Saturday, July 20, 2024

Gustuff Android Banking Malware Uses SMS Messages to Hack Users Device

Gustuff banking malware returns with new features, the threat actors behind Gustuff malware made changes with distribution hosts and disabled C2 infrastructure. The malware uses SMS messages for propagation.

The Gustuff malware is a fully automated one, the malware is capable of stealing login credentials by abusing Accessibility Services in Android devices.

Researchers observed that the latest version of Gustuff uses a “poor man scripting engine” based on JavaScript language, which provides an ability to execute scripts while using its internal commands backed by the power of JavaScript language. This is very innovative in the Android malware space.”

Gustuff Malware Campaigns

Talos researchers first observed the new campaign around June 2019, the campaign uses Instagram to trick the users into downloading the malware. The malware campaign uses SMS messages as the primary method to infect users.

A new wave of the campaign observed starting this month, just like the June campaign. The malware primarily observed targets Australian banks and digital currency wallets. But the new campaign targets Australia based hiring sites’ mobile apps.

Gustuff banking malware
Campaign Hits Credits: Talos

As the campaign based only on SMS, the malware-hosting domains receive only a few hits.

“This method of propagation has a low footprint since it uses SMS alone, but it doesn’t seem to be particularly effective, given the low number of hits we’ve seen on the malware-hosting domains.”

Malware Activation Cycle

The malware attempts creating an uu.dd in the external storage, which has a UUID value and the value is used as ID for the C2 server. It pings with C2 at a predetermined interval and will get commands for execution.

It checks for the list of apps installed and blocks the list of anti-virus/anti-malware software present in the below list.

Gustuff banking malware
List of apps Blocked Credits: Talos

The malware sends commands requesting credit card information, but it won’t present a form to enter the details, instead, it leverages the Android Accessibility API to harvest it.

Request Credit Card Data

The malware was initially designed to target only as a banking trojan, later it’s capabilities are expanded to target crypto services, online stores, payment systems, and messengers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles