Gustuff Android trojan targets crypto apps with unique feature

Getting your Trinity Audio player ready...

Android banking trojans have been around for years. However, the latest one is no ordinary malware. Known as Gustuff, this virus has been around since April 2018. Over that time, it has received plenty of updates, all of which have made it more formidable.

Gustuff targets all forms of financial Android apps, from crypto to payment processors and banks. According to an analysis of the trojan by cyber-security firm Group-IB, it can access over 100 banking apps. The analysis, which Group-IB shared with tech outlet ZDNet, also revealed that Gustuff can access over 32 crypto apps.

Some of the banking apps on its radar include Bank of America, TD Bank, Wells Fargo, JPMorgan Chase and Bank of Scotland. In crypto, the most targeted apps are Coinbase, BitPay and Cryptopay, with 29 others also on its radar. Gustuff can also access other payment and messaging apps such as Western Union, PayPal, Revolut, Walmart and Skype.

Just like most of its counterparts, Gustuff uses social engineering to lure its users into granting it access. It does this through the use of the Android Accessibility feature. This feature is meant to assist people with disabilities navigate their Android phones easily. Therefore, it can automate various tasks as well as tap on the screen on the user’s behalf.

However, after accessing the victim’s phone, Gustuff deviates from the norm. For most malware, they use fake login pages and steal a user’s credentials. The criminals then use these credentials to access their victim’s accounts on another computer.

Not Gustuff. The trojan is able to perform an ‘Automatic Transfer Service’, a term that pertains to banking malware. This means that it gets to complete transactions on the victim’s Android device. Using the Android Accessibility feature, it opens apps, fills in credentials and performs all sorts of transactions.

Granted, malware that performs ATS transactions is not unheard of. However, previously, this type of malware only targeted Windows users. Gustuff is the first malware program that performs ATS transactions on an Android mobile device.

Lethal as it is, Gustuff hasn’t been all that popular. For one, it hasn’t been able to bypass Google’s security scans like some of the major players in the field. This has denied it access to the Google Play Store, greatly limiting its market. Currently, it relies on SMS spam on which the criminals embed the links to the malware’s APK installation file.

Gustuff also has other features which further make it more dangerous. It can collect information such as photos and videos from a victim’s phone. It can also turn off Google Play Protect, a security feature that protects users from malware on the Play Store. Its most uncanny feature is the ability to reset the phone to factory settings, erasing all data if its operator fears that the trojan has been discovered.