This nasty Android malware tries to bully its way past Marshmallow security features

Modified malware tries to fight through new Android Marshmallow security features, and gets nasty if you try to get in the way.
Written by Steve Ranger, Global News Director

The battle between hackers and mobile security continues as cybercriminals attempt to find a way around the tighter app security introduced with Android 6.0.

Kaspersky Lab is warning of a modification to the Gugi banking trojan that tries to force its way past new Android 6.0 Marshmallow security features designed to block phishing and ransomware attacks.

The company said the malware forces users into giving it the right to lay a new interface on top of those used by genuine apps, send and view SMS, make calls, and more. Kaspersky said between April and early August this year there was a ten-fold increase in its number of victims.

The malware aims to steal mobile banking credentials by placing a fake banking app interface on top of a user's genuine app, and then harvesting the log-in details. It also tries to steal credit card details by overlaying the Google Play Store app.

However, late last year attacks like this were made much harder by the arrival of Android 6, which requires apps to get the user's permission to overlay other apps, or to do things like sending text messages or making calls. But the updated version of Gugi has found a way to force users to do what it wants, according to Kaspersky, even if it's not very subtle in how it does it.

The Trojan usually arrives thanks to a spam SMS that encourages users to click on a malicious link, by claiming they have a photo to download. Once installed the malware displays the message: "additional rights needed to work with graphics and windows", with only one button labelled "provide".

If users click on this, they are presented with a screen asking them to authorise app overlay, and then Gugi will block the device screen with a message asking for device administrator rights, and then another asking for permission to send and view SMS and to make calls.

If the trojan does not receive all the permissions it needs, it will completely block the infected device, forcing the user to reboot the device in safe mode and try to uninstall the Trojan. Kaspersky said the vast majority of the attacks are on Russian Android users - but if the technique is successful other gangs will no doubt try to replicate it.
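The permission combination described above (overlay, device administrator, SMS and calls) is also what a defender can look for. The following is an added illustration, not code from the article or from Kaspersky: a hypothetical Android helper that lists installed packages currently holding all three powers, so a security app or analyst could flag the Gugi profile on a Marshmallow device.

```java
import android.Manifest;
import android.app.AppOpsManager;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical triage helper (constructed for this example, not Kaspersky's code). */
public final class OverlayAbuseTriage {

    // The runtime permissions the article says the trojan demands after the overlay.
    private static final String[] SMS_CALL = {
            Manifest.permission.SEND_SMS, Manifest.permission.READ_SMS,
            Manifest.permission.RECEIVE_SMS, Manifest.permission.CALL_PHONE };

    /** Returns package names that hold overlay + device-admin + SMS/call access. */
    public static List<String> suspiciousPackages(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Packages with an active device-administrator receiver (getActiveAdmins may be null).
        Set<String> admins = new HashSet<>();
        List<ComponentName> active = dpm.getActiveAdmins();
        if (active != null) for (ComponentName cn : active) admins.add(cn.getPackageName());

        List<String> flagged = new ArrayList<>();
        // Note: on Android 11+ enumerating all packages additionally needs QUERY_ALL_PACKAGES.
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            // "Draw over other apps" is an app-op on Marshmallow, not a plain manifest grant.
            boolean overlay = ops.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW,
                    pi.applicationInfo.uid, pi.packageName) == AppOpsManager.MODE_ALLOWED;
            boolean smsOrCalls = false;
            for (String p : SMS_CALL) {
                if (pm.checkPermission(p, pi.packageName) == PackageManager.PERMISSION_GRANTED) {
                    smsOrCalls = true;
                    break;
                }
            }
            boolean admin = admins.contains(pi.packageName);
            // All three together is the profile Gugi coerces out of the user.
            if (overlay && smsOrCalls && admin) flagged.add(pi.packageName);
        }
        return flagged;
    }
}
```

A hit is a lead for review rather than proof of infection, since a legitimate app can hold the same set, but it matches exactly the rights the trojan blocks the screen to obtain.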

"Cybersecurity is a never-ending race," said Roman Unuchek, senior malware analyst at Kaspersky Lab. "OS systems such as Android are continuously updating their security features to make life harder for cybercriminals and safer for customers; cybercriminals are relentless in their attempts to find ways around this; and the security industry is equally busy making sure they don't succeed."

Kaspersky said that users should never automatically agree to hand over rights and permissions when an app asks them to: think about what is being asked for and why, and avoid clicking on links in messages from people you don't know, or in unexpected messages from people you do.

Google told ZDNet: "We appreciate Kaspersky's research and their efforts to keep Android users safe. We're aware of this issue and the apps in question are currently being removed automatically on all devices with Verify Apps enabled. The applications were never published in Google Play."
