A new form of Trojan horse malware targeting Android phones, specifically with the intention of stealing crypto assets of users of exchanges and international banks, has been discovered.
The Next Web first reported the news, saying that cybersecurity firm Group-IB discovered the malware, codenamed “Gustuff”, and its targets are significant and wide-ranging. The malware targets the apps of Coinbase, BitPay, and Bitcoin Wallet, and banks such as JPMorgan, Wells Fargo, and Bank of America. A total of 32 crypto apps are being targeted.
The report says that the malware is aiming at “mass infections and maximum profit for its operators.” The malware uses “web fakes” to phish sensitive data from unsuspecting users. The extent of the operation is considerable, as The Next Web writes,
Web fakes for leading banks like J.P. Morgan, Wells Fargo, and Bank of America are included. 27 Apps specific to the US were spotted, 16 in Poland, 10 in Australia, nine in Germany, as well as eight in India. Gustuff also “supports” payment systems and messenger services PayPal, Revolut, Western Union, eBay, Walmart, Skype, and WhatsApp.
Users are sent SMSs with Android package kits that possess the malware. It then spreads the message to the user’s contact list. The creators of the Trojan exploit Android’s Accessibility Service to make the attack possible,
Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.
Group-IB goes on to describe the severity of the malware, which has reportedly been created by a cybercriminal called “BestOffer”,
The malware is also capable of sending information about the infected device to the C&C server [the hackers], reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.
The best way to avoid infection is to only download apps from the Google Play store and not open untrusted links. It is a simple process that doesn’t offer 100% protection against malware in general, but it does go a long way in keeping a user safe. Installing software updates is also key in protection against an ever increasing list of security exploits.
Trezor recently responded to a list of vulnerabilities concerning its wallet, published by Ledger. In general, the temptation to execute hacks and attacks on crypto is high, as there is a lot to be gained for the cybercriminals. One report suggests that one group alone is responsible for more than half of all hacks that have taken place since 2017.
