Gustuff Android banking trojan targets 125+ banking, IM, and cryptocurrency apps


A new Android banking trojan is starting to gain popularity in the cybercriminal underworld. Named Gustuff, the trojan has been around for almost a year, during which time it has slowly received update after update, becoming a powerhouse in terms of features and targeting capabilities.

This Android banking trojan now joins the ranks of similar top-tier threats, such as Anubis, Red Alert, Exobot, LokiBot, and BankBot.

According to an analysis of Gustuff shared with ZDNet by cyber-security firm Group-IB, Gustuff can phish credentials and automate bank transactions for over 100 banking apps and 32 cryptocurrency apps.

Targets include known banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank, but also cryptocurrency apps such as BitPay, Cryptopay, Coinbase, and Bitcoin Wallet.

In addition, the trojan can also phish credentials for various other Android payment and messaging apps, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut, and others.

Gustuff’s unique trick

Under its hood, Gustuff operates like all the other Android banking trojans on the market. It uses social engineering to trick users into giving it access to the Android Accessibility service, a feature meant for users with disabilities and a powerful tool that can automate various UI interactions and tap screen items on the user’s behalf.

Most Android banking malware uses this service to give itself admin rights and show the fake login pages on top of other apps. However, Gustuff abuses this service differently, and in a more complex and devious way than all its competitors.

“Trojans that use [the] Accessibility Service is indeed not a rare occurrence,” Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB told ZDNet yesterday. “Gustuff’s unique feature is that it is capable of performing ATS with the help of the Accessibility Service.”

ATS is a term specific to the banking and banking-malware sector. It stands for Automatic Transfer Service. When used in the context of malware, it refers to a banking trojan’s ability to make transactions directly from an infected user’s device, rather than stealing their account credentials and then using those credentials to steal money from other computers or smartphones.

Basically, thanks to the Android Accessibility service, Gustuff has implemented an ATS system right on the user’s phone. It can open apps, fill in credentials and transaction details, and approve money transfers on its own.

Banking trojans meant to infect Windows computers have been doing this for years, with the help of services like VNC, but ATSes are still a rare occurrence for Android banking trojans.

“The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert,” Mirkasymov told ZDNet.
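The precondition for the on-device ATS described above is an enabled accessibility service that came from a sideloaded package rather than the system image. The following Java class is an added example for an Android app (not code from the article, Group-IB, or the malware); it assumes an Android `Context` and lists the enabled accessibility services, flagging those whose package is not part of the system image so a banking app can treat them as a risk signal.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical defensive check: enumerate enabled accessibility services. */
public final class AccessibilityAudit {

    /** One enabled accessibility service and whether its package is non-system. */
    public static final class Finding {
        public final String packageName;
        public final String serviceName;
        public final boolean nonSystem;

        Finding(String packageName, String serviceName, boolean nonSystem) {
            this.packageName = packageName;
            this.serviceName = serviceName;
            this.nonSystem = nonSystem;
        }
    }

    public static List<Finding> audit(Context ctx) {
        List<Finding> out = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        if (am == null) return out;

        // FEEDBACK_ALL_MASK: every enabled service regardless of feedback type.
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            String svc = info.getResolveInfo().serviceInfo.name;
            boolean nonSystem;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                // Not on the system image and not an updated copy of a system app
                // means the package was installed afterwards (store or sideload).
                int systemFlags = ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
                nonSystem = (ai.flags & systemFlags) == 0;
            } catch (PackageManager.NameNotFoundException e) {
                nonSystem = true; // unknown package: treat as untrusted
            }
            out.add(new Finding(pkg, svc, nonSystem));
        }
        return out;
    }
}
```

Legitimate third-party accessibility apps (screen readers, password managers) will also be flagged, so use the result for step-up verification or logging rather than a hard block.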

Not on the Google Play Store yet

But while the trojan is more advanced than most of its competition, it has not been that popular. Gustuff was never deployed inside apps uploaded to the official Google Play Store, as it currently appears to be unable to bypass Google’s security scans, unlike most of its rivals.

Currently, the only way threat actors have been seen distributing the trojan has been through SMS spam that carries links to the trojan’s APK installation file, Group-IB said.

The trojan has been on the market since April 2018, when its author first started advertising it on a well-known forum for Russian-speaking cybercriminals.

Gustuff ad (Image: ZDNet)

Other Gustuff features

Besides having built an Accessibility Service-powered ATS, Gustuff also has other features. According to its ad, Gustuff can also turn off Google Play Protect, a security feature of the Google Play app, a trick that, according to its author, works in 70 percent of cases.

The trojan is also able to show custom push notifications that can pose as any app. When clicked, they open either a web page showing a phishing form that steals login credentials for a specific service, or the legitimate app itself, where the trojan auto-fills transaction forms and uses the Accessibility service to automatically approve funds transfers.

Last, but not least, the trojan can also collect data from infected devices, such as documents, photos, and videos, if necessary. Its most insidious feature is Gustuff’s ability to reset a device to factory settings, in case trojan operators fear their presence on the device would ever be discovered.
