A new generation of malware has been discovered that is designed specifically to steal from Android users. Several crypto and banking apps are affected worldwide.
On March 28, The Next Web reported that the cybersecurity company Group-IB had discovered a previously unknown Trojan horse. The company described the malware, called “Gustuff”, as a “weapon of mass infection”.
The Trojan is distributed via SMS messages containing links that download malicious Android package (APK) files. Once an Android device is infected, the Trojan spreads automatically via the device's contact list.
To accelerate and scale the theft, the malware uses so-called “automatic transfer systems” (ATS). These automatically replace fields in legitimate Android apps with malicious data in order to redirect payments to the attackers.
Gustuff mimics several apps
The report also said that Gustuff contains several “web fakes”: imitations of legitimate apps that trick unsuspecting users into entering sensitive data. A total of 32 different crypto apps are affected, including Coinbase, Bitpay and Bitcoin Wallet.
In addition, Group-IB identified a variety of web fakes for leading banks such as J.P. Morgan, Wells Fargo and Bank of America. 27 fake crypto and banking applications were spotted in the United States, 16 in Poland, 10 in Australia, nine in Germany and eight in India.
The malware also “supports” payment systems and messenger services such as PayPal, Revolut, Western Union, eBay, Walmart, Skype and WhatsApp.
Who is behind the Trojan?
The report states that Gustuff abuses Android's accessibility features, which are designed for users with physical disabilities. Group-IB describes this approach as relatively rare and effective:
“Use of the Accessibility Service mechanism means that the Trojan is able to bypass [...] changes to Google’s security policy introduced in new versions of the Android operating system. In addition, Gustuff knows how to disable Google Protect; according to the Trojan developer, this feature works in 70 percent of the cases.”
Group-IB noted that Gustuff is backed by a Russian-speaking cybercriminal known as “Bestoffer”, who works exclusively on international markets.
How you can protect yourself
To protect against Gustuff or other malware, Group-IB recommends downloading applications exclusively from Google Play, never from third-party stores.
Furthermore, apps should always be kept up to date. It is also important to pay attention to the file extensions of downloaded files.
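The two behaviours the article describes, SMS messages carrying links to APK files and a Trojan enabling its own accessibility service, can both be checked for from the defender's side. The script below is an added example written for this page; it is not Group-IB's or the article's code. It assumes a small allowlist of hosts and packages that an organisation would maintain itself, and all SMS bodies and the settings value are constructed sample data. The setting name enabled_accessibility_services is the real Android secure setting that `adb shell settings get secure` reports.

```python
"""Triage helpers for the two Gustuff behaviours described above: SMS messages
carrying links to Android package (APK) files, and abuse of the Accessibility
Service. Added example, not Group-IB's or the article's code; every sample
value below is constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Hosts from which an APK download would be expected. Assumption: a real
# deployment would maintain its own allowlist; the set is deliberately small.
TRUSTED_APK_HOSTS = {"play.google.com"}

# Packages allowed to run an accessibility service on managed devices.
# Assumption: TalkBack is listed as a typical legitimate screen reader.
ALLOWED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}


def find_apk_links(text):
    """Return the URLs in an SMS body whose path ends in .apk and whose host
    is not on the trusted list. Shortened links hide the extension, so a
    shortener expansion step would have to run before this check."""
    hits = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".apk") and host not in TRUSTED_APK_HOSTS:
            hits.append(url)
    return hits


def triage_sms(messages):
    """Given a list of {"sender": ..., "body": ...} dicts, return the
    (sender, [apk urls]) pairs worth escalating."""
    flagged = []
    for msg in messages:
        links = find_apk_links(msg["body"])
        if links:
            flagged.append((msg["sender"], links))
    return flagged


def parse_accessibility_services(setting_value):
    """Parse the colon-separated value of the Android secure setting
    enabled_accessibility_services, as printed by
    `adb shell settings get secure enabled_accessibility_services`,
    into (package, fully-qualified service class) pairs. The setting reads
    'null' when no service is enabled."""
    if setting_value is None or setting_value.strip() in ("", "null"):
        return []
    entries = []
    for item in setting_value.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        if svc.startswith("."):          # short form: ".MyService"
            svc = pkg + svc
        entries.append((pkg, svc))
    return entries


def unexpected_accessibility_services(setting_value, allowed=ALLOWED_ACCESSIBILITY_PACKAGES):
    """Return enabled accessibility services whose package is not allowlisted."""
    return [(pkg, svc) for pkg, svc in parse_accessibility_services(setting_value)
            if pkg not in allowed]


# Constructed sample data: two SMS bodies and one settings value.
SAMPLE_SMS = [
    {"sender": "+10000000001",
     "body": "Your wallet needs an update: http://wallet-update.example/wallet.apk"},
    {"sender": "+10000000002",
     "body": "Get the app at https://play.google.com/store/apps/details?id=com.example.wallet"},
]
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.dropper/.OverlayService")

if __name__ == "__main__":
    for sender, links in triage_sms(SAMPLE_SMS):
        print("escalate SMS from", sender, "->", links)
    for pkg, svc in unexpected_accessibility_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", pkg, svc)
```

On a managed device the settings value would come from `adb shell settings get secure enabled_accessibility_services`; any package outside the allowlist that appears there deserves a closer look, since a legitimate wallet or banking app has no reason to run an accessibility service.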