Gustuff has gained steam over the course of the last year, receiving numerous updates that have propelled its capabilities to a high level. It belongs in the same category as other well-known threats such as Anubis, BankBot, Exobot, LokiBot, and Red Alert. Aside from phishing for credentials, Gustuff stands out for one special ability. The trojan uses social engineering to gain access to the Android Accessibility Service, a feature that lets users with certain disabilities approve automation of specific UI interactions. It is not uncommon for other Android banking malware to abuse the service by placing fake login pages on top of banking apps or granting itself admin rights, but Gustuff does things slightly differently. It uses the Accessibility Service to implement Automatic Transfer Services (ATS), which give it the ability to take money straight from the victim’s device. Essentially, Gustuff can open specific apps, fill out forms, provide transaction credentials, and approve the transfer of funds. Some of the targeted institutions are Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank, and PNC, as well as crypto apps like BitPay, Cryptopay, Coinbase, and Bitcoin Wallet. Although unique, it is not as popular as its rivals because it has not been able to get into the Google Play Store: it cannot get through Google’s security scans. The most common way it is distributed is through SMS spam. Other than its ATS feature, Gustuff can also display custom push notifications that pose as any app on a targeted device.
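Because the whole ATS capability hinges on the trojan holding Accessibility Service access, a quick triage step is to list which apps on a device currently have that access. The script below is an added defender-side example, not code from the original post: the `adb` command and the `enabled_accessibility_services` secure setting are real, while the allowlist and the sample output are constructed assumptions.

```python
"""Triage check (constructed example): flag unexpected Android Accessibility
Services from `adb shell settings get secure enabled_accessibility_services`."""
import subprocess
from typing import Optional

# Assumed allowlist of legitimate assistive services; extend for your fleet.
ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of the setting's value: flattened ComponentNames joined by ':'.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashplayer/.AccService"
)

def parse_enabled_services(raw: str) -> list[str]:
    """Split the raw setting value into flattened ComponentName strings."""
    raw = raw.strip()
    if raw in ("", "null"):  # 'null' is what `settings get` prints when unset
        return []
    return [entry for entry in raw.split(":") if entry]

def expand_component(flat: str) -> str:
    """Expand shorthand 'pkg/.Cls' to 'pkg/pkg.Cls' so allowlist matching is exact."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"

def find_suspicious(raw: str, allowlist: set[str] = ALLOWLIST) -> list[str]:
    """Return enabled accessibility services that are not on the allowlist."""
    enabled = (expand_component(e) for e in parse_enabled_services(raw))
    return [comp for comp in enabled if comp not in allowlist]

def read_from_device() -> Optional[str]:
    """Query a connected device via adb; return None if adb is unavailable."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=15, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None

if __name__ == "__main__":
    # Falls back to the constructed sample when no device is attached.
    for comp in find_suspicious(read_from_device() or SAMPLE_OUTPUT):
        print(f"[!] unexpected accessibility service enabled: {comp}")
```

Any flagged package should be checked against its install source; a service enabled for an app that arrived via an SMS link rather than the Play Store is the pattern this post describes.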
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense