A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet, as well as banks including JPMorgan, Wells Fargo, and Bank of America. The news was reported by technology news outlet The Next Web on March 28.
Based on research from prominent cybercrime analytics firm Group-IB, this is reportedly the first time the Trojan — now named “Gustuff” — has been reported or analyzed. The malware is described as being designed for mass infection and is spread by SMS messages with links to load malicious Android package kit files.
The malware’s creators have reportedly created “Automatic Transfer Systems” that aim to expedite and scale the thefts by triggering autofills of payment fields for legitimate Android apps to maliciously reroute transfers to the hackers.
The malware reportedly displays a host of “web fakes” that mimic legitimate apps to phish sensitive data from users, specifically targeting customers of as many as 32 different crypto apps. Push notifications carrying legitimate-looking icons are a further device the malware uses to automate downloads of fake apps and trigger transaction autofills.
Group-IB reportedly identified 27 fake crypto and banking apps specific to the United States, 16 for Poland, 10 for Australia, nine for Germany and nine for India. The malware also targets payment systems and messenger services such as PayPal, Revolut, Western Union, eBay, Walmart, Skype and WhatsApp.
In order to function, Gustuff reportedly abuses Android’s Accessibility Service, a feature designed for users with disabilities, which Group-IB characterizes as a relatively rare and effective trick:
“Using the Accessibility Service mechanism means that the Trojan is able to bypass [...] changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”
Group-IB reports that Gustuff was first traced to hacker forums in April 2018 and was designed by a Russian-speaking cybercriminal nicknamed “Bestoffer,” yet it targets customers of international firms primarily outside of Russia.
Group-IB advises Android users to download apps strictly from the Google Play store and to pay attention to the file extensions of downloaded files.
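The two traits described above, installation from outside Google Play and a Trojan that relies on the Accessibility Service, are what a device triage would look for. The script below is an added example, not from the article or Group-IB: it reads the installer recorded for each third-party package and the enabled accessibility services over adb, and flags any enabled service that belongs to a package Google Play did not install. It assumes adb is on PATH with a device attached; the package names and output samples embedded in it are constructed.

```python
import subprocess

PLAY_STORE = "com.android.vending"  # installer id recorded for apps that came from Google Play

# Constructed sample output shaped like `pm list packages -3 -i` and the accessibility setting; used when no device is attached.
SAMPLE_PM = "package:com.example.wallet  installer=com.android.vending\npackage:com.fake.bank  installer=null\n"
SAMPLE_ACC = "com.fake.bank/com.fake.bank.AccService:com.android.talkback/.TalkBackService"

def adb_shell(cmd):
    """Run a command on the attached device; needs adb on PATH and USB debugging enabled."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True).stdout

def sideloaded_packages(pm_output):
    """Third-party packages whose recorded installer is not Google Play (sideloaded or unknown)."""
    flagged = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installer = installer.strip() or "null"  # older builds omit the field for unknown sources
        if installer != PLAY_STORE:
            flagged.append((pkg.strip(), installer))
    return flagged

def enabled_accessibility_services(settings_value):
    """Parse the colon-separated enabled_accessibility_services value into (package, service) pairs."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    return [tuple(e.partition("/")[::2]) for e in value.split(":") if e]

def suspicious_services(settings_value, pm_output):
    """Enabled accessibility services owned by a sideloaded package: the combination an accessibility-abusing Trojan needs."""
    sideloaded = {pkg for pkg, _ in sideloaded_packages(pm_output)}
    return [(pkg, svc) for pkg, svc in enabled_accessibility_services(settings_value)
            if pkg in sideloaded]

if __name__ == "__main__":
    try:
        pm_out = adb_shell("pm list packages -3 -i")
        acc = adb_shell("settings get secure enabled_accessibility_services")
    except (FileNotFoundError, subprocess.CalledProcessError):
        pm_out, acc = SAMPLE_PM, SAMPLE_ACC  # no device available: run on the constructed sample
    for pkg, installer in sideloaded_packages(pm_out):
        print(f"sideloaded: {pkg} (installer={installer})")
    for pkg, svc in suspicious_services(acc, pm_out):
        print(f"accessibility service enabled for sideloaded app: {pkg}/{svc}")
```

A hit is a lead for manual review rather than proof of infection, since vendor app stores and enterprise MDM tools also install apps outside Google Play.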
As reported in February, decentralized app MetaMask was recently pulled from Google Play after researchers detected malware impersonating the tool to steal crypto from users.