Malware researchers at Cisco’s Talos Intelligence are warning Australian consumers and businesses about Android malware specifically targeting Android users in that country.
The researchers found a crook selling access to the Android Gustuff bot, a banking trojan, on an underground forum, offering to give other criminals a chance to hook online customers from CBA, Westpac, St George, NAB, Bankwest, Bank SA, ANZ, Citibank Australia, and the Bank of Melbourne.
The online advertisement was consistent with the researchers’ analysis of the infrastructure used to communicate with this particular version of Gustuff. They found that most requests to this infrastructure came from devices located in Australia.
The requests occur during installation of the malicious app, but that is only the first stage, in which the affected device sends an SMS containing a URL to everyone in the victim’s contact list. The infection that actually threatens bank account security happens in a second stage: once a contact opens the link, a remote server assesses whether the device fits the target profile before delivering the banking malware to it.
The other evidence suggesting Australian banking customers are the primary target was the malicious app’s “overlays”, which are all copies of real Australian banking apps’ login interfaces, foisted onto an infected device’s screen when the victim opens the legitimate banking app.
Based on the number of initial requests, Talos researchers conclude that the operator of this instance of Gustuff “is aggressively spreading the malware” to Australian users.
Gustuff hit the radar in March after Russian cybersecurity firm Group-IB flagged that it was being used to target customers of over 100 banks around the world, including Australia. What the Russian company describes is particularly nasty.
The malware is unusual in using an Android device’s Accessibility Service, the disability assistance features, to implement a so-called ATS, or Automatic Transfer System. Trend Micro wrote about the emergence of ATS in banking malware in 2012, noting “ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own ones without leaving traces of their presence.”
By exploiting the Android device's Accessibility Service features, Gustuff can change the values of text fields in banking apps.
“Using the Accessibility Service mechanism means that the Trojan is able to bypass security measures used by banks to protect against older generation of mobile Trojans and changes to Google’s security policy introduced in new versions of the Android OS,” Group-IB explained.
Additionally, Gustuff can turn off Google Play Protect, Google’s built-in anti-malware product, and can display fake push notifications carrying the icons of legitimate apps, which, when tapped by the victim, trigger the fake login page.
Cisco’s take on the malware’s outstanding threat is that the operator can still control infected devices by sending SMS messages directly to them, even if an adversary, such as law enforcement or a security company, takes down the control server.
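The capabilities described above (sending SMS to the contact list, drawing overlays over banking apps, and binding an accessibility service to read and edit other apps’ text fields) each require specific declarations in an Android app’s manifest. The following is an added triage script, not code from Talos, Group-IB or the article, that parses a decompiled AndroidManifest.xml and flags the combination of an accessibility service with SMS or overlay capability. The risk mapping, verdict thresholds and the two sample manifests are constructed for illustration; the permission names themselves are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Manifest declarations that correspond to the behaviours the article
# attributes to Gustuff. The mapping is our own (assumed), not a Talos rule.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "sends SMS (spreading links to the contact list)",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.RECEIVE_SMS": "receives SMS (possible out-of-band command channel)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws overlays on top of other apps",
}


def manifest_findings(manifest_xml: str) -> dict:
    """Return {declaration: explanation} for every risky declaration found."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    findings = {}
    for node in root.iter("uses-permission"):
        name = node.get(name_attr)
        if name in RISKY_PERMISSIONS:
            findings[name] = RISKY_PERMISSIONS[name]
    # An accessibility service is not a <uses-permission>; it is a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE so that only the system binds it.
    for svc in root.iter("service"):
        if svc.get(perm_attr) == A11Y_BIND:
            findings[A11Y_BIND] = (
                f"accessibility service {svc.get(name_attr)} "
                "(can read and edit other apps' UI)")
    return findings


def triage(manifest_xml: str) -> dict:
    """Classify a manifest. An accessibility service combined with SMS or
    overlay capability is the pattern described in the article and is rated
    'suspicious'; any single risky declaration is 'review'; otherwise 'low'."""
    findings = manifest_findings(manifest_xml)
    has_a11y = A11Y_BIND in findings
    has_sms_or_overlay = any(p in findings for p in (
        "android.permission.SEND_SMS", "android.permission.SYSTEM_ALERT_WINDOW"))
    if has_a11y and has_sms_or_overlay:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": findings}


# Constructed sample manifests (not taken from any real app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['verdict']}")
        for decl, why in result["findings"].items():
            print(f"  {decl}: {why}")
```

A manifest check is only a first filter: legitimate accessibility and messaging apps declare the same permissions, and behaviours such as disabling Play Protect or choosing which overlay to show happen at runtime and only surface in dynamic analysis. Treat a “suspicious” verdict as a reason to look at the app’s traffic and the text it sends, not as a conviction.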