A previously unreported advanced banking trojan named Gustuff can steal funds from accounts at over 100 banks across the world and rob users of 32 cryptocurrency Android apps.
The threat sells for a monthly subscription of $800 and it was first spotted in April 2018. Its developer promotes it as an upgraded variant of AndyBot banking malware whose activity has been tracked since 2017.
Casting a wide net
The malware includes code to target top international banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank. It also searches for cryptocurrency wallet apps like Bitcoin Wallet, or from services BitPay, Cryptopay, Coinbase, and more.
Researchers at Group-IB security company specialized in preventing cyber attacks noticed that Gustuff's code lists apps from banks in the US (27), Poland (16), Australia (10), Germany (9), and India (8).
However, other types of apps also present interest: market places, online stores, payment systems, and messaging solutions. Apps for PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut
Gustuff abuses Accessibility feature, can disable Google Protect
The malware relies on a relatively rare tactic to access and automatically change text fields in targeted apps. On compromised devices, Gustuff uses Android Accessibility services to interact with screens from other apps.
... ... ...