A new Android Trojan, Gustuff, is being offered on the darknet. It targets more than 125 cryptocurrency applications and about 500 banking applications.
Gustuff has been active since April 2018 and, alongside Anubis, Red Alert and BankBot, is one of the most dangerous threats to the financial sector. According to the cyber security company Group-IB, Gustuff can harvest login credentials and automate transactions in a range of banking and cryptocurrency apps, including those of Capital One, Wells Fargo, PNC Bank, Coinbase and several bitcoin wallets. It is also known to target credentials for other payment and messaging apps, including Western Union, PayPal, Walmart and Skype.
Gustuff operates primarily by abusing the Android Accessibility Service. Designed for users with disabilities, the service can locate elements on the screen and perform interactions (taps, text entry) on behalf of a user who cannot do so directly; malware that obtains accessibility permission inherits the same ability to read and drive any app's UI.
Rustam Mirkasymov, head of the dynamic malware analysis department at Group-IB, says that abusing this service is not unusual for Trojans, but Gustuff has a feature that makes it more dangerous:
Trojans that use the Accessibility Service are not uncommon. What is unique about Gustuff is that it performs ATS through the Accessibility Service. The fact that Gustuff uses ATS makes it even more advanced than Anubis and Red Alert.
ATS stands for Automatic Transfer System. With ATS, the fraudulent transaction is carried out from the infected device itself, so Gustuff does not need to exfiltrate login credentials to an operator who would then reuse them to steal funds. Instead, once it has infected the device, the Trojan opens the legitimate banking or wallet app and fills in the login and transfer fields itself via the Accessibility Service, which lets it complete a transfer without any operator interaction.
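Because the whole attack in the two paragraphs above rests on the Trojan holding accessibility permission, the first thing a practitioner checks on a suspect device is which accessibility services are actually enabled. The script below is an added example, not code from the original article or from Group-IB: it parses the value of the `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` entries, `null` when none are enabled) and reports every service outside an allowlist. The sample setting value and the `com.example.flashplayer` package name are constructed for the demonstration; the allowlist is an assumption you would replace with what your own fleet is expected to run.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# Added example; the allowlist and sample data below are assumptions.

# Services a managed device is expected to have enabled (assumed allowlist).
ALLOWED_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Constructed sample of what `adb shell settings get secure enabled_accessibility_services`
# returns on a device where an unknown "flash player" app has been granted accessibility.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.flashplayer/com.example.flashplayer.MainService'

# find_unexpected_a11y ENABLED ALLOWED
#   Prints one line per enabled service that is not in ALLOWED.
#   Both arguments are colon-separated lists in Android's package/Class form.
find_unexpected_a11y() {
    enabled=$1
    allowed=$2
    # An empty string or the literal "null" means nothing is enabled.
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=:
    for svc in $enabled; do
        found=0
        for ok in $allowed; do
            if [ "$svc" = "$ok" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$svc"
        fi
    done
    IFS=$old_ifs
    return 0
}

# audit_live_device: same check against a device attached over adb.
# Only runs if adb is installed; strips the CR that adb shell appends on some hosts.
audit_live_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live audit" >&2
        return 0
    fi
    live=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    find_unexpected_a11y "$live" "$ALLOWED_A11Y"
}

# Run the check on the constructed sample; the unknown service is reported.
echo "Unexpected accessibility services in sample:"
find_unexpected_a11y "$SAMPLE_ENABLED" "$ALLOWED_A11Y"
```

Any service the script prints deserves a look at which APK installed it and how it was installed (`adb shell pm list packages -3` and `pm path` will get you to the file); a service from a side-loaded package you do not recognise is exactly the foothold a Gustuff-style ATS needs.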
Gustuff is also reported to be able to disable Google Play Protect and to display fake push notifications that imitate the targeted apps; tapping one opens a phishing page built to capture login details. It can collect data from documents, videos and photos on the device and is reportedly able to reset the device to factory settings to hide its presence.
The good news is that Gustuff is not yet widespread, and the Trojan has never been found in the Google Play Store. To date, Group-IB notes, it is spread primarily through SMS spam containing links to the APK installation files.
Unfortunately the world of cryptocurrencies is still full of crooks and criminals and their tools. Reported attacks on cryptocurrency exchanges such as CoinBene and DragonEx show that security and privacy in the digital currency world are still inadequate, though analysts say the means of protection exist.
Group-IB advises that users who want to avoid Trojans such as Gustuff should restrict themselves to apps available through Google Play, since Gustuff has not been able to get past Google's security scanning. Users should never install apps from third-party stores or from links received by SMS, and should always enable the transaction-signing and confirmation features their bank offers. That way, even if login credentials are stolen, the device from which a fraudulent transfer is attempted can be identified.