Gustuff Android Trojan Targeting 30+ Cryptocurrency Apps & 100 International Banks

By Bill Toulas / March 28, 2019

Cybersecurity firm Group IB has released their 'High-Tech Crime Trends' report that comes with a revelation about a new Trojan that quickly climbed the ranks of the most used tools out there right now. Named “Gustuff”, the Trojan was first seen about a year ago, but its systematic and continuous updating has made it a powerful bank credential phishing tool that features amazing inter-operative capabilities, automating bank transactions for 32 cryptocurrency apps and support for over a hundred banking apps. This sophistication has taken Gustuff among the ranks of the LokiBot and the Anubis banking malware, an especially stealthy tool that we wrote about at the start of the year.

Gustuff is covering major banks and Android payment apps such as the Bank of America, J.P. Morgan, Wells Fargo, Bank of Scotland, Western Union, eBay, PayPal, Skype, Revolut, Walmart, WhatsApp, Coinbase, Bitcoin Wallet, and more. This increases the attack surface and the possibilities of cybercriminals getting their hands on the payment data of victims, and that is one important reason why so many of them are using Gustuff. But the range of support is not the only trick up Gustuff’s sleeve.

Gustuff features a powerful and streamlined ATS (Automatic Transfer Service) system, enabling it to open the supported apps, fill in the phished credentials (which were acquired through social engineering), and then make the transactions. The cybercriminals have no direct involvement in this whole process, so they can sit back and relax while the money is stolen and transferred to their accounts automatically. Gustuff's creators have implemented this functionality by taking advantage of the 'Accessibility Service' which is meant to help people with disabilities register user input across Android and individual apps.

For now, the Google Play Store remains free of apps that are infected with the Gustuff Trojan, and the researchers have only noticed spam SMS messages containing links that point to the malicious APK file. If Gustuff finds its way to the Play Store, Android phones will face serious trouble, as the Trojan has the capacity to disable the Google Play Protect services, push any kind of masqueraded notifications, and collect images or videos that are stored in the phone. This helps malicious actors conduct the social engineering part that we mentioned above. Finally, the nastiest feature of Gustuff is to perform a factory reset on the infected phone, wiping out all traces that are left on the device.

Are you using any antivirus app on your Android device, and if yes, which one? Let us know in the comments below, and don’t forget that you have the power to help us warn others of threats like the Gustuff, by sharing this post through our socials on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: