According to a recent news report by The Next Web, a new Android Trojan is targeting users worldwide of leading cryptocurrency apps such as Coinbase, BitPay and Bitcoin Wallet, along with banks such as JPMorgan, Wells Fargo and Bank of America.
The Trojan, currently named "Gustuff", was analysed in a recent research report by the cybercrime investigation firm Group-IB. The malware is described as designed for mass infection and is spread through ordinary SMS messages carrying links that download malicious Android Package Kit (APK) files.
The creators of the malware have reportedly built "Automated Transfer Systems" intended to speed up and scale the thefts by automatically filling payment fields in legitimate apps so that transfers are rerouted to the attackers.
The application reportedly deploys a set of "web fakes" that mimic legitimate Android applications to phish personal information from users, specifically targeting customers of over 32 different cryptocurrency applications. Push notifications carrying legitimate icons are another device the malware uses to trigger downloads of fake apps and autofills.
Group-IB identified around 27 different Android cryptocurrency and banking applications specific to the U.S., 16 for Poland, 10 for Australia, 9 for Germany and 9 for India. The malware also targets payment systems and messenger services such as PayPal, Revolut, Western Union, eBay, Walmart, Skype and WhatsApp.
Moreover, Gustuff reportedly exploits the Android accessibility options designed for disabled users, which Group-IB describes as a comparatively rare and effective trick:
“Using the Accessibility Service mechanism implies that the Trojan is in a position to bypass the security […] changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff is aware of the way to turn off Google Protect; as per the Trojan’s developer, this feature works in around 70% of the cases.”
Group-IB added that Gustuff, first traced to hacker forums in April last year, was designed by a Russian-speaking cybercriminal nicknamed "Bestoffer", yet primarily targets customers of global companies outside Russia.
Group-IB advises Android users to download applications strictly from Google's Play Store and to pay a little more attention to the file extensions of anything they download.
As reported earlier in February, the well-known decentralized application MetaMask was removed from Google Play after researchers identified malware impersonating the tool to steal cryptocurrency from users.
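The two behaviours described above, sideloading outside Google Play and abuse of the Accessibility Service, leave traces an administrator can check with `adb`. The following triage script is an added example and is not code from Group-IB, The Next Web or the Gustuff analysis; it parses the output of the real commands `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, but the device output embedded below is constructed for the example, and the `KNOWN_GOOD_A11Y` allowlist and `SYSTEM_PREFIXES` heuristic are assumptions you would tune for your own fleet.

```python
"""Triage helper: spot sideloaded apps that hold Accessibility Service access.

Added example (not from the article or from Group-IB). It parses the output of
two real adb commands, to be run against a device you administer:
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
The sample strings below are constructed for the example, not a real dump.
"""
import re

PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -i` output.
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.coinbase.android  installer=com.android.vending
package:com.bitpay.wallet  installer=com.android.vending
package:com.example.updater  installer=null
package:com.android.settings  installer=null
"""

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Entries are "package/ServiceClass" joined with ':'.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/com.example.updater.OverlayService"
)

# Hypothetical allowlist of accessibility services an organisation accepts.
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}

# System packages also report installer=null; treat known system prefixes as
# expected (assumption: adjust for the OEM build in use).
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when reported as 'null')."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def parse_accessibility(setting):
    """Return the set of package names that have an enabled accessibility service."""
    if not setting or setting.strip() in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def sideloaded(installers):
    """Packages not installed by Google Play and not part of the system image."""
    return sorted(
        pkg for pkg, inst in installers.items()
        if inst != PLAY_STORE and not pkg.startswith(SYSTEM_PREFIXES)
    )


def suspicious_accessibility(installers, a11y_setting):
    """Accessibility services whose package is sideloaded and not allowlisted."""
    side = set(sideloaded(installers))
    return sorted(
        pkg for pkg in parse_accessibility(a11y_setting)
        if pkg in side and pkg not in KNOWN_GOOD_A11Y
    )


if __name__ == "__main__":
    inst = parse_installers(SAMPLE_PACKAGES)
    print("Sideloaded packages:", sideloaded(inst))
    print("Sideloaded packages with Accessibility access:",
          suspicious_accessibility(inst, SAMPLE_A11Y))
```

On the constructed sample the script flags `com.example.updater`: it was not installed by Google Play and has an enabled accessibility service, which is exactly the combination the article attributes to Gustuff. A hit is a lead for review, not proof of infection; legitimate sideloaded utilities (screen readers, automation tools) belong on the allowlist once verified.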