
Cybercrime, Gustuff Android banking trojan is back with new features


Cisco Talos: Gustuff Android banking trojan is back with new features. It no longer contains hardcoded package names and added a “poor man scripting engine”

The Gustuff banking trojan is back with new features. The new variant has been discovered by Cisco Talos cyber security experts, who first reported on the malware in April, after it targeted financial institutions in Australia. Soon after, the cybercrime actors behind it started changing the distribution hosts and later disabled their command and control (C2) infrastructure. The actor nevertheless retained control of the malware, since it has a secondary admin channel based on SMS. The latest version of the malicious code no longer contains hardcoded package names, which dramatically lowers its static footprint compared to previous versions. On the capability side, the addition of a “poor man scripting engine” based on JavaScript gives the operator the ability to execute scripts that use the malware's own internal commands backed by the power of the JavaScript language. This is something very innovative in the Android malware space.

According to the cyber security experts, the malware still relies on malicious SMS to infect devices, but it now supports the dynamic loading of WebViews, and there is a command from the C&C to target an Australian Government Portal

The first version of Gustuff that cyber security experts analyzed was based on Marcher, another banking trojan active for several years. The malware has since lost some of those similarities, displaying changes in its post-infection methodology, but it still relies primarily on malicious SMS messages to infect devices, mainly targeting users in Australia. The new campaign was observed at the beginning of October, with the updated variant continuing to use targets of little interest to send propagation SMS messages (each one sends around 300 SMS messages per hour). Gustuff now supports the dynamic loading of WebViews, meaning that it can receive a command to create a WebView targeting a specific domain (the injection is downloaded from a remote server). Furthermore, there is a command from the C&C to target an Australian Government Portal hosting several public services, with the command issued before the local injections were loaded from the remote server.
