Light Dark
April 2, 2019 By David Bisson 2 min read

Researchers detected a new Android Trojan called Gustuff that is capable of targeting more than 100 mobile banking apps.

Group-IB discovered that Gustuff infects Android smartphones via SMS messages that contain links to malicious Android Package (APK) files. Once infection is complete, the malware abuses Accessibility Service to leverage its Automatic Transfer Systems feature on an infected device. This capability enables the Android Trojan to bypass security mechanisms when a victim interacts with any of more than 100 banking apps, as well as online stores, payment systems and cryptocurrency services.

Specifically, Gustuff uses fake push notification to steal users’ payment credentials or personal details. It can then potentially use the Accessibility Service to automatically fill payment fields for illicit transactions. At the same time, Gustuff is capable of sending sensitive information about the infected device to its command-and-control (C&C) sever, reading/sending SMS messages and resetting the device to factory settings.

Abusers of Android’s Accessibility Service

There is a history of malware abusing Accessibility Service, a feature designed to assist users with disabilities in their interactions with Android devices. Back in July 2017, for instance, Kaspersky Lab observed a Trojan misusing the Android service to gain access to the user interface (UI) of other apps and then steal banking-related information. In December 2018, researchers at ESET discovered a family of malware leveraging Accessibility Service to target users of the Android PayPal app.

These findings come amid a rising prevalence of banking Trojans in general. Over the course of 2018, Kaspersky Lab observed the number of Android users who suffered a banking malware infection more than triple to 1,799,891. These infections took place around the world, though users living in Russia, South Africa and the U.S. were most often affected.

How to Protect Your Organization From Android Trojan Attacks

Security professionals can help defend their organizations from an Android Trojan like Gustuff by training all employees on how to best protect sensitive information, including any data stored on mobile devices. This means enforcing strong password policies and teaching all users, including executives, about what these requirements entail.

Additionally, organizations should enforce layered security controls such as multifactor authentication throughout the workplace and for remote workers.

 |  |  |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

April 25, 2024

NIST’s role in the global tech race against AI

4 min read - Last year, the United States Secretary of Commerce announced that the National Institute of Standards and Technology (NIST) has been put in charge of launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology.However, recent budget cuts at NIST, along with a lack of strategy implementation, have called into question the agency’s ability to lead this critical effort. Ultimately, the success…

April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature