Gustuff
The Gustuff banking Trojan, first spotted in 2016, has gone through a long series of enhancements since it appeared on the threat landscape. Although originally built on the infamous Marcher malware, it underwent a major refactoring that introduced considerable changes to its architecture and feature set.
To the best of our knowledge, Gustuff was the first Android banking Trojan to rely heavily on Android's Accessibility Service to power its RAT functionality. The RAT was originally implemented to make fraud harder to detect, since transactions are performed from the victim's own device, but it was later enhanced to facilitate automated, large-scale fraud from infected devices. Unlike Cerberus, Gustuff's RAT does not depend on third-party utilities; it uses a home-made JSON-based text protocol to both visualize and interact with the content of the infected device's screen.
In April 2019 the actors behind the Gustuff Trojan started developing a new version of the bot alongside the original one, which remained in "production", and the original Trojan was slowly phased out to make room for the new one. Although this process was slow, the new variant started replacing the old one extensively from August 2019 onwards, and after several weeks the swap between versions was complete. While keeping most of the codebase, the new variant of Gustuff changed the architecture and command handling and added new features such as keylogging, browser overlays and even an ATS (Automated Transaction System) on top of the RAT.
Although technically an overlay attack, browser overlays closely resemble the infamous "webfakes", a technique popular with Windows banking malware: instead of checking the package name of the running app, the Trojan abuses its Accessibility privileges to read the contents of the browser's address bar and determine whether the victim is visiting a website on the target list. The browser is then overlaid, tricking the victim into interacting with a fake web page.
One of the first browser overlays built by the Gustuff actors targeted the public Australian government login page (https://my.gov.au, listed among the browser overlay targets below).
Unlike Cerberus, Gustuff is operated privately and focuses mainly on Australian and Canadian banks. Besides financial institutions and crypto-wallets, it also targets government websites and job-seeking platforms in order to collect more personal information from its victims (see the target lists below).
Gustuff was the first Android banking Trojan observed to include an ATS, making it more advanced and efficient than comparable bankers. The Automated Transaction System operates quasi-automatically: it steals the victim's credentials, logs in to the account to verify that the credentials are valid and that funds are available, and later logs in again to set up and perform fraudulent transactions, all from the victim's device. Given its technical maturity and focus, the Gustuff Trojan is a major threat to every party on its target list.
Samples
SHA-256 |
---|
a6f0fee73ec2ce4a75564637f57d661bab728b71c9237143ffc8913dd448fdf8 |
a16a93d229b38e175c93589d56c392901fa1137b24ab994c50d6f535304602d4 |
cb104f9c042c777d97587b2b93843ac220b01095aa83b0153c8d29a1f382dddb |
Target list
Package name | App name |
---|---|
com.android.vending | Google Play |
com.rbc.mobile.android | RBC Mobile |
com.rbc.mobile.wallet | RBC Wallet |
com.rbc.mobile.uin0 | RBC Express Business Banking |
com.rbcc.mobile.android | RBC Caribbean |
com.rbc.mobile.rjj0 | RBC Rewards |
com.cibc.android.mobi | CIBC Mobile Banking |
com.mobilebrokerage.CIBC | CIBC Mobile Wealth |
com.td | TD Canada |
com.td.myloyalty | TD Wallet |
com.scotiabank.banking | Scotiabank Mobile Banking |
