Recent Gustuff Android banking Trojan campaigns featured an updated malware version, Cisco Talos security researchers report.
Soon after the malware was detailed earlier this year, its operators changed distribution hosts and then moved to disable the command and control (C&C) infrastructure, but continued to control the malware via a secondary administration channel based on SMS.
Initially, Gustuff was based on the Marcher banking Trojan, but the new variant has lost some of those similarities, the security researchers say.
The malware continues to use malicious SMS messages for infection and mainly targets users in Australia, meaning that token-based two-factor authentication and security awareness remain the best defense against it.
The new campaign was observed at the beginning of October. The updated malware variant continues to use targets of little interest to the actor as senders of propagation SMS messages; each such target sends around 300 SMS messages per hour.
Based on the number of times the malware-hosting domains were accessed, the propagation method doesn’t appear to be effective, Talos says. The attacks mainly target Australian banks and digital currency wallets.
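A defender-side illustration of the propagation rate described above, added here and not part of the Talos report or this article: a sliding-window detector that flags devices whose outbound SMS volume approaches the roughly 300 messages per hour observed per infected device. The log format, device ids and the 100-per-hour alert threshold are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 100  # assumed tuning: well below the ~300 SMS/hour seen per infected device


def parse_line(line):
    """Parse 'device_id ISO-8601-timestamp destination' (constructed log format)."""
    device, ts, dest = line.split()
    return device, datetime.fromisoformat(ts), dest


def detect_sms_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {device: (time_threshold_first_reached, count_in_window)} for every
    device whose outbound SMS count inside a sliding `window` reaches `threshold`.
    Lines must be in chronological order."""
    recent = defaultdict(deque)   # device -> timestamps still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        device, ts, _dest = parse_line(line)
        q = recent[device]
        q.append(ts)
        while q and ts - q[0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and device not in alerts:
            alerts[device] = (ts, len(q))
    return alerts


def constructed_events():
    """Constructed sample: dev-A sends one SMS every 12 s (300/h, the campaign rate);
    dev-B sends six SMS in an hour; dev-C sends 60 in ten minutes and 60 more an
    hour later, so its total is high but no single hour reaches the threshold."""
    start = datetime(2019, 10, 2, 9, 0, 0)
    events = [(start + timedelta(seconds=12 * i), "dev-A") for i in range(300)]
    events += [(start + timedelta(minutes=10 * i), "dev-B") for i in range(6)]
    events += [(start + timedelta(seconds=10 * i), "dev-C") for i in range(60)]
    events += [(start + timedelta(minutes=70, seconds=10 * i), "dev-C") for i in range(60)]
    events.sort()
    return [f"{d} {t.isoformat()} +6140000{i:04d}" for i, (t, d) in enumerate(events)]


if __name__ == "__main__":
    for device, (when, count) in detect_sms_bursts(constructed_events()).items():
        print(f"ALERT {device}: {count} SMS within one hour by {when.isoformat()}")
```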
Gustuff now supports the dynamic loading of WebViews, meaning that it can receive a command to create a WebView targeting a specific domain (the injection is downloaded from a remote server).
The researchers observed a command from the C&C to target an Australian Government Portal hosting several public services, including taxes and social security, with the command issued before the local injections were loaded from the remote server.
“This represents a change for the actor, who now appears to be targeting credentials used on the official Australian government’s web portal,” Talos notes.
Changes in the malware’s behavior include state persistence across installations, achieved via a file created on external storage. Gustuff also pings the C&C at a predetermined interval and receives either an OK message or a command to execute.
The list of targeted applications is provided during the activation cycle. The list of anti-virus/anti-malware software that the Trojan attempts to block is loaded in the same manner.
“During the activation cycle, the malware now asks the user to update their credit card information. The difference is that it does not immediately show a panel for the user to provide the information. Instead, it will wait for the user to do it and — leveraging the Android Accessibility API — will harvest it,” Talos explains.
The malware also features a secondary command execution control, with each command featuring a unique ID that the malware uses to report on the execution state.
Gustuff’s interaction with the device was also modified: the commands related to the SOCKS server/proxy, along with the code behind those operations, were removed.
These supposedly allowed the attackers to interactively perform actions on the banking applications; that functionality is now provided by the ‘interactive’ command, which leverages the Accessibility API to interact with the UI of the banking software.
Since the WebView object already has access to the filesystem, this does not represent an additional security risk in this context; it does, however, allow the operator to run scripts and automate tasks.
“Although there are no changes in the way it conducts the campaign, Gustuff still changed the way it uses the malware to perform its fraudulent activities. The main target continues to be banking and cryptocurrency wallets. However, based on the apps list and code changes, it is safe to assume that the actor behind it is looking for other uses of the malware,” Talos concludes.