Android Trojan Gustuff Targets Banking and IM Apps

An Android banking trojan known as Gustuff is spreading via text messages that contain a link to a malicious Android Package Kit (APK) file. APK files are the format used to distribute and install apps on Android devices. Gustuff has targeted over 125 banking, instant messaging (IM), and cryptocurrency apps, including Wells Fargo, Capital One, TD Bank, PayPal, Western Union, and WhatsApp, to name a few. The cybersecurity firm Group-IB identified the trojan approximately one year ago; since then, Gustuff has received several upgrades that increase its effectiveness. Like other banking trojans, Gustuff abuses Android Accessibility Services to interact with other applications. However, Gustuff adds a new tactic by coupling this capability with an Automatic Transfer System (ATS), which auto-fills fields in legitimate banking apps and allows the trojan to carry out illicit transactions and money transfers on its own. This method increases the speed of theft and appears to be designed for mass infection. The malware can also harvest information from the infected device, read and send text messages, and transfer files, sending all of this to its Command and Control (C2) server. The trojan can then reset the device to factory settings to conceal its presence.

The NJCCIC highly advises Android users to download apps only from the official Google Play app store, as the malware currently appears to be unable to bypass Google Play's security features. We recommend that users install software updates as they become available, pay special attention to downloaded file extensions and permission requests when installing apps, and avoid suspicious SMS links.
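As an added defender-side check that is not part of the original advisory, the following Python parses the output of `adb shell pm list packages -i` and flags packages whose recorded installer is not the Google Play store, which is how a sideloaded APK of the kind the advisory describes would appear on a device; the sample output and package names are constructed for this example.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output. The package
# names are made up; the installer identifiers follow real Android conventions
# (com.android.vending is the Play Store, "null" means no recorded installer,
# e.g. an APK pushed via adb or opened from a download).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.browserdrop  installer=com.android.packageinstaller
"""

# Installers considered trustworthy; extend with an MDM or OEM store if used.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i` output: "package:<name>  installer=<id>"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text):
    """Map package name -> installer id from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def sideloaded_packages(text, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is absent (null) or not in the trusted set."""
    return sorted(
        pkg for pkg, installer in parse_pm_output(text).items()
        if installer not in trusted
    )


if __name__ == "__main__":
    # On a real device: adb shell pm list packages -i > pm.txt, then feed pm.txt.
    for pkg in sideloaded_packages(SAMPLE_PM_OUTPUT):
        print("not installed from Google Play:", pkg)
```

Packages this reports warrant a closer look at their requested permissions, in particular Accessibility Service and SMS permissions.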