Gugi
Almost every Android OS update includes new security features designed to make cybercriminals’ life harder. And, of course, the cybercriminals always try to bypass them.
We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls. The modification does not use any vulnerabilities, just social engineering.
The Gugi Trojan is spread mainly by SMS spam that takes users to phishing webpages with the text “Dear user, you receive MMS-photo! You can look at it by clicking on the following link”.
Clicking on the link initiates the download of the Gugi Trojan onto the user’s Android device.
To help protect users from the impact of phishing and ransomware attacks, Android 6 introduced a requirement for apps to request permission to superimpose their windows/views over other apps. In earlier versions of the OS they were able to automatically overlay other apps.
The Trojan’s ultimate goal is to overlay banking apps with phishing windows in order to steal user credentials for mobile banking. It also overlays the Google Play Store app to steal credit card details.
The Trojan-Banker.AndroidOS.Gugi.c modification gets the overlay permission it needs by forcing users to grant this permission. It then uses that to block the screen while demanding ever more dangerous access.
The first thing an infected user is presented with is a window with the text “Additional rights needed to work with graphics and windows” and one button: “provide.”
After clicking on this button, the user will see a dialog box that authorizes the app overlay (“drawing over other apps”).
System request to permit Trojan-Banker.AndroidOS.Gugi.c to overlay other apps
But as soon as the user gives Gugi this permission, the Trojan will block the device and show its window over any other windows/dialogs.
Trojan-Banker.AndroidOS.Gugi.c window that blocks the infected device until it receives all the necessary rights
It gives the user no option, presenting a window that contains only one button: “Activate”. Once the user presses this button they will receive a continuous series of requests for all the rights the Trojan is looking for. They won’t get back to the main menu until they have agreed to everything.
For example, following the first click of the button, the Trojan will ask for Device Administrator rights. It needs this for self-defense because it makes it much harder for the user to uninstall the app.
After successfully becoming the Device Administrator, the Trojan produces the next request. This one asks the user for permission to send and view SMS and to make calls.
It is interesting that Android 6 has introduced dynamic request capability as a new security features
Earlier versions of the OS only show app permissions at installation; but, starting from Android 6, the system will ask users for permission to execute dangerous actions like sending SMS or making calls the first time they are attempted, or allows apps to ask at any other time – so that is what the modified Gugi Trojan does.
TSystem request for dynamic permission
The Trojan will continue to ask the user for each permission until they agree. Should the user deny permission, subsequent requests will offer them the option of closing the request. If the Trojan does not receive all the permissions it wants, it will completely block the infected device. In such a case the user’s only option is to reboot the device in safe mode and try to uninstall the Trojan.
TRepeating system request for dynamic permission
With the exception of its ability to bypass Android 6 security features, and its use of the Websocket protocol, Gugi is a typical banking Trojan. It overlays apps with phishing windows to steal credentials for mobile banking or credit card details. It also steals SMS, contacts, makes USSD requests and can send SMS by command from the CnC.
The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the modification Trojan-Banker.AndroidOS.Gugi.c first discovered in June 2016.
The Gugi Trojan mainly attacks users in Russia: more than 93% of attacked users to date are based in that country. Right now it is a trending Trojan – in the first half of August 2016 there were ten times as many victims as in April 2016.
TUnique number users attacked by Trojan-Banker.AndroidOS.Gugi.
We will shortly be publishing a detailed report into the Trojan-Banker.AndroidOS.Gugi malware family, its functionality and its use of the Websocket protocol.
All Kaspersky Lab products detect all modifications of the Trojan-Banker.AndroidOS.Gugi malware family.