
The Updated Gugi Banking Trojan Gets Around Android 6's New Safety Features

Security Precautions Prove No Match for Social Engineering

Security experts often say that no matter what the device, an up-to-date operating system can mean the difference between a smoothly running machine and one that is infested with malware. Even the latest updates can't save you if you're not careful with the links you click on, and the creators of the Gugi Android banking Trojan know it all too well.

Gugi appeared at the end of 2015, and at first it had the typical characteristics of an SMS Trojan. In May 2016, however, it started overlaying banking applications with phishing pages. Drawing over other apps is a common technique in Android malware, which is why Google changed its mobile operating system earlier this year: apps now need to ask for permission before they can show messages on top of other applications.

Gugi's creators saw that, and they came up with an updated version of their malware. They are now hard at work spreading it around.

Kaspersky detected a spike in Gugi infections recently. The number of victims rose from less than 1,000 in June to more than 5,000 in August. Almost all of the infected users are located in Russia, and the malware is spread through "You have a new MMS" spam SMS messages.

According to researchers, Gugi's latest incarnation comes as a malicious file named "img[random string of digits].jpg.apk" and once downloaded, it tells the user that it needs additional permissions to work with graphics and windows. Working with graphics and windows isn't really Gugi's intent. The grant button leads the victim to the app overlay permission.

Once it is allowed to draw overlays, it will start asking for all sorts of other permissions. Gugi's ultimate goal is to become the Device Administrator, and it will bombard the screen with requests until it gets what it wants. At this point, rebooting the phone or tablet in Safe Mode and deleting the Trojan is possible. If the victim gives Gugi administrator rights, getting rid of the malware will be much more difficult. Gugi's final task is to collect login credentials and credit card details by drawing fake login and confirmation forms over applications like Google Play.
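The two observable artifacts the article describes, the "You have a new MMS" lure SMS carrying a link and the dropper named img[digits].jpg.apk, are enough for a simple triage check. The script below is an added example, not code from the article or from Kaspersky; it runs over constructed sample SMS bodies and download paths, and the second filename rule generalizes the reported name to any image-style double extension hiding an .apk.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lure text reported for the campaign, plus any http(s) link in the same message.
LURE_RE = re.compile(r"you have a new mms", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Reported dropper name: img<digits>.jpg.apk. Second pattern is a generalization
# (assumption, not from the article): any image-looking name that is really an APK.
GUGI_NAME_RE = re.compile(r"^img\d+\.jpe?g\.apk$", re.IGNORECASE)
DOUBLE_EXT_APK_RE = re.compile(r"\.(jpe?g|png|gif)\.apk$", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # "sms" or "download"
    reason: str   # which rule fired
    value: str    # the offending message body or file name


def triage_sms(body: str) -> Optional[Finding]:
    """Flag an SMS that combines the MMS lure text with a link."""
    if LURE_RE.search(body) and URL_RE.search(body):
        return Finding("sms", "mms-lure-with-link", body)
    return None


def triage_download(path: str) -> Optional[Finding]:
    """Flag a downloaded file whose name disguises an APK as an image."""
    name = path.rsplit("/", 1)[-1]
    if GUGI_NAME_RE.match(name):
        return Finding("download", "gugi-style-dropper-name", name)
    if DOUBLE_EXT_APK_RE.search(name):
        return Finding("download", "double-extension-apk", name)
    return None


def triage(sms_bodies: List[str], download_paths: List[str]) -> List[Finding]:
    """Run both checks and return every hit, in input order."""
    hits = [f for f in map(triage_sms, sms_bodies) if f]
    hits += [f for f in map(triage_download, download_paths) if f]
    return hits


# Constructed sample input (not real campaign data); example.invalid is a reserved name.
SAMPLE_SMS = [
    "You have a new MMS: http://example.invalid/img4821.jpg.apk",
    "Dinner at 7?",
]
SAMPLE_DOWNLOADS = [
    "/sdcard/Download/img4821.jpg.apk",   # matches the reported naming scheme
    "/sdcard/Download/holiday.png.apk",   # generalized double-extension rule
    "/sdcard/Download/holiday.jpg",       # benign image, no hit
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SMS, SAMPLE_DOWNLOADS):
        print(f"{f.source}: {f.reason}: {f.value}")
```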

Gugi's most recent version shows that no matter how many security patches Google releases, the ultimate decision of what should and should not be installed on an Android device is up to the user. And in many cases, fooling the user is easier than fooling the operating system.
