Gustuff is a mobile Android trojan discovered by Group-IB approximately one year ago, however it has had a few upgrades, increasing its effectiveness. It spreads via text message and contains a link to a malicious Android Package Kit (APK) file. These APK files are used to distribute and install mobile apps on Android devices. Gustuff is targeting over 125 banking, IM, and cryptocurrency apps to include Wells Fargo, Capital One, TD Bank, PayPal, Western Union, and WhatsApp, to name a few. Like other banking trojans, Gustuff uses Android Accessibility Services to interact with other applications. However, Gustuff is using a new tactic, coupling this feature with Automatic Transfer Systems (ATS), which auto-fills fields in legitimate banking apps, allowing the trojan to conduct illicit transactions and money transfers on its own. This method increases the speed of theft and appears to be designed for mass infection. The malware can also farm information of the infected device, read and send texts, transfer files, and send these to the Command and Control (C2) server. The trojan can then reset the device to factory settings, obfuscating its presence.

Reporting and Technical Details

  • March 2019: Gustuff Trojan - use of Android Accessibility Services and Automatic Transfer Systems (Group-IB)