Gugi banking Trojan outwits security features of Android 6

Malware bypasses security measures to steal user credentials and sniff out banking details of naive users that grant permission without realising what they've done

 The Trojan manages to steal bank details from a mobile app by overlaying banking apps with phishing windows in order to steal user credentials for mobile banking.
The Trojan manages to steal bank details from a mobile app by overlaying banking apps with phishing windows in order to steal user credentials for mobile banking.

Researchers have discovered a modified version of the banking Trojan Gugi that bypasses security features of Android designed to block phishing and ransomware attacks.


According to a blog post by Roman Unuchek, senior malware analyst at Kaspersky, the malware is from the Trojan-Banker.AndroidOS.Gugi family, which has existed since December 2015. The modified version, Trojan-Banker.AndroidOS.Gugi.c, was discovered in June 2016.


The Trojan manages to steal bank details from a mobile app by overlaying banking apps with phishing windows in order to steal user credentials for mobile banking. It also overlays the Google Play Store app to steal credit card details.


It gets the overlay permission it needs by forcing users to grant this permission. It then uses that to block the screen while demanding ever more dangerous access.


While Android 6 should prevent such attacks, if users grant permission for the Trojan to overlay other apps, then it's game over.


The malware spreads through SMS spam that takes users to phishing webpages with the text “Dear user, you receive MMS-photo! You can look at it by clicking on the following link”. Clicking on the link initiates the download of the Gugi Trojan onto the user's Android device.


This then authorises app overlay, blocks the screen asking for 'Trojan Device Administrator' rights, and then finally asks permission to make calls and SMS.


If a user denies permission at any time, the Trojan then blocks the device completely. In such a case the user's only option is to reboot the device in safe mode and try to uninstall the Trojan.


The firm said the Trojan is becoming popular with criminals; it saw a tenfold increase in infections between April and August. However, the Gugi Trojan mainly attacks users in Russia: more than 93 percent of attacked users to date are based in that country.


“Cyber-security is a never-ending race. OS systems such as Android are continuously updating their security features to make life harder for cyber-criminals and safer for customers. Cyber-criminals are relentless in their attempts to find ways around this, and the security industry is equally busy making sure they don't succeed. The discovery of the modified Gugi Trojan is a good example of this. In exposing the threat, we can neutralise it, and help to keep people, their devices and their data safe,” said Unucheck.


Chris Hodson, EMEA CISO at Zscaler, told SCMagazineUK.com that in the case of Gugi, social engineering is coming via a spam SMS message. “Security professionals have a duty of care to educate users. SMS messages from an unknown number should always be treated with caution,” he said.


“Business policies need to restrict the downloading of applications from anywhere other than trusted app stores. The majority of Android malware is still delivered from third-party app stores. In the case of Gugi, once installed, the options for revoking the malware's rights are limited. Users are forced to either 'accept' or have their device bricked. With these advanced forms of mobile malware, it is imperative that security controls exist to prevent the user from downloading the malware payload in the first place; even better, we'd like to leverage threat intelligence information to block access to the URL in the first place. As I call out below, this is becoming harder-and-harder.”


Daniel Padon, mobile threat researcher at Check Point, told SC that as protections develop, malware quickly follows. “Malware have found ways to circumvent even the newest Android security features and continue to do so at record speed. To stay protected, organisations should implement advanced security measures capable to detect and block zero-day attacks based on static and dynamic analysis.”