New Variant of Gustuff Android Banking Trojan Emerges

Recent Gustuff Android banking Trojan campaigns featured an updated malware version, Cisco Talos security researchers report.


Soon after the malware was detailed earlier this year, its operators changed distribution hosts and then moved to disable the command and control (C&C) infrastructure, but continued to control the malware via a secondary administration channel based on SMS.


Gustuff now has a lower static footprint, because it no longer contains hardcoded package names, and allows operators to execute scripts using internal commands — it relies on JavaScript for that — which is a novelty in the Android malware space.


Initially, Gustuff was based on the Marcher banking Trojan, but the new variant has lost some of those similarities, the security researchers say.


The malware continues to use malicious SMS messages for infection and mainly targets users in Australia, meaning that token-based two-factor authentication and security awareness remain the best defense against it.


The new campaign was observed at the beginning of October, with the updated malware variant continuing to use infected devices of little interest to the operators to send propagation SMS messages, at a rate of around 300 SMS messages per hour from each such device.


Based on the number of times the malware-hosting domains were accessed, the propagation method doesn’t appear to be effective, Talos says. The attacks mainly target Australian banks and digital currency wallets.


Gustuff now supports the dynamic loading of WebViews, meaning that it can receive a command to create a WebView targeting a specific domain (the injection is downloaded from a remote server).


The researchers observed a command from the C&C to target an Australian Government Portal hosting several ..