Android Malware Attacks Users of 32 Cryptocurrency-Related Applications, Including Coinbase and BitPay
A new Android malware has targeted widely used cryptocurrency applications such as Coinbase, BitPay, and Bitcoin Wallet, as well as banks such as JPMorgan, Wells Fargo, and Bank of America. The report was published by the technology news website The Next Web on March 28.
According to the investigation by Group-IB's cybercrime research team, this is the first time the malware, named Gustuff, has been identified and analyzed. The report says Gustuff is designed to infect a large number of devices and spreads through SMS messages containing a link to an infected site; the link leads to the malware's Android files.
The malware's developers built an Automatic Transfer System (ATS) that redirects legitimate applications to the attackers' fraudulent payment gateways. The malware steals users' sensitive information by imitating legitimate applications, and its main targets are the users of 32 cryptocurrency-related applications. It also sends push notifications carrying the icons of legitimate applications; these notifications trick users into automatically downloading fake applications, which then steal their account information.
A push notification is a text (and sometimes visual) message delivered to you like an SMS, but shown by the browser or an application rather than in your messages inbox. Some push notifications contain a link or ask you to install an application or an update. To judge whether a push notification is genuine, check its sender: if the notification appears to come from an application that is not installed on your phone, do not open it. Note, however, that in some cases (such as the malware described here) push notifications are sent with the icon and name of a legitimate application and ultimately redirect you to an infected link.
Group-IB has identified 27 fake applications mimicking cryptocurrency services and banks in the U.S., 16 in Poland, 10 in Australia, 9 in Germany, and 9 in India. The malware has also targeted messaging services and payment systems such as Revolut, Western Union, eBay, Walmart, Skype, and WhatsApp.
To operate, Gustuff makes use of the accessibility features of Android. Group-IB describes this as an effective trick and says:
Using the mechanisms of the accessibility service, the Trojan is able to adapt to the changes in Google's security rules that are introduced in new versions of Android. Furthermore, Gustuff knows how to disable Google's security mechanisms. According to the developers of this Trojan, the malware can run successfully on 70 percent of phones.
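Because the abuse described above depends on an accessibility service being enabled, a defender's first check on a device is which services hold that permission. The following script is an added example, not part of the report or of Group-IB's analysis: it parses the value Android stores in the secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`) and flags every service not on an allowlist. The allowlist entry and the sample device output are constructed for illustration.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# The setting is a ':'-separated list of "package/ServiceClass" entries,
# or the literal string "null" when no service is enabled.

# Allowlist of services considered legitimate (constructed example;
# TalkBack is Google's screen reader). Separate entries with ':'.
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample standing in for the output of:
#   adb shell settings get secure enabled_accessibility_services
# It contains TalkBack plus one unexpected service from an unknown package.
SAMPLE_DEVICE_OUTPUT="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.AccessService"

# audit_accessibility RAW_SETTING
# Prints each enabled service that is not allowlisted.
# Returns 0 when every enabled service is allowlisted, 1 otherwise.
audit_accessibility() {
  raw="$1"
  status=0
  if [ -z "$raw" ] || [ "$raw" = "null" ]; then
    return 0
  fi
  # Split the ':'-separated list into positional parameters.
  oldifs=$IFS
  IFS=':'
  set -- $raw
  IFS=$oldifs
  for entry in "$@"; do
    [ -z "$entry" ] && continue
    case ":$ALLOWED:" in
      *":$entry:"*) ;;  # known-good service
      *)
        echo "UNEXPECTED accessibility service: $entry"
        status=1
        ;;
    esac
  done
  return $status
}

# Stand-alone run on the constructed sample.
audit_accessibility "$SAMPLE_DEVICE_OUTPUT" || echo "device needs review"
```

On a real device, replace the sample with the live `adb shell settings get` output; an unexpected entry identifies the package to investigate (its origin, install source, and requested permissions).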
According to Group-IB's analysis, Gustuff was created by a Russian cybercriminal using the nickname Bestoffer, but its targets are international users outside Russia. Android users are advised to download apps only from Google Play and to pay attention to the files they download.
As reported in February, MetaMask, a decentralized application, recently left Google Play after it turned out that malware of a similar name was trying to steal cryptocurrency users' information. Decentralized applications are designed to reduce attacks that go through third parties: their back end runs on a decentralized network, connecting providers to users without a third-party intermediary. Such applications are also less prone to censorship and improve payment methods. Today most decentralized applications run on the Ethereum blockchain, but new platforms are being introduced. This mechanism greatly reduces attacks, but hackers still manage to find ways in; in fact, as technology advances, the techniques hackers use grow more complex.