Cisco Talos: Gustuff Android banking trojan is back with new features. It no longer contains hardcoded package names and has added a “poor man scripting engine”
According to the researchers, the malware still relies on malicious SMS messages to infect devices, but it now supports dynamic loading of WebViews, and its C&C can issue a command targeting an Australian government portal
The first version of Gustuff that the researchers analyzed was based on Marcher, another banking trojan that has been active for several years. The malware has since shed some of those similarities and changed its post-infection methodology, but it still relies primarily on malicious SMS messages to infect devices, mainly targeting users in Australia. The new campaign was observed at the beginning of October. The updated variant continues to use infected devices that are of little value to the operators as propagation nodes: each sends around 300 SMS messages per hour carrying the malicious link. Gustuff now supports dynamic loading of WebViews, meaning it can receive a C&C command to create a WebView for a specific domain, with the web injection for that domain downloaded from a remote server rather than bundled in the APK. Talos also observed a C&C command targeting an Australian government portal that hosts several public services; that command was issued before the local injections were fetched from the remote server.
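The one concrete indicator the report gives is the propagation rate, roughly 300 SMS messages per hour from each infected device. As an added example (not code from Talos or from the malware), here is a small detector over constructed outbound-SMS telemetry, one line per message in the form "timestamp,device_id,recipient". The field layout, the sample data and the thresholds are assumptions; the point is the fan-out pattern: a worm-style spreader sends many messages in a short window to almost entirely distinct recipients, while a chatty user repeats the same few contacts.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed telemetry for this example (not data from the Talos report).
    Each line is "ISO-8601 timestamp,device_id,recipient" for one outbound SMS.
    Device d1 mimics a Gustuff propagation node: 300 SMS in one hour, each to a
    different number. Device d2 is a normal user texting two contacts."""
    lines = []
    start = datetime(2019, 10, 1, 9, 0, 0)
    for i in range(300):
        ts = start + timedelta(seconds=12 * i)  # 300 messages spread over 59.8 minutes
        lines.append(f"{ts.isoformat()},d1,+61400000{i:03d}")
    for i in range(5):
        ts = datetime(2019, 10, 1, 8, 0, 0) + timedelta(minutes=90 * i)
        recipient = "+61411111111" if i % 2 == 0 else "+61422222222"
        lines.append(f"{ts.isoformat()},d2,{recipient}")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_log(lines):
    """Group events by device as sorted (timestamp, recipient) pairs."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, recipient = line.split(",")
        events[device].append((datetime.fromisoformat(ts), recipient))
    for device in events:
        events[device].sort()
    return events


def peak_hourly_rate(entries, window=timedelta(hours=1)):
    """Sliding window over sorted events. Returns (max messages in any one
    window, number of distinct recipients inside that peak window)."""
    best_count, best_distinct = 0, 0
    start = 0
    for end in range(len(entries)):
        # Advance the window start until the span is strictly shorter than `window`.
        while entries[end][0] - entries[start][0] >= window:
            start += 1
        count = end - start + 1
        if count > best_count:
            best_count = count
            best_distinct = len({r for _, r in entries[start:end + 1]})
    return best_count, best_distinct


def flag_propagators(lines, max_per_hour=100, min_distinct_ratio=0.8):
    """Flag devices whose peak one-hour send count is at least `max_per_hour`
    and whose recipients in that window are at least `min_distinct_ratio`
    distinct. Both thresholds are assumptions for this example."""
    flagged = {}
    for device, entries in parse_log(lines).items():
        count, distinct = peak_hourly_rate(entries)
        if count >= max_per_hour and distinct / count >= min_distinct_ratio:
            flagged[device] = {"peak_per_hour": count, "distinct_recipients": distinct}
    return flagged


if __name__ == "__main__":
    for device, stats in flag_propagators(SAMPLE_LOG).items():
        print(f"{device}: {stats['peak_per_hour']} SMS/hour to "
              f"{stats['distinct_recipients']} distinct recipients")
```

The distinct-recipient ratio is what separates a spreader from a legitimate bulk sender such as an appointment-reminder app, which also fans out but to a stable recipient set day after day; a real deployment would add that day-over-day comparison and tune the thresholds to the carrier's or fleet's baseline.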