Saturday, April 12, 2025
Follow us On Linkedin
HomeAndroidGustuff Android Banking Malware Uses SMS Messages to Hack Users Device

Gustuff Android Banking Malware Uses SMS Messages to Hack Users Device

AndroidMalware

Published on

By Gurubaran
Gustuff banking malware

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Gustuff banking malware returns with new features, the threat actors behind Gustuff malware made changes with distribution hosts and disabled C2 infrastructure. The malware uses SMS messages for propagation.

The Gustuff malware is a fully automated one, the malware is capable of stealing login credentials by abusing Accessibility Services in Android devices.

Researchers observed that the latest version of Gustuff uses a “poor man scripting engine” based on JavaScript language, which provides an ability to execute scripts while using its internal commands backed by the power of JavaScript language. This is very innovative in the Android malware space.”

- Advertisement - Google News

Gustuff Malware Campaigns

Talos researchers first observed the new campaign around June 2019, the campaign uses Instagram to trick the users into downloading the malware. The malware campaign uses SMS messages as the primary method to infect users.

A new wave of the campaign observed starting this month, just like the June campaign. The malware primarily observed targets Australian banks and digital currency wallets. But the new campaign targets Australia based hiring sites’ mobile apps.

Gustuff banking malware
Campaign Hits Credits: Talos

As the campaign based only on SMS, the malware-hosting domains receive only a few hits.

“This method of propagation has a low footprint since it uses SMS alone, but it doesn’t seem to be particularly effective, given the low number of hits we’ve seen on the malware-hosting domains.”

Malware Activation Cycle

The malware attempts creating an uu.dd in the external storage, which has a UUID value and the value is used as ID for the C2 server. It pings with C2 at a predetermined interval and will get commands for execution.

It checks for the list of apps installed and blocks the list of anti-virus/anti-malware software present in the below list.

Gustuff banking malware
List of apps Blocked Credits: Talos

The malware sends commands requesting credit card information, but it won’t present a form to enter the details, instead, it leverages the Android Accessibility API to harvest it.

Request Credit Card Data

The malware was initially designed to target only as a banking trojan, later it’s capabilities are expanded to target crypto services, online stores, payment systems, and messengers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Threat Actors Leverage Email Bombing to Evade Security Tools and Conceal Malicious Activity

Threat actors are increasingly using email bombing to bypass security protocols and facilitate further...
Cyber Attack

Threat Actors Launch Active Attacks on Semiconductor Firms Using Zero-Day Exploits

Semiconductor companies, pivotal in the tech industry for their role in producing components integral...
Cyber Attack

Hackers Exploit Router Flaws in Ongoing Attacks on Enterprise Networks

Enterprises are facing heightened cyber threats as attackers increasingly target network infrastructure, particularly routers,...
cryptocurrency

Threat Actors Exploit Legitimate Crypto Packages to Deliver Malicious Code

Threat actors are using open-source software (OSS) repositories to install malicious code into trusted...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

Browser

TROX Stealer Harvests Sensitive Data Including Stored Credit Cards and Browser Credentials

Cybersecurity experts at Sublime have uncovered a complex malware campaign revolving around TROX Stealer,...
cyber security

GOFFEE Deploys PowerModul in Coordinated Strikes on Government and Energy Networks

The threat actor known as GOFFEE has launched a series of targeted attacks against...
Cyber Attack

Sapphire Werewolf Upgrades Arsenal With Amethyst Stealer Targeting Energy Firms

Sapphire Werewolf has introduced a potent new weapon into its cyber arsenal, unveiling the...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved