Gugi is an Android mobile banking Trojan that typically spreads through SMS spam directing users to websites encouraging the user to click a malicious link to supposedly view an MMS photo. After the user clicks the link, the Gugi Trojan is downloaded onto the Android device. Gugi overlays banking apps as well as the Google Play Store in order to steal account credentials. Android 6 implemented a security feature that required apps to ask permission before allowing apps to overlay other apps. The Trojan bypasses this protection by forcing users to grant the access by displaying a window stating that additional rights are necessary in order to work properly. Once the user clicks the button to provide these accesses, the user will be displayed a dialog box that authorizes the app overlay. Gugi then continues to request more permissions until it has full control of the device. If the user denies a request, the Trojan will block the device, at which point the user needs to reboot the device in safe mode in order to attempt to uninstall the Trojan. The Gugi Trojan mainly targets users in Russia; however, the Trojan is gaining in popularity and may soon be seen targeting elsewhere.


  • September 2016: Kaspersky Lab discovers a modified version of the Gugi Banking Trojan. (Kaspersky)
  • September 2016: Gugi evolves to bypass Android 6 security feature. (SecureList)

Technical Details

  • SecureList provides additional technical details as well as history of the Gugi Trojan, here.
One example of the Gugi variant. Image Source: SecureList

One example of the Gugi variant. Image Source: SecureList

Android MalwareNJCCICGugi