com.scotiabank.scotiaconnect | ScotiaConnect Business Banking |
com.scotiabank.scotiaitrade | Scotia iTRADE |
com.bmo.mobile | BMO Mobile Banking |
com.bmo.business.mobile | Online Banking for Business |
com.bmo.expenses | BMO Spend Dynamics |
com.bmo.investorline | BMO InvestorLine |
au.com.nab.mobile | NAB Mobile Banking |
com.anz.android.gomoney | ANZ Australia |
org.westpac.bank | Westpac Mobile Banking |
au.com.bankwest.mobile | Bankwest |
com.ubank.internetbanking | UBank |
au.com.suncorp.SuncorpBank | Suncorp Bank |
org.stgeorge.bank | St.George Mobile Banking |
org.banksa.bank | BankSA Mobile Banking |
org.bom.bank | Bank of Melbourne Mobile Banking |
com.anz.android | ANZ Mobile Taiwan |
com.citibank.mobile.au | Citibank Australia |
au.com.ingdirect.android | ING Australia Banking |
com.commbank.netbank | CommBank |
com.circle.android | Circle Pay — Send money free |
com.coinbase.android | Coinbase |
com.moneybookers.skrillpayments | Skrill: Fast, secure online payments |
com.westernunion.android.mtapp | Western Union US - Send Money Transfers Quickly |
piuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum |
com.bitcoin.mwallet | Bitcoin Wallet |
com.btcontract.wallet | Simple Bitcoin Wallet |
com.bitpay.wallet | BitPay – Secure Bitcoin Wallet |
com.bitpay.copay | Copay Bitcoin Wallet |
btc.org.freewallet.app | Bitcoin Wallet by Freewallet |
org.electrum.electrum | Electrum Bitcoin Wallet |
com.xapo | Xapo · Bitcoin Wallet & Vault |
com.airbitz | Bitcoin Wallet - Airbitz |
com.kibou.bitcoin | Bitcoin Wallet For Android |
com.qcan.mobile.bitcoin.wallet | Mobile Bitcoin Wallet |
me.cryptopay.android | Cryptopay |
com.bitcoin.wallet | Bitcoin Wallet |
lt.spectrofinance.spectrocoin.android.wallet | Bitcoin Wallet by SpectroCoin |
com.kryptokit.jaxx | Jaxx Blockchain Wallet |
com.wirex | WIREX: Bitcoin XRP Ethereum Litecoin Wallet |
bcn.org.freewallet.app | Bytecoin Wallet by Freewallet |
com.hashengineering.bitcoincash.wallet | Bitcoin Cash Wallet |
bcc.org.freewallet.app | Bitcoin Cash Wallet by Freewallet |
com.coinspace.app | CoinSpace Wallet |
btg.org.freewallet.app | Bitcoin Gold Wallet by Freewallet |
com.bitpie | Bitpie Wallet - Bitcoin USDT ETH EOS BCH TRON LTC |
net.bither | Bither - Bitcoin Wallet |
co.edgesecure.app | Edge - Bitcoin, Ethereum, Monero, Ripple Wallet |
com.arcbit.arcbit | Bitcoin Wallet - ArcBit |
distributedlab.wallet | Bitxfy Bitcoin Wallet |
de.schildbach.wallet_test | Bitcoin Wallet for Testnet |
com.plutus.wallet | Abra: Bitcoin, XRP, LTC |
com.coincorner.app.crypt | Bitcoin Wallet - CoinCorner |
org.vikulin.etherwallet | Ether Wallet |
eth.org.freewallet.app | Ethereum Wallet by Freewallet |
com.paypal.android.p2pmobile | PayPal Mobile Cash |
com.ebay.mobile | eBay: Online Shopping Deals |
com.amazon.mShop.android.shopping | Amazon Shopping |
com.gyft.android | Gyft - Mobile Gift Card Wallet |
com.walmart.android | Walmart |
com.bestbuy.android | Best Buy |
au.com.seek | SEEK Job Search |
com.indeed.android.jobsearch | Indeed Job Search |
com.indeed.androidemployers | Indeed Employer |
secret.access | Android screenlock |
secret.pattern | Android screenlock |
List of browser overlay targets
URL | Entity name |
---|---|
https://my.gov.au | Australian government |
https://www.seek.com.au/sign-in | SEEK |
https://secure.indeed.com | Indeed |
https://www.commbank.com.au | Commonwealth Bank of Australia |
https://banking.westpac.com.au | Westpac |
https://ib.nab.com.au | National Australia Bank |
https://ibanking.stgeorge.com.au | St. George Bank |
https://ibanking.banksa.com.au | Bank of South Australia |
https://ibanking.bankofmelbourne.com.au | Bank of Melbourne |
https://www.anz.com/INETBANK/ | ANZ |