It’s not good stuff, it’s Gustuff. It’s the latest in the Android banking Trojan news, and it is full of the bad stuff. According to researchers, this one is joining, if not surpassing, the old stand-bys that currently hold the top spots: Red Alert, LokiBot, and BankBot. All are serious threats, and all are out to get credentials, but Gustuff holds a unique trick in its pocket to ensure it makes the most of its efforts. Fortunately, it isn’t in the Google Play Store... yet.
This crafty malware uses social engineering—phishing—to trick users into giving it access to the Android Accessibility services. These are meant to assist people with disabilities with various UI interactions, such as performing screen taps on their behalf. That alone isn’t unusual; most of the other Trojans at the top of the list do the same. What sets Gustuff apart is that it uses this access to perform Automatic Transfer Services (ATS). In other words, it makes its own financial transactions without any input from the user. It can open apps, fill in the credentials (which it previously acquired), and approve money transfers.
Fortunately, it hasn’t made it into the Google Play Store yet. Kudos to Google for not allowing it to bypass security scans. However, it’s only a matter of time, as it is being sold on the Dark Web at a rapid pace. So for now, it is spreading through SMS spam messages that carry links.
So, you know the drill. Don’t blindly click links in email or text messages. Be sure you are not part of a larger phishing scheme before clicking anything. Contact the sender and make sure it was intended for you. If you don’t know the sender, don’t even bother asking. Just delete it.
Also, we all have a lot of apps on our mobile devices. When downloading them, be sure to use only the official app store for your particular device. Getting them elsewhere (sideloading) adds to the risk of bad stuff landing on your device. And when an app asks for permissions, don’t just grant whatever it asks for. Think about whether it really needs that access. For example, a flashlight app probably doesn’t need access to your microphone, and realistically, almost nothing needs administrative rights. Those are reserved for developers. If an app asks for those, decline; if it won’t run without them, delete it right away. If you aren’t sure whether an app needs access to something, deny it and see if it works anyway. Often it does, and you can grant the mandatory permissions on an as-needed basis.
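The two warning signs above (an app holding Accessibility access, and an app that was sideloaded rather than installed from the official store) can be checked together on a device connected over adb. The script below is an added example, not code from the post or from any Gustuff analysis; it parses the text output of two real adb commands, and the sample outputs and package names embedded in it are constructed for illustration.

```python
# Triage helper (added example, not from the post): flag sideloaded apps that
# hold Android Accessibility access. It parses the text output of two real
# adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i
# The sample outputs below are constructed; the package names are hypothetical.

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed output of `settings get secure enabled_accessibility_services`:
# a colon-separated list of package/service component names.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeapp/.AccessService:"
    "com.example.flashlight/.HelperService"
)

# Constructed output of `pm list packages -3 -i`: third-party packages plus
# the installer that put them on the device ("null" when unknown/sideloaded).
PM_LIST = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.fakeapp  installer=null
package:com.example.flashlight  installer=com.android.packageinstaller
"""

def parse_enabled_services(raw):
    """Package names that currently have an accessibility service enabled."""
    pkgs = set()
    for component in raw.strip().split(":"):
        if "/" in component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs

def parse_installers(raw):
    """Map package name -> installer package from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, inst = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = inst.strip() or "null"
    return installers

def suspicious_accessibility_apps(a11y_raw, pm_raw):
    """Third-party packages with Accessibility on that were not installed from Play.
    System services (e.g. TalkBack) never appear in `pm list packages -3`, so
    they are not reported; Play-installed apps are skipped."""
    installers = parse_installers(pm_raw)
    return sorted(pkg for pkg in parse_enabled_services(a11y_raw)
                  if pkg in installers and installers[pkg] != PLAY_STORE_INSTALLER)
```

A package flagged here is not proof of infection, only a prompt to look at where it came from and why it needs Accessibility access.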
Gustuff has been on the market for over a year now—primarily, though not exclusively, marketed to Russian speakers. But it’s a good bet that it’ll be heading your way soon—speaking English.