Security researchers have discovered a new Android trojan named Gustuff targeting international banks, cryptocurrency services, e-commerce websites and marketplaces.
The Gustuff malware was first spotted on hacker forums in April 2018 and was discovered by security researchers at cybersecurity firm Group-IB.
The malware contains a fully automated feature capable of stealing both fiat and cryptocurrency from user accounts, and it spreads through SMS messages containing links to a malicious Android Package (APK) file.
According to researchers, the malware has a unique feature called ATS (Automatic Transfer Systems). The ATS autofills fields in legitimate mobile banking apps and other applications and helps in speeding up the process.
The ATS feature is implemented with the help of Accessibility Service which is intended to help people with disabilities.
“Gustuff is not the first Trojan to successfully bypass security measures against interactions with other apps’ windows using Android Accessibility Service. That being said, the use of the Accessibility Service to perform ATS has so far been a relatively rare occurrence.”
The malware also uses this feature to interact with other applications' windows, such as those of banking apps and cryptocurrency wallets.
The malware is capable of changing the values of text fields and filling in payment fields used by banking applications.
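As an added defender-side check that is not part of the article: the Accessibility Service access that Gustuff's ATS relies on is recorded in the Android secure setting read by `adb shell settings get secure enabled_accessibility_services`. The POSIX shell function below parses that colon-separated value against an assumed allowlist of accessibility packages and prints any other package holding the permission; the allowlist and the sample value are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): flag apps with an enabled
# Accessibility Service that are not on an expected allowlist.
# Live value: adb shell settings get secure enabled_accessibility_services
# Format: package/service[:package/service...], or "null" if none enabled.

# Packages expected to hold accessibility access (assumption, adjust per fleet).
ALLOWED="com.google.android.marvin.talkback com.android.switchaccess"

# flag_unexpected_services SETTING_VALUE
# Prints one line per package whose service is enabled but not allowlisted.
flag_unexpected_services() {
    value=$1
    [ "$value" = "null" ] && return 0        # nothing enabled on this device
    echo "$value" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}                       # package part before the slash
        case " $ALLOWED " in
            *" $pkg "*) ;;                     # expected package, ignore
            *) echo "$pkg" ;;                  # unexpected holder, report it
        esac
    done
}

# Constructed sample standing in for the adb output: TalkBack plus an
# unknown app that has obtained accessibility access.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.AccService"

flag_unexpected_services "$SAMPLE"
```

On a real device, replace SAMPLE with the output of the adb command and investigate any package the function prints.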
Researchers also noted that the malware is capable of bypassing security measures used by banks to protect against older malware and of turning off Google Protect.
The malware also displays fake push notifications with legitimate icons of the apps.
Clicking the fake notification either opens a previously downloaded fake app or launches the legitimate app, after which the malware automatically fills in the fields and steals the money.
The malware is also capable of reading and sending messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files such as document scans, screenshots, photos and device information to the C&C server and resetting the device to factory settings.
Researchers also noted that although the malware was developed by Russian-speaking cybercriminals, it mainly targets users outside Russia.