The Gustuff banking trojan has returned with a new set of features targeting Android phones and tablets. Soon after the initial launch, which Cisco Talos first reported on in April, the developers started changing the distribution hosts and later disabled its command and control (C2) infrastructure. The newest version of Gustuff no longer contains hardcoded package names, which reduces its static footprint compared to previous versions and makes detection more difficult. On the capability side, the addition of a “poor man’s scripting engine” based on JavaScript gives the operator the ability to execute scripts, while its internal commands are backed by the power of the JavaScript language.

The first version of Gustuff was based on an older banking trojan called “Marcher” that has been active for a few years. Gustuff has lost some of its similarities to Marcher, displaying changes in its methodology after infection. Today, Gustuff primarily relies on malicious SMS messages to infect users, currently targeting users in Australia.

Gustuff can dynamically load webviews targeting specific domains based on the commands it receives. During the process, it can also fetch the required injection from a remote server. The trojan can block a number of anti-virus and anti-malware programs to prevent detection, and it has been seen asking victims for updated credit card information, which it then steals. The new version does not have the commands and code related to the SOCKS server or proxy, as opposed to the earlier version. This is believed to allow cybercriminals behind Gustuff to perform activities on the UI of the infected device.