Crypto-Stealing Gustuff Trojan Unmasks Alarming Banking Vulnerabilities

A new banking trojan known as Gustuff can allegedly gain access to major banking and cryptocurrency apps from Wells Fargo to Coinbase. | Source: Shutterstock

The darknet has a new soldier in the form of Gustuff, a new Android trojan that has targeted over 125 cryptocurrency and banking apps.

Gustuff has been in existence since April 2018 and stands with Anubis, Red Alert, and BankBot as one of the deadliest threats to the financial space. Cybersecurity firm Group-IB suggests that Gustuff can uncover login credentials and automate transactions for a variety of banking and crypto apps including Capital One, Wells Fargo, PNC Bank, Coinbase, and Bitcoin Wallet. It’s also been known to target credentials for other payment and messaging apps, including Western Union, PayPal, Walmart, and Skype.

Gustuff Wants Your Money – And Crypto

Gustuff operates predominantly by taking over the Android Accessibility service. Designed for persons with disabilities, the service can tap screen items and automate interactions for users who can’t do this themselves.

Rustam Mirkasymov – head of dynamic analysis of the malware department at Group-IB – says this behavior isn’t surprising for most trojans, but Gustuff has a trait that seemingly makes it more dangerous:

“Trojans that use [the] accessibility service is not a rare occurrence. Gustuff’s unique feature is that it performs ATS with the help of the accessibility service. The fact that Gustuff uses [an] ATS makes it even more advanced than Anubis and RedAlert.”

ATS stands for automatic transfer service. Transactions occur through infected computers when ATS is utilized, meaning Gustuff doesn’t need to find login credentials that it would then use to steal funds. Instead, it simply infects a computer or mobile device and fills in the credentials on its own from there, allowing financial transfers to take place.

Read the full story on CCN.com.
