A newly discovered form of Trojan horse malware is targeting Android phones with the specific aim of stealing crypto assets from users of exchanges and global banks.
News surfaced earlier this week that the cybersecurity company Group-IB discovered the malware, named ‘Gustuff’, and that its targets are significant and wide-ranging. The malware targets the apps of Bitcoin Wallet, BitPay and Coinbase, but banks such as the Bank of America, Wells Fargo and JP Morgan are also being targeted.
Overall, more than thirty applications are targeted.
According to The Next Web, the malware in question is aiming at “mass infections and maximum profit for its operators.” It uses web fakes to phish sensitive data from unsuspecting users, and the extent of the operation is considerable. As TNW states:
“Web fakes for leading banks like J.P. Morgan, Wells Fargo, and Bank of America are included. 27 apps specific to the US were spotted, 16 in Poland, 10 in Australia, nine in Germany, as well as eight in India. Gustuff also “supports” payment systems and messenger services PayPal, Revolut, Western Union, eBay, Walmart, Skype, and WhatsApp.”
Users are sent text messages carrying Android package kits (APKs) that contain the malware, which then spreads the same message to the user’s contact list. The creators of the Trojan exploit the Android Accessibility Service to make the attack possible.
“Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generations of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”
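Because a Trojan of this kind only gets its Accessibility Service powers once the user has granted them, the list of enabled accessibility services on a device is a useful place for a defender or incident responder to look. The script below is an added triage example, not code from the original article or from Group-IB: it parses the value of the Android secure setting `enabled_accessibility_services` (as printed by `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist. The allowlist and the sample setting value are constructed for the example; the fake wallet package name is a placeholder, not a real indicator from the page.

```python
from typing import List, Tuple

# Allowlist is an assumption for this example: packages the defender has vetted.
# TalkBack is Android's own screen reader; the second entry is a constructed
# placeholder for a corporate app that legitimately uses accessibility.
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.example.corp.kiosk",
}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, service class) pairs.

    The setting is a ':'-separated list of entries of the form
    <package>/<class>; an empty string or the literal 'null' means no
    accessibility service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # A class starting with '.' is relative to the package name.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def flag_untrusted(raw: str, trusted=TRUSTED_ACCESSIBILITY_PACKAGES) -> List[str]:
    """Return the fully qualified services whose package is not allowlisted.

    Any hit is worth a closer look: a sideloaded app holding accessibility
    rights is exactly the foothold an overlay/SMS banking Trojan needs.
    """
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_services(raw)
        if pkg not in trusted
    ]


# Constructed sample of the setting value as it might be pulled from a device.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakewallet.update/.SvcAccessibility"
)

if __name__ == "__main__":
    for hit in flag_untrusted(SAMPLE_SETTING):
        print("untrusted accessibility service enabled:", hit)
```

In practice the allowlist would be the set of accessibility-using apps your organisation has approved; everything else on a device that also shows a recently sideloaded APK should be treated as a likely infection and the device isolated before its banking or wallet apps are used again.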
Group-IB goes on to describe the seriousness of the malware, allegedly created by a cybercriminal who goes under the name ‘BestOffer’.
“The malware is also capable of sending information about the infected device to the C&C server [the hackers], reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.”
The best way to avoid infection is to download apps only from the Google Play Store and not to open links you aren’t 100% sure about.