than all its competitors.

"Trojans that use [the] Accessibility Service is indeed not a rare occurrence," Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB, told ZDNet yesterday. "Gustuff's unique feature is that it is capable of performing ATS with the help of the Accessibility Service."

ATS is a term specific to the banking --and banking malware-- sector. It stands for Automatic Transfer Service. When used in the context of malware, it refers to a banking trojan's ability to make transactions from an infected user's computer, rather than stealing their account credentials and then using those credentials to steal money via other computers/smartphones.

Basically, thanks to the Android Accessibility service, Gustuff has implemented an ATS system right on the user's phone. It can open apps, fill in credentials and transaction details, and approve money transfers on its own.

Banking trojans meant to infect Windows computers have been doing this for years, with the help of services like VNC, but ATSes are still a rare occurrence for Android banking trojans.

"The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert," Mirkasymov told ZDNet.

Not on the Google Play Store yet

But while the trojan is more advanced than most of its competition, it has not been that popular. Gustuff was never deployed inside apps uploaded on the official Google Play Store, as it currently appears to be unable to bypass Google's security scans --unlike most of its rivals.

Currently, the only way threat actors have been seen distributing the trojan has been through SMS spam that carries links to the trojan's APK installation file, Group-IB said.

The trojan has been on the market since April 2018, when its author first started advertising it on a well-known forum for Russian-speaking cybercriminals.

Other Gustuff features

Besides having built an Accessibility Service-powered ATS, Gustuff also has other features. According to its ad, Gustuff can also turn off Google Play Protect, a security feature of the Google Play app. According to its author, this works in 70 percent of cases.

The trojan is also able to show custom push notifications that can pose as any app. When clicked, these notifications either open a web page showing a phishing form to steal login credentials for a specific service, or open the legitimate app, where the trojan auto-fills transaction forms and uses the Accessibility service to automatically approve funds transfers.

Last, but not least, the trojan can also collect data from infected devices, such as documents, photos, and videos, if necessary. Its most insidious feature is Gustuff's ability to reset a device to factory settings, in case trojan operators fear their presence on the device would ever be discovered.
