Threat Watch

Gustuff Banking Trojan Targeting More Than 125 Android Apps

Gustuff has gained steam over the past year, receiving numerous updates that have propelled its capabilities to a high level. It belongs in the same category as other well-known threats such as Anubis, BankBot, Exobot, LokiBot, and Red Alert. Aside from phishing for credentials, Gustuff stands out for one special ability. The trojan uses social engineering to get the victim to grant it access to the Android Accessibility Service, a feature intended to let users with certain disabilities have specific UI interactions automated on their behalf. While it is not uncommon for other Android banking malware to abuse the service, for example by placing fake login pages on top of banking apps or granting itself admin rights, Gustuff does things slightly differently. It uses the Accessibility Service to implement Automatic Transfer Services (ATS), which lets it take money straight from the victim's device. Essentially, Gustuff can open specific apps, fill out forms, supply transaction credentials, and approve the transfer of funds. Targeted institutions include Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank, and PNC, as well as crypto apps such as BitPay, Cryptopay, Coinbase, and Bitcoin Wallet. Although unique, it is not as widespread as its rivals because it has not made it into the Google Play Store: it cannot get through Google's security scans. The most common distribution method is SMS spam. Beyond its ATS feature, Gustuff can also display custom push notifications that impersonate any app on a targeted device.

ANALYST NOTES

Users should be aware of SMS scams and their capabilities. If users receive a message from an unknown sender that contains a link, that link should not be followed. Apps should be downloaded exclusively from the Google Play Store, since Gustuff is not currently being seen there. Companies should also implement signature-based detection methods, an added layer of security that verifies legitimacy through device fingerprints.
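Because Gustuff's ATS capability depends on a user-granted Accessibility Service, one practical triage check is to list the accessibility services enabled on a device and flag any that are not on an allowlist. The script below is an added example, not part of the Threat Watch entry; it assumes adb is installed, the device has USB debugging enabled, and that the allowlist (here only TalkBack, as an illustrative value) is replaced with the services your fleet actually permits.

```shell
#!/bin/sh
# Added example: flag unexpected Android accessibility services.
# Gustuff-style banking trojans need an accessibility service to drive
# the UI, so an unrecognised entry in this setting is a strong signal.
# Assumptions: adb is installed and the device allows USB debugging.

# Space-separated allowlist of "package/serviceclass" entries.
# Illustrative value only; replace with the services you actually permit.
ALLOWED_A11Y_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# $1: raw value of the enabled_accessibility_services secure setting
#     (colon-separated "package/class" entries, or "null" when none).
# Prints one line per entry not on the allowlist; returns 1 if any found.
flag_unknown_a11y_services() {
    raw="$1"
    found=0
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    # Package and class names contain no whitespace, so splitting on
    # colons converted to spaces is safe.
    for svc in $(printf '%s' "$raw" | tr ':' ' '); do
        allowed=0
        for ok in $ALLOWED_A11Y_SERVICES; do
            if [ "$svc" = "$ok" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'UNEXPECTED accessibility service: %s\n' "$svc"
            found=1
        fi
    done
    return "$found"
}

# Pull the setting from the connected device and run the check.
# Not invoked automatically; call it when a device is attached.
check_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unknown_a11y_services "$raw"
}
```

An unexpected entry is a lead for further investigation, not proof of infection; compare the package against what the user knowingly installed before acting.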