New Android banking trojan targets 100 banking apps

A recently discovered Android trojan is now targeting more than 100 banks globally, according to cybersecurity firm Group-IB. The malware, dubbed Gustuff, is also capable of targeting users of cryptocurrency apps, e-commerce websites and payment services such as Western Union, BitPay, Revolut, and PayPal.

Labeled as «weapon of mass infection», Gustuff infects Android smartphones via SMS messages containing a link to a malicious Android package kit file. As soon as a device is hit, a remote server automatically spreads the trojan further through its contact lists or related server database.

  • Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and cryptocurrency from user accounts en masse, the Group-IB warns.

Typically, Android prevents users from installing apps downloaded from unknown sources. However, this security option is frequently disabled, giving malicious apps easy access.

Exploiting Android’s accessibility services

Gustuff uses social engineering to trick users into giving access to Android’s accessibility services, a feature meant for users with disabilities. This enables hackers to enter or change the values of the text fields in banking apps (and carry out other illicit transactions). Significantly, Gustuff uses an automatic transfer system (ATS) function in conjunction with the accessibility system for auto-filling fields in legitimate mobile banking apps.

  • Gustuff is not the first trojan to successfully bypass security measures against interactions with other apps’ windows using Android’s accessibility services. The major difference is that the ATS function is implemented with the help of the accessibility services, which both speeds and scales up thefts, Rustam Mirkasymov of Group-IB notes. 

Mobile banking users need help to combat malware

Unsanctioned and insecure third-party app sites continue to be by far the biggest source of Android malware. According to Symantec data, there were 27,000 new mobile malware variants in 2017. Cyber-attacks on Android continue to rise. The total count of mobile malware went up by 40% in 2018.

Banks and payment services providers of all sizes should carefully consider how they can increase mobile banking security.

It’s obviously important to encourage your customers to install software updates, pay attention to downloaded files’ extension and avoid suspicious SMS links. But this alone isn’t enough. And while Google does their best to build secure software, hackers always find a way to bypass the system security features.

Protect your banking app with app shielding

Banking apps cannot rely on OS security features alone. To make sure your app is fully secure you need to protect it with advanced hardening capabilities, integrity checks, and proactive anti-tampering features. You need to let the app protect itself by allowing it to identify and block attacks in real time. That’s what app shielding does.