New Threat Research: The Client/Server Relationship — A Match Made In Heaven 

Read Threat Research


Gustuff Android Banking Trojan

The Gustuff banking trojan has returned with a new set of features targeting Android phones and tablets. Soon after the initial launch, which Cisco Talos first reported on in April, the developers started changing the distribution hosts and later disabled its Command and Control (C2) infrastructure. The newest version of Gustuff no longer contains hardcoded package names, which reduces the static footprint when compared to previous versions and makes detection more difficult. On the capability side, the addition of a “poor man’s scripting engine” based on JavaScript provides the operator with the ability to execute scripts while its internal commands are backed by the power of JavaScript language. The first version of Gustuff was based on an older banking trojan called “Marcher” that has been active for a few years. Gustuff has lost some of its similarities from Marcher, displaying changes in its methodology after infection. Today, Gustuff primarily relies on malicious SMS messages to infect users, currently targeting users in Australia. Gustuff can dynamically load webviews targeting specific domains based on the receiving commands. During the process, it can also fetch the required injection from a remote server. The trojan can block a number of anti-virus and anti-malware software to prevent detection, and it has been seen asking victims for updated credit card information that it steals. The new version does not have the commands and code related to the SOCKS server or proxy, as opposed to the earlier version. This is believed to allow cybercriminals behind Gustuff to perform activities on the UI of the infected device.


Analyst Notes

The primary method to block this trojan is to prevent the installation of apps downloaded from websites or via SMS messages, and require all apps to come through a trusted store (such as Google Play). Bank customers should always enable two-factor authentication (2FA) on banking or cryptocurrency apps whenever available; this prevents an attacker who has obtained a bank customer’s password from logging in unless they also have control over the customer’s phone. Owners of smartphones should also have anti-malware programs on their devices and keep them updated. Even though Gustuff has anti-malware software blocking capabilities, malware detection programs are constantly providing their clients with updates to further protect them.