Gustuff’s recent Android banking campaigns have included an updated malware version, reports Cisco Talos security researchers.
Earlier this year, shortly after the software was described, its operators switched delivery hosts, then moved to remove the C&C network, but continued to control the software via a SMS-based secondary management system.
The Gustuff now has a smaller static footprint because it no longer has hardcoded package names and enables operators to run scripts with internal commands— it depends on JavaScript — a new feature of Android malware.
Gustuff was originally based on the Trojan Marcher banking system but, according to security researchers, the new variant has lost some of these similarities.
The malware continues to use malicious SMS messages to target users in Australia and is thus the best defense against them, i.e. token-based two-factor authentication and security awareness.
The new campaign was noticed in early October, with the modified malware version continuing to use little-interest targets to send SMS message propagation — each target sends approximately 300 SMS messages per hour.
According to Talos, the propagation approach does not appear to be successful based on the number of Malware Hosting Domains accessed. The attacks are aimed primarily at Australian banks and digital wallets.
Gustuff also allows dynamic loading of WebViews to build a WebView with a particular domain (injector is downloaded from a remote server).
The researchers observed a C&C order to target an Australian government website with several services, including taxes and social security, with a command from a remote server before loading the regional injections.
“This is a change for the actor who now tends to threaten the credentials on the Web portal of the government of Australia,” states Talos.
Changes in malware actions include the state persistence of a file generated on external store installations. Gustuff also pings the C&C to receive an OK response or execute order at a standard interval.
During the activation cycle, a list of targeted applications is provided. The anti-virus / anti-malware list that the Trojan tries to block is loaded in the same way.
“The malware now asks the user to update their credit card information during the activation cycle. The downside is that there is not a screen for the client to provide the information immediately. It will wait for the client to do this rather than extract it by using the Android Accessibility API, “says Talos.
The malware also provides a secondary execution command, each of which has a unique ID that the malware uses to document the execution status.
Gustuff’s communication with the system was also updated with server / proxy socket commands, along with operations-related code, removed.
This allegedly allowed the attackers to carry out interactive actions on banking applications, now with the interactive command that uses the accessibility API to interact with the user interface of banking software.
A new command is’ script,’ by which Gustuff launches a WebChromeClient with JavaScript on the WebView to execute malware-defined methods. Another new command is’ script.’
This does not pose an additional security threat in this case, as the WebView object has already access to the filesystem. It helps the programmer to execute scripts and automate tasks.
“Although the way the operation is performed is not updated, Gustuff has always changed the way the malware is used to carry out its fraudulent activities. Banking and cryptocurrency wallets remain the main target. However, it is safe to assume, based on the list of apps and changes in the code, that the actor behind it is looking for other applications, “concludes Talos.