
New Malware Strain Targets Android Mobile Banking

Phil Hall
Apr 03, 2019
Photo credit: Getty Images/BigNazik

A new generation of malware that targets major banks, e-commerce sites and cryptocurrency services has been identified by Group-IB, a Russian cybersecurity firm.
The malware, known as Gustuff, runs on Android. Group-IB warned that Gustuff can potentially target more than 100 banking apps, including 27 in the U.S.: Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank were among those cited in Group-IB's report. Online payment services including PayPal and Western Union, cryptocurrency services including Bitcoin Wallet and Coinbase, and e-commerce sites eBay and were among other potential targets.
Gustuff abuses the Android Accessibility Service, a framework intended to assist users with disabilities, to read and drive the user interfaces of other apps on the device. Group-IB estimated that the malware was first developed in Russia and has been available since April 2018; an upgraded version is now sold on cybercriminal forums as a subscription for $800 a month.
“After being uploaded to the victim’s phone, Gustuff uses the Accessibility Service to interact with elements of other apps’ windows including cryptocurrency wallets, online banking apps, messengers etc.,” the Group-IB researchers noted. “The Trojan can perform a number of actions; for example, at the server’s command, Gustuff is able to change the values of the text fields in banking apps. Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against the older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS.
“Moreover,” the researchers added, “Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases. Gustuff is also able to display fake push notifications with legitimate icons of the apps mentioned above. Clicking on fake push notifications has two possible outcomes: either a web fake downloaded from the server pops up and the user enters the requested personal or payment (card/wallet) details; or the legitimate app that purportedly displayed the push notification opens—and Gustuff at the server’s command and with the help of the Accessibility Service, can automatically fill payment fields for illicit transactions.”
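The mechanism Group-IB describes is ordinary Android API: an enabled accessibility service receives window content from other apps and can perform actions such as setting the text of an input field. The defensive side is equally ordinary, and the following Kotlin is an added example (not Group-IB's analysis code and not Gustuff's) of what a banking or wallet app can do at runtime: enumerate the accessibility services currently enabled, flag any that are not on an allowlist, and keep its own payment fields out of the accessibility tree. The allowlist contents and the function names are assumptions for illustration; TalkBack's component name is the real one.

```kotlin
// Added example: runtime checks a banking app can make against Accessibility
// Service abuse of the kind described above. Not code from the original
// article or from the malware. Requires an Android context; API 34+ paths
// are guarded.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.provider.Settings
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Assumption for illustration: services the app is willing to tolerate.
// Extend per your own threat model and the screen readers your users rely on.
val ALLOWED_ACCESSIBILITY_SERVICES = setOf(
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

/** Component names ("package/Class") of every accessibility service currently enabled. */
fun enabledAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    // The running list as the system reports it.
    val running = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.id }
    // Cross-check with the secure setting, a colon-separated list of component names;
    // a service that is enabled but not yet bound shows up here first.
    val fromSettings = Settings.Secure.getString(
        context.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
    )?.split(':')?.filter { it.isNotBlank() }.orEmpty()
    return (running + fromSettings).distinct()
}

/** Enabled services that are not on the allowlist. Non-empty means: warn, step up authentication, or refuse the transaction server-side. */
fun unexpectedAccessibilityServices(context: Context): List<String> =
    enabledAccessibilityServices(context).filterNot { it in ALLOWED_ACCESSIBILITY_SERVICES }

/** Hardening for views that carry card numbers, amounts, payee accounts or one-time codes. */
fun hardenSensitiveField(activity: Activity, field: View) {
    // Drop the node from the accessibility tree so a service neither receives
    // text-changed events for it nor can locate it to perform ACTION_SET_TEXT.
    // Caveat: a service that requests FLAG_INCLUDE_NOT_IMPORTANT_VIEWS still sees it.
    field.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        // Android 14+: hide the node from every service that does not declare
        // itself an accessibility tool, which is the stronger control.
        field.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    }
    // Keep the window out of screenshots and screen recording as well.
    activity.window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE
    )
}
```

Two caveats a practitioner should keep in mind. First, the check only observes; on a phone where the malware already holds the accessibility permission, it can tap through any in-app warning dialog, so the result of unexpectedAccessibilityServices belongs in the risk signal sent to the bank's backend rather than in a client-side gate. Second, none of this touches the other tactics described in the report: fake push notifications and server-delivered web fakes are overlays outside the app, and the view-level settings above do nothing against them.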
