Gustuff malware can steal from banking apps, then spread via contact lists

The hacking tool is now available for a monthly subscription of $800 on black market forums.

The software pulls information from Facebook Messenger, WhatsApp, and Line, an end-to-end encrypted messaging application that is popular in Asia. (Photo: Flickr user StevenW / CC-BY-2.0)

A strain of malicious software affecting Android devices is capable of phishing credentials and automating bank transactions for more than 100 banks and 32 virtual currency apps, according to new research from security firm Group-IB.

The malware, dubbed Gustuff, is aimed at top international banks including Bank of America, Wells Fargo, Chase, Capital One, and others, researchers found. It also is designed to steal from cryptocurrency apps like Bitcoin Wallet and Coinbase, and can phish usernames and passwords from PayPal, Western Union, Walmart, eBay and WhatsApp, according to researchers at Group-IB.

The hacking tool infects victims through a text message that tricks them into granting access to the Android Accessibility function. That service lets an Android phone perform actions on the user's behalf, such as increasing the size of an icon or reading text out loud. Once inside, Gustuff is able to siphon funds from payment software called Automatic Transfer Service.

Gustuff has been available on cybercriminal forums since April 2018, Group-IB says, and an upgraded version now sells for a monthly subscription of $800. It was developed in the Russian language but has been detected primarily in international markets, the researchers say.


“Initially designed as a classic banking Trojan, in its current version, Gustuff has significantly expanded the list of potential targets[,]” Group-IB researchers explained.

Malware has exploited the Android Accessibility functionality before, but Gustuff leverages that feature to bypass security tools meant to keep hackers out.
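Because Gustuff depends on the user granting it accessibility access, one practical defensive check is to audit which accessibility services are actually enabled on a device. The following is an added example, not code from the article or from Group-IB: it reads the Android secure setting `enabled_accessibility_services` (the real setting adb exposes, stored as colon-separated `package/service` entries) and reports any entry not on an allowlist of services the device owner knowingly enabled. The allowlist entries and the `com.fakebank.update` package in the sample are constructed placeholders, not names from the article.

```python
"""Audit the accessibility services enabled on an Android device.

Android keeps the enabled accessibility services in the secure setting
``enabled_accessibility_services`` as colon-separated
``<package>/<service class>`` entries. It can be read with
``adb shell settings get secure enabled_accessibility_services``.
A trojan that tricked the user into enabling its accessibility service
appears in this list under its own package name, so anything outside
the allowlist deserves a closer look.
"""
import subprocess

# Accessibility services the device owner is known to use.
# Constructed placeholder, not a real package from the article.
KNOWN_SERVICES = {
    "com.example.screenreader/com.example.screenreader.ReaderService",
}


def parse_enabled_services(setting_value: str) -> list[str]:
    """Split the raw setting value into package/service entries.

    adb prints the literal string "null" when no service is enabled.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def find_unexpected_services(setting_value: str, allowlist=KNOWN_SERVICES) -> list[str]:
    """Return the enabled services that are not on the allowlist."""
    return [entry for entry in parse_enabled_services(setting_value)
            if entry not in allowlist]


def read_setting_from_device() -> str:
    """Read the live value over adb (needs a connected, authorised device)."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample standing in for adb output. The second entry is a
    # made-up package name illustrating a service the owner never enabled.
    sample = ("com.example.screenreader/com.example.screenreader.ReaderService:"
              "com.fakebank.update/com.fakebank.update.OverlayService")
    for entry in find_unexpected_services(sample):
        print("unexpected accessibility service:", entry)
```

Running this against a real device means replacing `sample` with `read_setting_from_device()`; any flagged entry should be cross-checked against the package's origin before the service is disabled, since legitimate screen readers and automation tools also live in this list.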

The malware’s final target, the Automatic Transfer Service, is meant to provide efficiency and convenience by making automatic payments on a customer’s behalf. That convenience becomes pernicious when hackers are able to steal funds directly from a user’s account, rather than needing to steal their credentials first.

It also pushes out fake push notifications that appear to come from a mobile user's banking app. The notification redirects the user to a fake login page, where the victim is asked to enter their credentials.

Gustuff then spreads by reading the contact list of a compromised phone and sending a link to others on that list.


The Gustuff revelation comes as mobile malware tools are rapidly becoming more advanced. Spyware has been targeted at the widow and former colleagues of a Mexican journalist who was murdered for his coverage of international drug trafficking. Another strain unveiled by researchers in January proved capable of detecting when infected phones were physically in motion.
