Gustuff Description

Gustuff is a recently discovered Android malware threat documented by researchers at Group-IB. According to their findings, Gustuff is a fully automated banking Trojan with a target list of more than 100 banking applications and 32 cryptocurrency applications. Of those targets, 27 applications belong to the US, 16 to Poland, 10 to Australia, 9 to Germany and 8 to India. The latest version of the Trojan has expanded functionality and also targets users who have PayPal, Skype, eBay, Walmart, Western Union and other popular apps installed.

The malware reaches the victim's phone through an SMS message containing a link to the Trojan's Android Package (APK) file, which the user is lured into sideloading. Once on the device, it can propagate further by pushing the same lure to the numbers in the victim's contact list, in an attempt to spread as widely and as quickly as possible. The Trojan does not break the security controls of the targeted apps; instead it abuses Android's Accessibility Service, a legitimate API whose intended function is to help people with disabilities use their phones, to read and interact with the windows of legitimate applications on the user's behalf.
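The two behaviours above (delivery by SMS link to an APK, and an enabled Accessibility Service owned by a sideloaded app) are also the cheapest things to check on a device you suspect is infected. The following is an added example, not Group-IB's tooling or the malware's code: it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags accessibility services that belong to packages outside an allowlist or that were not installed from a trusted installer, plus SMS bodies that carry a link to an `.apk`. The sample strings, package names, allowlist and installer set are constructed for the example; no real Gustuff indicators are assumed.

```python
from __future__ import annotations

import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Android stores a colon-separated list of ComponentNames; the second entry uses the
# flattened short form (package/.Class) that the platform also accepts.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.flashplayer/.AccessService"
)

# Constructed sample of `adb shell pm list packages -3 -i` (third-party packages with installer).
SAMPLE_PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashplayer  installer=null
package:com.example.bankapp  installer=com.android.vending
"""

# Constructed SMS bodies; the first mimics an APK lure of the kind used to deliver the Trojan.
SAMPLE_SMS = [
    "Your parcel could not be delivered, update the app: http://track-parcel.example/update.apk",
    "Your verification code is 482913",
]

# Packages expected to own an accessibility service on your fleet (assumed allowlist).
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
# Installers you trust (Play Store here; add your MDM's installer package).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the enabled_accessibility_services value into (package, class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":  # `settings get` prints "null" when unset
        return []
    pairs = []
    for component in setting.split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):  # flattened form: expand to the full class name
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(pm_output: str) -> dict[str, str | None]:
    """Map package name -> installer package; None means the app was sideloaded."""
    installers: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def flag_accessibility_abuse(setting: str, pm_output: str) -> list[dict]:
    """Return enabled accessibility services that a Gustuff-style Trojan would need."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg in KNOWN_A11Y_PACKAGES:
            continue
        reasons = ["accessibility service enabled by non-allowlisted package"]
        if pkg not in installers:
            reasons.append("package missing from third-party list (system app or stale listing)")
        elif installers[pkg] is None:
            reasons.append("sideloaded (no installer recorded)")
        elif installers[pkg] not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by untrusted installer {installers[pkg]}")
        findings.append(
            {"package": pkg, "service": cls, "installer": installers.get(pkg), "reasons": reasons}
        )
    return findings


# A URL (with scheme or www.) whose path ends in .apk: the delivery vector described above.
APK_LINK = re.compile(r"(?:https?://|www\.)\S*\.apk\b", re.IGNORECASE)


def flag_apk_lures(messages: list[str]) -> list[dict]:
    """Return SMS bodies that carry a direct link to an APK."""
    hits = []
    for text in messages:
        m = APK_LINK.search(text)
        if m:
            hits.append({"text": text, "link": m.group(0)})
    return hits


if __name__ == "__main__":
    for f in flag_accessibility_abuse(SAMPLE_ENABLED_A11Y, SAMPLE_PM_LIST):
        print("SUSPICIOUS A11Y:", f["package"], f["service"], "; ".join(f["reasons"]))
    for h in flag_apk_lures(SAMPLE_SMS):
        print("APK LURE:", h["link"])
```

On a real device, feed the script the raw output of the two adb commands instead of the constructed samples. An accessibility service owned by a sideloaded app with a generic name is not proof of infection on its own (some legitimate automation and screen-reader apps are distributed outside Play), but together with an `.apk` link in recent SMS it is exactly the footprint this family leaves.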

Gustuff is also capable of creating fake push notifications that carry the icons of legitimate applications. One of the possible outcomes of tapping such a notification is that a web fake is loaded on the infected device: a phishing page imitating the targeted app that prompts the user to enter the requested payment details. The Trojan has web fakes for some of the biggest banks in the world, including J.P. Morgan, Wells Fargo, TD Bank, Bank of America, Bank of Scotland and others.

The Trojan can control a multitude of functions on the infected device on command from its C&C (Command and Control) server. It can send collected information to that server, read and send SMS messages, upload files such as screenshots and pictures, and reset the device to factory settings, which also destroys most of the evidence an investigator would want.