A new mobile Android Trojan, dubbed Gustuff, uses Accessibility Services, intended to assist people with disabilities, to autofill banking apps among others.
In a press statement, Group-IB, which discovered the malware, describes Gustuff as a new generation of malware with fully automated features designed to steal both fiat and cryptocurrency from user accounts en masse.
The Trojan appears intended to target customers of international banks, users of cryptocurrency services, ecommerce websites and marketplaces, as it comes equipped with web fakes designed to target users of 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, and users of 32 cryptocurrency apps. These include the Android apps of Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc.
Initially designed as a classic banking Trojan, Group-IB adds that in its current version Gustuff has significantly expanded the list of potential targets; in addition to the Android apps of banks, crypto services and fintech companies, it also targets users of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.
It is reported to infect Android smartphones through SMS messages carrying links to a malicious Android Package (APK) file, the package file format used by the Android operating system for distribution and installation of applications. "When an Android device is infected with Gustuff, at the server’s command the Trojan spreads further through the infected device’s contact list or the server database. Gustuff’s features are aimed at mass infections and maximum profit for its operators - it has a unique feature - ATS (Automatic Transfer Systems), that autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps, which both speeds and scales up thefts."
The analysis by Group-IB of the Trojan found that the ATS function is implemented with the help of the Accessibility Service, which is intended for people with disabilities.
After being installed on the victim’s phone, Gustuff uses the Accessibility Service to interact with elements of other apps’ windows, including cryptocurrency wallets, online banking apps, messengers etc. At the server’s command, Gustuff is able to change the values of text fields in banking apps. Using the Accessibility Service mechanism means the Trojan is able to bypass security measures used by banks to protect against an older generation of mobile Trojans, as well as changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.
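Because the ATS feature depends on the victim granting Gustuff an Accessibility Service, one quick triage step on a suspect handset is to list which packages currently hold that capability. The following is an added example, not code from the article or from Group-IB: it parses the value of Android's `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` entries, readable with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist. The allowlist entries and the sample setting value are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allowlist."""
import subprocess
from typing import List, Tuple

# Hypothetical allowlist: packages an organisation expects to run an
# accessibility service (screen readers etc.). Adjust to your fleet.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the raw setting value into (package, fully qualified class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when unset
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        # Android flattens a class inside its own package as ".Class".
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls if sep else ""))
    return services


def flag_unexpected(raw: str, allowed=ALLOWED_PACKAGES) -> List[Tuple[str, str]]:
    """Return enabled services whose package is not in the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowed]


def read_from_device() -> str:
    """Read the setting from a USB-attached device (requires adb on PATH)."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample standing in for a real device's setting value.
    sample = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.flashplayer/.AccessService")
    for pkg, cls in flag_unexpected(sample):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

Any flagged package deserves a closer look at its installer source and requested permissions; on a managed fleet the same check can be driven from the MDM's device-settings inventory instead of adb.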
Gustuff is also able to display fake push notifications with the legitimate icons of the apps mentioned above. Clicking on a fake push notification has two possible outcomes: either a web fake downloaded from the server pops up and the user enters the requested personal or payment (card/wallet) details; or the legitimate app that purportedly displayed the push notification opens, and Gustuff, at the server’s command and with the help of the Accessibility Service, can automatically fill payment fields for illicit transactions.
The malware is also capable of sending information about the infected device to the C&C server, reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.
Pavel Krylov, head of Secure Bank at Group-IB advises: "Signature-based detection methods should be complemented with user and application behaviour analytics. Effective cyber-defence should also incorporate a system of identification for customer devices (device fingerprinting) to be able to detect usage of stolen account credentials from unknown devices. Another important element is cross-channel analytics that help to detect malicious activity in other channels."
Although the Trojan was developed by a Russian-speaking cyber-criminal, Gustuff operates exclusively on international markets.
Group-IB’s Threat Intelligence system first discovered Gustuff on hacker forums in April 2018. According to its developer, nicknamed Bestoffer, Gustuff became the new, updated version of the AndyBot malware. The price for leasing the "Gustuff Bot" was US$800 (£600) per month.