Gustuff Android Trojan Targeting 30+ Cryptocurrency Apps & 100 International Banks

  • Gustuff combines a high degree of automation with unusually broad app coverage, streamlining the theft of money.
  • Its ATS (Automatic Transfer System) lets the Trojan initiate and complete transactions on its own.
  • It can also disable Android’s built-in protections, steal data, and even reset the phone to factory settings.

Cybersecurity firm Group-IB has released its ‘High-Tech Crime Trends’ report, which includes findings on a new Trojan that quickly climbed the ranks of the most widely used tools in the Android banking-malware scene. Named “Gustuff”, the Trojan was first seen about a year ago, but systematic and continuous updating has turned it into a powerful credential-phishing and transaction-automation tool: it can automate transactions for 32 cryptocurrency apps and supports more than a hundred banking apps. This sophistication puts Gustuff in the same league as LokiBot and Anubis, an especially stealthy banking Trojan that we wrote about at the start of the year.

Gustuff targets major banks and Android payment, cryptocurrency and messaging apps, including Bank of America, J.P. Morgan, Wells Fargo, Bank of Scotland, Western Union, eBay, PayPal, Skype, Revolut, Walmart, WhatsApp, Coinbase, Bitcoin Wallet, and more. This breadth of coverage enlarges the pool of victims whose payment data the operators can capture, and that is one important reason why so many cybercriminals are using Gustuff. But the range of supported apps is not the only trick up Gustuff’s sleeve.

Gustuff features a powerful and streamlined ATS (Automatic Transfer System) that lets it open a supported app, fill in the victim’s credentials (acquired through social engineering), and complete the transaction. The cybercriminals have no direct involvement in the process: the money is stolen and transferred to their accounts automatically. Gustuff’s creators implemented this by abusing Android’s Accessibility Service, an API intended to let assistive apps read what is on screen and perform actions on the user’s behalf across Android and individual apps. An accessibility service only gains those powers after the user enables it in Settings, which is why the social-engineering step is essential to the scheme.

For now, the Google Play Store remains free of apps carrying Gustuff; the researchers have only observed spam SMS messages containing links to the malicious APK. If Gustuff finds its way onto the Play Store, Android users will face serious trouble, as the Trojan can disable Google Play Protect, push fake notifications masquerading as those of legitimate apps, and collect images and videos stored on the phone, all of which feeds the social-engineering stage mentioned above. Finally, the nastiest feature of Gustuff is a factory reset of the infected phone, wiping out whatever traces are left on the device. On Android, wiping a device this way requires the app to hold device-administrator rights, one more privilege a sideloaded app should never be granted.

Are you using any antivirus app on your Android device, and if yes, which one? Let us know in the comments below, and don’t forget that you have the power to help us warn others of threats like Gustuff by sharing this post through our socials on Facebook and Twitter.
