On March 28, international cybersecurity firm Group-IB published a report on a new type of Android trojan that targets global banking apps and cryptocurrency and marketplace applications.
According to the report, the new malware, dubbed Gustuff, was developed by a "Russian-speaking cybercriminal" nicknamed Bestoffer. The Gustuff malware was first discovered on hacker forums in April 2018; its developer was leasing it for $800 dollars a month. Although the Trojan horse was developed in Russia, research shows it has mainly been used outside of Russia.
After analyzing a sample of the malware, Group-IB found that it uses several different methods to infect victims' Android devices and gain access to bank accounts and digital wallets. For starters, it tricks users into downloading fake apps to their phone. The phonies look like real apps from well-known financial institutions such as J.P.Morgan, Wells Fargo, and Capital One, as well as apps from some of the most popular digital currency service providers like Bitpay, Bitcoin Wallet, and Coinbase. Gustuff isn't limited to these: It also uses fake applications from online retailers, such as Walmart and eBay, and payment portals like PayPal and Western Union.
The folks at Group-IB call the Gustuff malware a "weapon of mass infection" – and with good reason. Once a victim downloads one of the phony smartphone applications, Gustuff begins to spread, targeting and infecting the victim's contact list or server database by using SMS that contains links to a dangerous file.
In order to steal as much money and data as quickly as possible, Gustuff exploits the Android Accessibility tool, which is intended to aid people with disabilities. With this tool, Gustuff can turn off Google Protect, bypass bank security systems, and automatically interact with the banking and crypto exchange apps to fill in payment fields or change the values of text fields used by banking apps.
As if that were not enough, Gustuff can also initiate fake push notifications with the real icons featured in the legitimate apps from real financial institutions. Group-IB found that when this happens, one of two things will happen. A previously downloaded fake app will pop up and the victim will enter the required personal data, or the real app will open and the malware will automatically fill in the required information and steal the victim's funds. Gustuff can also send the victim's personal data, such as documents, screenshots, and pictures, to servers controlled by hackers, and can even reset Android devices to factory settings.
Pavel Krylov, head of Secure Bank, offered some advice to banks and exchanges on how to protect customers from being Gustuff's next victim:
"In order to better protect their clients against mobile Trojans, the companies need to use complex solutions, which allow [them] to detect and prevent malicious activity without additional software installation for [the] end-user. Signature-based detection methods should be complemented with user and application behaviour analytics. Effective cyber defence should also incorporate a system of identification for customer devices (device fingerprinting) in order to be able to detect usage of stolen account credentials from [an] unknown device. Another important element is cross-channel analytics that help to detect malicious activity in other channels."
Unfortunately, malware attacks have become all too common in the cryptocurrency ecosystem. In November of 2018, hackers locked the computer networks of two small towns in Alaska using Trojan horse malware. The hackers demanded a ransom be paid in bitcoin before they would unlock the towns' computers and servers. In March of this year, the Cardinal RAT malware resurfaced and was shown to be targeting FinTech and crypto companies. Just two days ago, a fake advertisement for the Electrum Bitcoin Wallet running on YouTube was found to contain malware.