UPDATED 23:44 EDT / MARCH 28 2019


Gustuff Android malware targets 125+ banking and cryptocurrency apps

A newly discovered form of Android malware has stolen cryptocurrency and banking data from more than 125 different apps.

Discovered by security researchers at Group-IB, the “Gustuff” Trojan virus is said to be gaining popularity in the cybercriminal underworld given that it’s tailored specifically for stealing banking and crypto assets.

Gustuff is believed to be about a year old but has come to attention only now because it distinguishes itself, at least compared with other forms of malware, by sitting quietly in the background for a time, often undetected, before stealthily stealing financial data.

Gustuff targets 100 banking apps, including 27 in the U.S., 16 in Poland, 10 in Australia, nine in Germany and eight in India, as well as 32 cryptocurrency apps. The list of targets includes Bank of America, J.P. Morgan, Wells Fargo, Bank of Scotland, Western Union, Coinbase and Bitcoin Wallet.

“Initially designed as a classic banking Trojan, in its current version, Gustuff has significantly expanded the list of potential targets, which now includes, besides banking, crypto services and fintech companies’ Android programs, users of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc,” the security researchers noted.

In an interesting twist, Gustuff is primarily being distributed via SMS text messages with links to malicious Android package (APK) files, the file format Android uses to install applications. When a user clicks on a malicious link and installs an infected application, Gustuff quickly spreads across a victim’s device, seeking out both contact lists and installed applications.

Aimed at mass infections and maximum profit for its operators, Gustuff also comes with a unique feature called “Automatic Transfer Systems” that can autofill legitimate banking and cryptocurrency apps so as to steal funds. If that doesn’t sound bad enough already, it also has the ability to display fake push notifications with legitimate icons of the apps it is targeting. Users who click on the fake push notifications are then tricked into either sharing login details or credit card data.

The security researchers urge companies to use signature-based detection methods to give clients better protection against malware. It’s not yet clear whether major antivirus and malware companies are detecting Gustuff, but as always, it’s best to practice safe internet: Only download apps from official app stores, not via SMS links.

Photo: myhsu/Flickr
